Daily Tech Digest - January 13, 2024

Frenemies to friends: Developers and security tools

Cultural shifts happen when security is built into the developer’s existing flow, as opposed to being injected as its own new stage in the pipeline. Look for points in their process where they are already in “pause” or “edit” mode, like at the Pull Request, where you can surface vulnerabilities and ask for remediation efforts. Doing so can avoid context switching and feelings of being interrupted. Capitalizing on an existing developer pause point can help train your developers to look at security vulnerabilities like functionality bugs, a skill they already have, while also shortening feedback loops. ... Developer-to-developer enablement is key. There is often a feeling of mistrust between engineering and security, but developers share the same interests and have the same priorities. Let individual contributors have an opportunity to educate and enable other individual contributors. If you have had a successful pilot or PoC team, or notice self-motivated folks using the tool proactively, give them space to share their experience with the tool. 

The Joys and Pains of DevOps

DevOps is very much a culture change in the way development, operations and even security work together. Even though DevOps aims to improve this, in many cases, these areas still function in silos. There are times when one area implements something that blocks another; and as a DevOps leader, you’re often in the middle trying to figure out the best path forward while also finding an acceptable middle ground. ... A well-engineered DevOps solution should render the team invisible. That includes both the happy path, when deployments succeed, as well as how well you enable teams to solve their deployment issues. There is also one common element of what makes DevOps rewarding: improving developer experience and business outcomes. Dale Francis, director of product development at Climavision, says the rewards of DevOps come from solving problems, so day-to-day operations become simple and the experience for developers better. In addition, maturing as a DevOps organization also lets everyone focus more on solving business problems, rather than fighting technical issues. 

Why Engineering Is Key To A Flourishing Workplace Culture

If your engineering strategy demands precision but your workplace culture tolerates ambiguity and shortcuts, you won't get anywhere. If your engineering strategy demands accountability but your workplace culture doesn't draw connections between an individual's efforts and the higher goals of the operation, you won't get anywhere. If your engineering strategy demands innovation but your workplace culture rewards risk aversion, you won't get anywhere. ... In an arena as complex and technical as engineering, it's easy to lose sight of the human side. Whether your workplace is in-person, remote or hybrid, it's crucial to create spaces (literal or virtual) where employees feel connected and empowered to ask questions. Trust and creativity flourish in an environment where autonomy and authentic connections coexist. ... Inertia is fatal to engineering. Regularly evaluate and adopt new technologies. Find out what your customers need. Find out what hurdles they're up against. Think three steps ahead so your tech stack supports the evolving needs of your business and the market.

Life's Too Short to Work With Incompatible People

Celebrate failure and learn to give feedback. When you embrace failure, you learn and course-correct more quickly. Failure is a sign you're doing something right. You're testing, learning, flexing your creative muscles and moving on efficiently after hitting a brick wall. You must build a team open to feedback to make the most of your failures for the company's good. Feedback is the mode by which we make positive changes out of failure. The challenge? Feedback makes most people cringe. We associate it with criticism as opposed to growth. ... Clear communication may seem like an obvious necessity on high-performing teams, but it's something that's often taken for granted. Unclear communication can quickly tank a team's efforts. A team that has mastered precise communication, on the other hand, can achieve incredible outcomes quickly. We follow an "open book" mentality at Wistia. On all-hands calls, we share candid information about the state of the company – inclusive of the good and the bad – so everyone has the big picture. 

Researchers demo new CI/CD attack techniques in PyTorch supply-chain

Khan initially found a critical vulnerability that could have led to the poisoning of GitHub Actions’ official runner images. The “runners” are the VMs that execute build actions defined inside GitHub Actions workflows. After reporting the vulnerability to GitHub and receiving a $20,000 bug bounty for it, Khan realized that the core issue he found was systemic and that thousands of other repositories were likely impacted. Since then, Khan and Stawinski found vulnerabilities in the software repositories and development infrastructure of major corporations and software projects and collected hundreds of thousands of dollars in rewards through bug bounty programs. Their “victims” included Microsoft Deepspeed, a Cloudflare application, the TensorFlow machine-learning library, the crypto wallets and nodes of several blockchains, and PyTorch, one of the most widely used open-source machine-learning frameworks. PyTorch was originally developed by Meta AI, a subsidiary of Meta, but its development is now governed by the PyTorch Foundation, an independent organization that operates under the Linux Foundation’s umbrella.

