How cloud-native apps and microservices impact the development process
One of the more important coding disciplines in object-oriented programming and
SOA is code refactoring. The techniques allow developers to restructure code as
they better understand usage considerations, performance factors, or technical
debt issues. Refactoring is a key technique for transforming monolithic
applications into microservices. Refactoring strategies include separating the
presentation layer, extracting business services, and refactoring databases.
Robin Yeman, strategic advisory board member at Project and Team, has spent most
of her career working on large-scale government and defense systems. Robin
concedes, “The largest technology barriers to utilizing agile in building or
updating complex legacy systems are the many dependencies in the software
architecture, forcing multiple handoffs between teams and delays in delivery.”
Robin suggests that refactoring should focus on reducing dependencies. She
recommends, “Refactoring the software architecture of large legacy systems to
utilize cloud-native applications and microservices reduces dependencies between
the systems and the teams supporting them.”
Web3 Architecture and How It Compares to Traditional Web Apps
According to Kasireddy, backend programming for a dapp is entirely different
than for a traditional web application. In Web3, she writes, “you can write
smart contracts that define the logic of your applications and deploy them onto
the decentralized state machine [i.e. the Ethereum blockchain].” Web servers and
traditional databases, in this paradigm, are no longer needed — since everything
is done on, or around, the blockchain. She notes a bit later in the post that
“Smart contracts are written in high-level languages, such as Solidity or
Vyper.” Solidity was partly inspired by ECMAScript syntax, so it has some
similarities to JavaScript (but is very different in other ways). As for the
frontend, that “pretty much stays the same, with some exceptions,” writes
Kasireddy. ... There are also complications when it comes to “signing”
transactions, which is the cryptographic process that keeps blockchains secure.
You need a tool like MetaMask to handle this.
UEFI threats moving to the ESP: Introducing ESPecter bootkit
Even though Secure Boot stands in the way of executing untrusted UEFI binaries
from the ESP, over the last few years we have been witness to various UEFI
firmware vulnerabilities affecting thousands of devices that allow disabling
or bypassing Secure Boot. This shows that securing UEFI firmware is a
challenging task and that the way various vendors apply security policies and
use UEFI services is not always ideal. Previously, we have reported multiple
malicious EFI samples in the form of simple, single-purpose UEFI applications
without extensive functionality. These observations, along with the concurrent
discovery of the ESPecter and FinFisher bootkits, both fully functional UEFI
bootkits, show that threat actors are not relying only on UEFI firmware
implants when it comes to pre-OS persistence, but also are trying to take
advantage of disabled Secure Boot to execute their own ESP implants. We were
not able to attribute ESPecter to any known threat actor, but the Chinese
debug messages in the associated user-mode client component leads us to
believe with a low confidence that an unknown Chinese-speaking threat actor is
behind ESPecter.
Business Leadership Changed: The New Skills You Must Master
Strategic plans are important to achieving your vision, but they can't be set
in stone either. The pandemic was an unforeseen situation that took all
companies in the world by surprise. Consequently, it is important to be ready
to turn, change course quickly, and try to affect the entire organization as
little as possible. ... People are inherently social creatures. It should come
as no surprise then that we long to feel connected to the people we spend most
of our time with. So how can we, as business leaders, help these connections
occur between employees? Gregg Lederman is a bestselling author focused on
employee interaction. After a long investigation he discovered 3 things that
people need at work to feel completely fulfilled: The Need for
Recognition: People have a need to be recognized for the skill and perspective
they bring and for the challenges they have accomplished; The need for
respect: People want to be respected for who they are as individuals and
professionals and how they contribute to the team; The need for
relationships: People want satisfying relationships with the people they work
with.
Encrypted & Fileless Malware Sees Big Growth
“This malware family uses PowerShell tools to exploit various vulnerabilities
in Windows,” according to the firm. “But what makes it especially interesting
is its evasive technique. WatchGuard found that AMSI.Disable.A wields code
capable of disabling the Antimalware Scan Interface (AMSI) in PowerShell,
allowing it to bypass script security checks with its malware payload
undetected.” ... In just the first six months of 2021, malware detections
originating from scripting engines like PowerShell had already reached 80
percent of last year’s total script-initiated attack volume. At its current
rate, 2021 fileless malware detections are on track to double in volume year
over year. “Malicious PowerShell scripts have been known to hide in the memory
of the computer and already use legitimate tools, binaries and libraries that
come installed on most Windows systems,” explained the report. “That is why
attackers have increased their use of this technique, called living off the
land (LotL) attacks. Using these methods, a vaporworm might make its script
invisible to many antivirus systems that don’t inspect the scripts or systems’
memory.”
