Daily Tech Digest - March 14, 2024

Heated Seats? Advanced Telematics? Software-Defined Cars Drive Risk

The main issue is that this next generation of cars has fewer platforms and SKUs but more advanced telematics and software interfaces. This results in less retooling of assembly lines at factories, but a bigger code base also means more exploitable vulnerabilities. And with the over-the-air (OTA) capabilities that these cars offer, those attacks could potentially be carried out remotely. ... "In some ways, software-defined vehicles increase the opportunity for you to make a mistake," says Liz James, a senior security consultant at NCC Group, a cybersecurity consultancy that does assessments of vehicle cybersecurity. "The more complex your software stack gets, the more likely you are to have implementation bugs, and now you also have software installed that might never be run, which runs counter to traditional embedded system advice." It's not just traditional vulnerabilities at issue. With the move to SDVs, cars increasingly resemble cloud infrastructure with virtual machines, hypervisors, and application programming interfaces (APIs), and with the increased complexity comes greater risk of failure, says John Sheehy

Cloud Native Companies Are Overspending on CVE Management

One major factor is software consumers are voracious, demanding new features built rapidly. This means software engineers with tight timelines are begrudgingly accepting the cloud native default — containers with CVEs. If the functionality works, scanning for CVEs (much less fixing them) is an afterthought. Another key factor is the software application developers who usually select a container image — often through making a few edits to a Dockerfile — are often not the ones bearing the downstream costs of vulnerability management. Finally, creating software that is easy to update is difficult. While it’s at the core of the DevOps philosophy, it’s hard to do in practice. Changing a piece of software, even to fix a CVE, often risks product downtime and frustrated customers. Consequently, many software organizations find it painful to make even minor changes to their software. ... For the particularly unfortunate, the debt comes due all at once as a consequence of hackers exploiting a CVE to access a system. That cost may be millions of dollars in reputational loss, lawsuits and ransomware.

CISO Role Shifts from Fear to Growth

“The results underscore the importance of strategic collaboration between CISOs and CIOs, highlighting the need for a unified approach to cybersecurity that aligns with broader business objectives,” says Frank Dickson, Group Vice President of Security and Trust at IDC. “Check Point's commitment to pioneering cybersecurity solutions supports this evolution, enabling organisations to navigate these challenges successfully.” ... As organisations are looking to modernise IT infrastructures as a foundation for digital transformation, Check Point and IDC found there is a need for security strategies that support, rather than hinder, progress. Despite such fast-paced growth, a trust gap remains in the cybersecurity landscape, with a majority of businesses and customers expressing concerns about technology being used unethically. With this in mind, Check Point and IDC cite in their survey a transformation towards security as a business enabler - shifting away from fear-based security postures towards growth-oriented strategies. This evolution is supported by Check Point's emphasis on simplifying and consolidating security solutions to address cost and management inefficiencies effectively. 

How AI has already changed coding forever

Seven says he sees both bottom-up approaches (a developer or team has success and spreads the word) and top-down approaches (executive mandate) to adoption. What he’s not seeing is any sort of slowdown to generative AI innovation. Today we use things like CodeWhisperer almost as tools—like a calculator, he suggests. But a few years from now, he continues, we’ll see more of “a partnership between a software engineering team and the AI that is integrated at all parts of the software development life cycle.” In this near future, “Humans start to shift into more of a [director’s] role…, providing the ideas and the direction to go do things and the oversight to make sure that what’s coming back to us is what we expected or what we wanted.” As exciting as that future promises to be for developers, the present is pretty darn good, too. Developers of any level of experience can benefit from tools like Amazon CodeWhisperer. How developers use them will vary based on their level of experience, but whether they should use them is a settled question, and the answer is yes.

How can you ensure your Zero Trust Network Access rollout is a success?

As with any large project, buy-in from the board is essential for a successful ZTNA rollout. Getting senior leadership on side from the outset will make it far easier to secure the budget and resources required and enable the project to proceed smoothly. To achieve this, it's best to focus on the value in terms of outcomes for the business including security benefits and other advantages, such as regulatory compliance. Consider starting with a small pilot project first when it’s time to start implementation. Small but high-risk groups such as contractors and seasonal workers are a good starting point. A successful rollout here will showcase the benefits of Zero Trust to secure further leadership support and highlight any issues to work out ahead of larger implementations. It's also worth noting that, while it can be highly modular, ZTNA is still a complex endeavour that takes time and expertise. Bringing in project managers and consultants can help provide more specialist experience alongside your in-house IT and security personnel.

