Only DevSecOps can save the metaverse
We’ve previously talked about “shifting left,” or DevSecOps, the practice of
making security a “first-class citizen” when it comes to software development,
baking it in from the start rather than bolting it on in runtime. Log4j,
SolarWinds, and other high-profile software supply chain attacks only underscore
the importance and urgency of shifting left. The next “big one” is inevitably
around the corner. A more optimistic view is that far from highlighting the
failings of today’s development security, the metaverse might be yet another
reckoning for DevSecOps, accelerating the adoption of automated tools and better
security coordination. If so, that would be a huge blessing to make up for all
the hard work. As we continue to watch the rise of the metaverse, we believe
supply chain security should take center stage and organizations will rally to
democratize security testing and scanning, implement software bill of materials
(SBOM) requirements, and increasingly leverage DevSecOps solutions to create a
full chain of custody for software releases to keep the metaverse running
smoothly and securely.EU Parliament, Council Agree on Cybersecurity Risk Framework
"The revised directive aims to remove divergences in cybersecurity requirements
and in implementation of cybersecurity measures in different member states. To
achieve this, it sets out minimum rules for a regulatory framework and lays down
mechanisms for effective cooperation among relevant authorities in each member
state. It updates the list of sectors and activities subject to cybersecurity
obligations, and provides for remedies and sanctions to ensure enforcement,"
according to the Council of the EU. The directive will also establish the
European Union Cyber Crises Liaison Organization Network, EU-CyCLONe, which will
support the coordinated management of large-scale cybersecurity incidents. The
European Commission says that the latest framework is set up to counter Europe's
increased exposure to cyberthreats. The NIS2 directive will also cover more
sectors that are critical for the economy and society, including providers of
public electronic communications services, digital services, waste water and
waste management, manufacturing of critical products, postal and courier
services and public administration, both at a central and regional level.Catalysing Cultural Entrepreneurship in India
What constitutes CCIs varies across countries depending on their diverse
cultural resources, know-how, and socio-economic contexts. A commonly accepted
understanding of CCIs comes from the United Nations Educational, Scientific and
Cultural Organization (UNESCO), which defines this sector as “activities whose
principal purpose is production or reproduction, promotion, distribution or
commercialisation of goods, services, and activities of a cultural, artistic, or
heritage-related nature.”, CCIs play an important role in a country’s economy:
they offer recreation and well-being, while spurring innovation and economic
development at the same time. First, a flourishing cultural economy is a driver
of economic growth as attaching commercial value to cultural products, services,
and experiences leads to revenue generation. These cultural goods and ideas are
also contributors to international trade. Second, although a large workforce in
this space is informally organised and often unaccounted for in official labour
force statistics, cultural economies are some of the biggest employers of
artists, craftspeople, and technicians. Rethinking Server-Timing As A Critical Monitoring Tool
Server-Timing is uniquely powerful, because it is the only HTTP Response header that supports setting free-form values for a specific resource and makes them accessible from a JavaScript Browser API separate from the Request/Response references themselves. This allows resource requests, including the HTML document itself, to be enriched with data during its lifecycle, and that information can be inspected for measuring the attributes of that resource! The only other header that’s close to this capability is the HTTP Set-Cookie / Cookie headers. Unlike Cookie headers, Server-Timing is only on the response for a specific resource where Cookies are sent on requests and responses for all resources after they’re set and unexpired. Having this data bound to a single resource response is preferable, as it prevents ephemeral data about all responses from becoming ambiguous and contributes to a growing collection of cookies sent for remaining resources during a page load.Scalability and elasticity: What you need to take your business to the cloud
At a high level, there are two types of architectures: monolithic and
distributed. Monolithic (or layered, modular monolith, pipeline, and
microkernel) architectures are not natively built for efficient scalability
and elasticity — all the modules are contained within the main body of the
application and, as a result, the entire application is deployed as a single
whole. There are three types of distributed architectures: event-driven,
microservices and space-based. ... For application scaling, adding more
instances of the application with load-balancing ends up scaling out the other
two portals as well as the patient portal, even though the business doesn’t
need that. Most monolithic applications use a monolithic database — one of the
most expensive cloud resources. Cloud costs grow exponentially with scale, and
this arrangement is expensive, especially regarding maintenance time for
development and operations engineers. Another aspect that makes monolithic
architectures unsuitable for supporting elasticity and scalability is the
mean-time-to-startup (MTTS) — the time a new instance of the application takes
to start. Proof of Stake and our next experiments in web3
Proof of Stake is a next-generation consensus protocol to secure blockchains.