For a Secure Foundation, Health Systems Must Address Technical Debt

We need update network equipment, workstations. We may still even have Windows 2003 and 2008. And hardware is not as expensive as the applications that are on there. So that level of technical debt and competing for those dollars where in healthcare you need to have nice offices and that type of thing. So we’re competing with those, with other projects or capital where other organizations may think of that as just an ongoing IT update expense. ... I might hear this stuff at home occasionally, but it’s the same with IT projects. “Hey, we had an acquisition. We got them up and running. We didn’t take care of their technical debt so we’re assuming that.” We’re going through some of those servers now, it’s like, can we even find anybody that knows anything about it, or is it just everyone’s afraid to turn it off? What I like to say is if you didn’t sit around the right campfire, you don’t know the story. So for me, my job sometimes is just to keep asking those questions: “Who knows something about this server?” Sometimes it comes down to the scream test, but I’ve developed a quality, I call it positive persistence. I just keep asking questions politely until we make progress.

The way forward is to make technology 'human-like': Report

As the world undergoes a massive technological transformation, artificial intelligence (AI) and other disruptive technologies will increasingly adopt a more human-like or "Human by Design" approach, according to a new study published on Wednesday. These technologies becoming more human-like and intuitive for people to use, will increasingly lead to a new era of unprecedented productivity and creativity, said the report, titled 'Accenture Technology Vision 2024: Human by design, how AI unleashes the next level of human potential,' which also emphasizes that enterprises that prepare for this shift now will be the winners in the future. The research further highlights that as human-centric technologies continue to advance, they are becoming easier to interact with and more seamlessly integrated into every aspect of our lives. ... As AI, spatial computing, and body-sensing technologies evolve to imitate human capabilities and become less noticeable, the true focus will be on the people who are empowered with new capabilities to achieve what was once considered impossible.

Expert Insight: Andrew Snow on a landmark GDPR ruling

For organisations, it makes clear beyond all doubt that ignorance isn’t an excuse. In fact, if organisations – or managers within them – plead ignorance to the infringement now, they may face a higher fine than if they had taken responsibility for their actions. For regulators, an important precedent has been set. This ruling has provided them with clear direction on where the line falls when deciding on issuing administrative penalties, including fines. For instance, the EDPB [European Data Protection Board] recently reported on another case, involving the Slovak and Hungarian authorities, where there was a dispute over the ownership. The Hungarian regulator ultimately determined that both parties jointly determined the purposes of processing, so were joint controllers – and as such, breached the GDPR because their agreement failed to document this and, by extension, their respective responsibilities. Given the timing of this decision, it probably wasn’t influenced by the ECJ ruling, but I expect that future cases like this would use the ruling as a precedent.

What Are Digital Twins and How Can They Be Used in Healthcare?

Trayanova’s research is on applying personalized digital twin approaches to clinical decision-making. She aims to improve predictive diagnostics and to predict optimal treatment plans for patients. This is currently being used to treat patients with heart rhythm disorders. At Johns Hopkins, Trayanova and her team can create a personalized digital twin representing the geometry of a patient’s heart. The digital twin includes the heart’s structure; disease remodeling such as damage, fibrosis and inflammation identified through MRI or PET scans; and its electrical wave propagation. When an electrical wave propagates to the heart, it triggers a contraction. However, if a patient has scarring or other damage, the wave will catch in that area and, rather than propagating through the heart, it will recirculate and cause an arrythmia. To treat the arrythmia, the digital twin must accurately represent the damage as well as the electrical activity of each cell in the heart. “Now you have something that dynamically links the heart’s components,” Trayanova says. Using the digital twin, she and her team can send a signal and watch how the electrical wave propagates through the model. 

What will the metaverse mean for business models?

In media and entertainment, the primary model of business has evolved from ownership to subscription. In the past, most people bought CDs and DVDs to build a collection – today, owning vinyl is booming in popularity again. But for the majority of people, the accepted model is accessing songs, films and TV series online and building your own virtual library. The difference is that if you stop paying the subscription, you have nothing. Will it be the same in the metaverse? We’ll have to wait and see. But it’s safe to assume that people will want ownership of their assets without paying a subscription (except for the wallet that protects them). To complicate things, there is the question of what role content from Generative AI will play in metaverse business models. Today, it’s generally accepted that no one owns work created by Generative AI. But won't this change? In fact, this assumption may even be wrong – in the UK for example, the law implies that the creators of the AI platform own anything wholly created by it. 

Quote for the day:

"Great leaders do not desire to lead but to serve." -- Myles Munroe

No comments:

Post a Comment