A Call to Action via Modular Collaboration

The transition towards Modular Open Systems Approaches (MOSA) necessitates a collaborative ecosystem where government entities, industry partners, and academic institutions converge. Consortia embody this spirit of cooperation by pooling resources, knowledge, and expertise to drive shared innovation and standardization. This collective approach not only accelerates the development of interoperable and modular technologies but also fosters a culture of continuous improvement, critical for adapting to the ever-evolving landscape of defense technology. Modular contracting offers a practical framework for implementing the principles of action and collaboration. By decomposing large projects into smaller efforts, just as we decompose complex systems to manageable components, we achieve an approach that is modular and allows for greater flexibility, risk mitigation, and the inclusion of innovative solutions from a broader range of contributors. Modular contracting supports agile acquisition processes, facilitating rapid iteration, and deployment of new technologies, thereby enhancing the defense sector’s capability to respond to emerging threats and opportunities.

Akamai, Neural Magic team to bolster AI at the network edge

The combination of technologies could solve a dilemma that AI poses: whether it’s worth it to put computationally intensive AI at the edge—in this case, Akamai’s own network of edge devices. Generally, network experts feel that it doesn’t make sense to invest in substantial infrastructure at the edge if it’s only going to be used part of the time. Delivering AI models efficiently at the edge also “is a bigger challenge than most people realize,” said John O’Hara, senior vice president of engineering and COO at Neural Magic, in a press statement. “Specialized or expensive hardware and associated power and delivery requirements are not always available or feasible, leaving organizations to effectively miss out on leveraging the benefits of running AI inference at the edge.” ... “As we observe attacks shifting over time from not only exploiting very specific vulnerabilities but increasingly including more nuanced application-level abuse, having AI-aided anomaly detection capabilities can be helpful,” he said. “If partnerships such as this one open the door for increased use of deep learning and generative AI by more developers, I view this as positive.”

Foundations of Data in the Cloud

With the structure of data management in the cloud laid out, it's time to talk about security. After all, what good is a skyscraper if it's not safe? Data security in the cloud is a multifaceted challenge that involves protecting data at rest, in transit, and during processing. Encryption is the steel-reinforced door of our data house. It ensures that even if someone gets past the perimeter defenses, they can't make sense of the data without the right key. Cloud providers offer various encryption options, from server-side encryption for data at rest to SSL/TLS for data in transit. In this article, we spoke about encryption options for your data at rest. But security doesn't stop at encryption. It also involves identity and access management (IAM), ensuring that only authorized personnel can access certain data or applications. Think of IAM as the security guard at the entrance, checking IDs before letting anyone in. Moreover, regular security audits and compliance checks are like routine maintenance checks for a building. As we continue to build and innovate in the cloud, these practices must evolve to counter new threats and meet changing regulations.

A call for digital-privacy regulation 'with teeth' at the federal level

The US government and Americans in general are letting big tech companies get away with infringing the online privacy of millions of citizens who use "free" services in the form of apps and websites. Big tech's goal is to connect advertisers with an ideal customer, who, because of some online interaction, is perceived as being more likely to buy products like the ones the advertiser is selling. These tech companies collect information including search data, purchase history, payment information, facial recognition data, documents, photos, videos, locations, Wi-Fi location, IP address, birth date, mailing address, email address, phone number, activities or interactions such as videos watched, app use, emails sent and received, activity on your device, phone calls — and a lot more. ... It should come as no surprise that the companies tracking users employ cryptic legal language to explain what they do with your data. And whatever privacy controls users might have been provided tend to be incomplete, spread out, difficult to find, ambiguous, or needlessly complex. Plus, both the legalese and privacy settings can change without notice.

Demonstrating the Value of Data Governance

According to Hook, quantifying cost savings “is the easiest and most effective way to show value.” He advises turning intangible wins into tangible ones. For example, a data scientist spends less time cleaning data because of the better Data Quality delivered by the Data Governance program, and adds a testimonial. A DG manager can interview the data scientist to determine the time saved and use Glassdoor PayScale, a popular platform for researching salaries, to put a cost on the time freed up for that person to do more impactful work. Although this approach does not include revenue generated by Data Governance, “it remains the most popular way to get the hard dollars,” Hook observed. ... The second-most impactful way to show the value of Governance calls attention to tangible wins. Examples include product optimization, speed to market, effective decision-making, or revenue-generating opportunities. Hook noted that people generally do not expect to realize profitable value from DG services. However, these results indicate that the DG program has value and can be sustained as a pro. On the con side, sticking with only tangible wins limits evidence to the past or present and does not provide information on future capabilities.

Quote for the day:

“There is only one thing that makes a dream impossible to achieve: the fear of failure.” -- Paulo Coelho