Unlike Proof of Work that relies on miners racing each other with increasingly
complex cryptography to mine a block, Proof of Stake secures new transactions
to the network through self-interest. Validator's nodes (people who verify new
blocks for the chain) are required to put a significant asset up as collateral
in a smart contract to prove that they will act in good faith. For instance,
for Ethereum that is 32 ETH. Validator nodes that follow the network's rules
earn rewards; validators that violate the rules will have portions of their
stake taken away. Anyone can operate a validator node as long as they meet the
stake requirement. This is key. Proof of Stake networks require lots and lots
of validators nodes to validate and attest to new transactions. The more
participants there are in the network, the harder it is for bad actors to
launch a 51% attack to compromise the security of the blockchain. To add new
blocks to the Ethereum chain, once it shifts to Proof of Stake, validators are
chosen at random to create new blocks (validate).Is NLP innovating faster than other domains of AI
There have been several stages in the evolution of the natural language
processing field. It started in the 80s with the expert system, moving on to
the statistical revolution, to finally the neural revolution. Speaking of the
neural revolution, it was enabled by the combination of deep neural
architectures, specialised hardware, and a large amount of data. That said,
the revolution in the NLP domain was much slower than other fields like
computer vision, which benefitted greatly from the emergence of large scale
pre-trained models, which, in turn, were enabled by large datasets like
ImageNet. Pretrained ImageNet models helped in achieving state-of-the-art
results in tasks like object detection, human pose estimation, semantic
segmentation, and video recognition. They enabled the application of computer
vision to domains where the number of training examples is small, and
annotation is expensive. One of the most definitive inventions in recent times
was the Transformers. Developed at Google Brains in 2017, Transformers is a
novel neural network architecture and is based on the concept of the
self-attention mechanism. The model outperformed both recurrent and
convolutional models.
Before you get too excited about Power Query in Excel Online, though, remember
one important difference between it and a Power BI report or a paginated
report. In a Power BI report or a paginated report, when a user views a
report, nothing they do – slicing, dicing, filtering etc – affects or is
visible to any other users. With Power Query and Excel Online however you’re
always working with a single copy of a document, so when one user refreshes a
Power Query query and loads data into a workbook that change affects everyone.
As a result, the kind of parameterised reports I show in my SQLBits
presentation that work well in desktop Excel (because everyone can have their
own copy of a workbook) could never work well in the browser, although I
suppose Excel Online’s Sheet View feature offers a partial solution. Of course
not all reports need this kind of interactivity and this does make
collaboration and commenting on a report much easier; and when you’re
collaborating on a report the Show Changes feature makes it easy to see who
changed what.
Given that observability is an analytics problem, it is surprising that the
current state of the art in observability tools has turned its back on the
most common standard for data analysis broadly used across organizations: SQL.
Good old SQL could bring some key advantages: it’s surprisingly powerful, with
the ability to perform complex data analysis and support joins; it’s widely
known, which reduces the barrier to adoption since almost every developer has
used relational databases at some point in their career; it is well-structured
and can support metrics, traces, logs, and other types of data (like business
data) to remove silos and support correlation; and finally, visualization
tools widely support it. ... You're probably thinking that observability data
is time-series data that relational databases struggle with once you reach a
particular scale. Luckily, PostgreSQL is highly flexible and allows you to
extend and improve its capabilities for specific use cases. TimescaleDB builds
on that flexibility to add time-series superpowers to the database and scale
to millions of data points per second and petabytes of data.
Ultimately, IT security is all about keeping the company safe from damages —
financial damages, operational damages, reputational and brand damages. You’re
trying to prevent a situation that not only will harm the company’s
well-being, but also that of its employees. That is why we need to explain the
actual threats and how incidents occur. Explain what steps can be taken to
lower the chances and impact of those incidents occurring and show them how
they can be part of that. People love learning new things, especially if it
has something to do with their daily work. Explain the tradeoffs that are
being made, at least in high-level terms. Explain how quickly convenience,
such as running a machine as an administrator, can lead to abuse. Not only
will the companies appreciate you for your honesty, but they will have the
right answer the next time the question comes up. They’ll think along the
constraints and find new ways of adding value to the business, while removing
factors from their daily work that might result in one less incident down the
line.
Quote for the day:
"Real leadership is being the person others will gladly and confidently follow." -- John C. Maxwell
Observability Powered by SQL: Understand Your Systems Like Never Before With OpenTelemetry Traces and PostgreSQL
Given that observability is an analytics problem, it is surprising that the
current state of the art in observability tools has turned its back on the
most common standard for data analysis broadly used across organizations: SQL.
Good old SQL could bring some key advantages: it’s surprisingly powerful, with
the ability to perform complex data analysis and support joins; it’s widely
known, which reduces the barrier to adoption since almost every developer has
used relational databases at some point in their career; it is well-structured
and can support metrics, traces, logs, and other types of data (like business
data) to remove silos and support correlation; and finally, visualization
tools widely support it. ... You're probably thinking that observability data
is time-series data that relational databases struggle with once you reach a
particular scale. Luckily, PostgreSQL is highly flexible and allows you to
extend and improve its capabilities for specific use cases. TimescaleDB builds
on that flexibility to add time-series superpowers to the database and scale
to millions of data points per second and petabytes of data.Why cyber security can’t just say “no“
Ultimately, IT security is all about keeping the company safe from damages —
financial damages, operational damages, reputational and brand damages. You’re
trying to prevent a situation that not only will harm the company’s
well-being, but also that of its employees. That is why we need to explain the
actual threats and how incidents occur. Explain what steps can be taken to
lower the chances and impact of those incidents occurring and show them how
they can be part of that. People love learning new things, especially if it
has something to do with their daily work. Explain the tradeoffs that are
being made, at least in high-level terms. Explain how quickly convenience,
such as running a machine as an administrator, can lead to abuse. Not only
will the companies appreciate you for your honesty, but they will have the
right answer the next time the question comes up. They’ll think along the
constraints and find new ways of adding value to the business, while removing
factors from their daily work that might result in one less incident down the
line.Quote for the day:
"Real leadership is being the person others will gladly and confidently follow." -- John C. Maxwell