What if Chrome broke features of the web and Google forgot to tell anyone?
Earlier this year Chrome developers decided that the browser should no longer
support JavaScript dialogs and alert windows when they're called by
third-party iframes. That means that if something is embedded from another
website, let's say a YouTube video, Chrome wants to stop allowing that
embedded content to call the JavaScript alert function, which opens a small
alert window. Eventually Chrome aims to get rid of alert windows altogether.
So what happens when Chrome does this? At first nothing because it's an
obscure entry in a bug tracker – CC'd to the Web Hypertext Application
Technology Working Group (WHATWG) – that Chromium and other browser engineers
read. ... You know what isn't happening here? No substantial public
discussion happens, certainly not with builders of websites. Google puts its
idea forward as bug reports, some folks at Apple working on WebKit and at
Mozilla working on Firefox are invited to agree with it in a WHATWG GitHub
thread and Bugzilla discussion, and they do. Google gets what it wants and the
web breaks.
The Shortfalls of Mean Time Metrics in Cybersecurity
As a measurement standard, mean times are a legacy paradigm brought over from
call centers many eons ago. Over the years, cybersecurity leaders adopted
similar metrics because IT departments were familiar with them. In today's
reality, mean times don't map directly to the type of work we do in
cybersecurity, and we can't entirely generalize them to be meaningful
indicators across the attack lifecycle. While these averages might convey
speed relative to specific parts of the attack lifecycle, they don't provide
any actionable information other than potentially telling you to hurry up. In
the best-case scenario, MTTX becomes a vanity metric that looks great on an
executive dashboard but provides little actual business intelligence. ... The
fastest MTTX is not worth anything if it measures the creation of an
inaccurate alert. We want mean time metrics to tell us about actual alerts, or
true positives and not be skewed by bad data. So, you might be thinking, "how
does an untuned MTTX tell you about the quality of work your security provider
does, or how safe it makes your systems?"
How Non-Fungible Tokens Work: NFTs Explained, Debunked, and Legitimized
In a real marketplace, even if the property is intellectual property (such as
a patent or copyright, whose form can be entirely digital), there will
likewise need to be a contractual transfer of the rights to that intellectual
property to a new party, with the transfer again having the full endorsement
and power of law behind it. For instance, if in making an intellectual
property purchase, I acquire the copyright to a picture, even a digital
picture, the real market that operates in our society ensures that the
transfer is subject to its laws and strictures. Through my purchase, I will
own the picture in a real sense and can take legal action against anyone who
tries to infringe on my copyright (such as by posting it on a blog without my
permission). By contrast, the concept of owning an NFT on a blockchain is
specific to the blockchain with no legal force in the society at large.
Suppose I snap a digital photo. Because I’m the one who snapped the photo, US
law agrees that I own the copyright to it.
WebAssembly: The Future of Cloud Native Distributed Computing
In its own right, WebAssembly brings new capabilities and additional security
features to modern development environments — both in the browser and with
cloud native. However, modern cloud native developers are confronted with new
challenges, such as CPU diversity, multiple operating environments, security,
distributed application architecture, and scalability, that transcend
deployments into a single public cloud provider. To understand the modern
distributed computing environment, one must consider the rising diversity
inside the public cloud, where we see new ARM CPUs challenging the historical
dominance of the x86 chipsets, competing on both cost and performance.
Traditional enterprise systems typically compile software to a specific
development environment including a CPU and an operating system, such as
Linux-32 bit, MacOS-ARM64, or Windows-64bit. Looking past the public cloud
towards the edge, we find an even more diverse range of execution environments
on an assorted set of CPU architectures.
Post-Quantum: Bi-Symmetric Hybrid Encryption System
A significant difference from commonly employed asymmetric encryption is that
during the initial handshake to set up communication, no vulnerable data are
exchanged. Should the sender key communication be intercepted by a hacker,
they still cannot pretend to be the originator of the communication to the
receiver. The encryption itself is achieved by randomly generating keys and
interweaving them with portions of unencrypted data to be transmitted, applied
to single bytes of data rather than long byte collections. During the initial
handshake, private keys are generated from or found in the form of login
credentials, credit card information, biometric data, or other personal
credential information or pre-shared private keys. The private keys are used
to start the handshake and are never actually transmitted. Randomly generated
data in the form of challenge codes, counter challenge codes and session keys
are exchanged during the handshake. This allows for the client and server to
ascertain that the communicator, at the other end, are who they say they are.
Quote for the day:
"Leaders who won't own failures become failures." --
Orrin Woodward
