How American Express Created an Open Source Program Office
American Express has established an open source program office that gamifies the
safe development of open source code that can be poured back into the community.
“Without the program existing, a lot of people at the company wouldn’t know
about giving back to open source, they wouldn’t see the power in it,” said
Amanda Chesin, software engineer at American Express, during a presentation at
OSFF. The AmEx OSPO started as an informal group of developers trying to
establish a symbiotic relationship with the open source community, said Tim
Klever, vice president of the development experience at AmEx, at the conference.
The first step was to convince the skeptical upper management of the value of
open source. Security issues were the single largest concern among 56% of
executives surveyed by FINOS. That was followed by quality of components,
compliance with external regulations, and licensing of intellectual properties.
... “That’s really when we kind of became official because we had someone to
worry about this stuff and work on it the whole time, even though we only got
[her] for a summer,” Klever said.
Navigating the uncharted waters of the Digital Protection Act 2023: Overcoming unsolicited challenges in the digital realm
Of particular note is the provision for grievance redressal, affording
individuals a legal avenue to hold data fiduciaries accountable. However, in
contrast to the penalties imposed on data fiduciaries for non-compliance, the
Data Protection Board's authority to levy fines on data principals (for
violations of duties not to file frivolous complaints or impersonate others) is
limited to a modest sum of up to ₹ 10,000. This duality poses a significant
concern, as it introduces the possibility of groundless complaints. A successful
complaint can yield a substantial ₹ 200 crore award, while an unsuccessful one
carries a comparatively nominal penalty of ₹ 10,000. This dynamic could lead to
an influx of speculative claims and an environment of undue frustration. There
may be merit in revisiting the penalty structure, aligning it with the sum
initially sought by the complainant to ensure the integrity of the complaint
forum. One notable absence in the Act is the 'right to be forgotten', a
provision in comparable digital data protection legislations like the
GDPR.
Could edge computing unlock AI’s vast potential?
Beyond the increased performance that AI applications demand, a key benefit of
the edge model is reliability and resilience. Consumers have taken to AI, with
73% worldwide saying they trust content produced by generative AI, and 43% keen
for organizations to implement generative AI throughout customer interactions.
Businesses that can’t keep their AI-powered services running will suffer from
declining customer satisfaction and even a drop in market share. When a
traditional data center suffers a power outage – perhaps due to a grid failure
or natural disaster – apps reliant on these centralized data centers simply
cannot function. Edge computing avoids this single point of failure: with
compute more distributed, smart networks can instead use the processing power
nearest to them to keep functioning. There are also benefits when it comes to
data governance. If sensitive data is processed at the edge of the network, it
doesn’t need to be processed in a public cloud or centralized data center,
meaning fewer opportunities to steal data at rest or in transit. ... Finally,
there are cost savings to think about. Cloud service providers often charge
businesses to transfer data from their cloud storage.
Cloud security and devops have work to do
First, they are not given the budget to plug up these vulnerabilities. In some
instances, this is true. Cloud and development security are often underfunded.
However, in most cases, the funding is good or great relative to their peers,
and the problems still exist. Second, they can’t find the talent they need. For
the most part, this is also legit. I figure that there are 10 security and
development security positions that are chasing a single qualified candidate. As
I talked about in my last post, we need to solve this. Despite the forces
pushing against you, there are some recommended courses of action. CISOs should
be able to capture metrics demonstrating risks and communicate them to
executives and the board. Those are hard conversations but necessary if you’re
looking to take on these issues as an executive team and reduce the impact on
you and the development teams when stuff hits the fan. In many instances, the
C-levels and the boards consider this a ploy to get more budget—that needs to be
dealt with as well. Actions that can remove some of this risk include continuous
security training for software development teams.
Windows-as-an-app is coming
Windows App, which is still in beta, will let you connect to Azure Virtual
Desktop, Windows 365, Microsoft Dev Box, Remote Desktop Services, and remote PCs
from, well, pretty much any computing device. Specifically, you can use it from
Macs, iPhones, iPads, other Windows machines, and — pay attention! — web
browsers. That last part means you'll be able to run Windows from Linux-powered
PCs, Chromebooks, and Android phones and tablets. So, if you've been stuck
running Windows because your boss insists that you can't get your job done from
a Chromebook, Linux PC, or Mac, your day has come. You can still run the machine
you want and use Windows for only those times you require Windows-specific
software. Mind you, you've been able to do that for some time. As I pointed out
recently, all the Windows software vendors don't want you to run standalone
Windows applications; they prefer web-based Software-as-a-Service (SaaS)
applications. They can make a lot more money from you by insisting you pay a
monthly subscription rather than a one-time payment. Sure, Microsoft made its
first billions from Windows and the PC desktop, but that hasn't been its
business plan for years now.
Q-Learning: Advancing Towards AGI and Artificial Superintelligence (ASI) through Reinforcement Learning
At its essence, Q-learning is akin to introducing a reward system to a computer,
aiding it in deciphering the most effective strategies for playing a game. This
process involves defining various actions that a computer can take in a given
situation or state, such as moving left, right, up, or down in a video game.
These actions and states are meticulously logged in what is commonly referred to
as a Q-table. The Q-table serves as the computer’s playground for learning,
where it keeps tabs on the quality (Q-value) of each action in every state.
Initially, it’s comparable to a blank canvas – the computer embarks on this
journey without prior knowledge of which actions will lead to optimal results.
The adventure commences with exploration. The computer takes a plunge into
trying out different actions randomly, navigating the game environment, and
recording the outcomes in the Q-table. Think of it as the computer playfully
experimenting and gradually figuring out the lay of the land. Learning from
Rewards forms the core of Q-learning. Each time the computer takes an action, it
earns a reward.
ChatGPT Use Sparks Code Development Risks
Randy Watkins, CTO at Critical Start, advises organizations to build their own
policies and methodology when it comes to the implementation of AI-generated
code into their software development practices. “In addition to some of the
standard coding best practices and technologies like static and dynamic-code
analysis and secure CI/CD practices, organizations should continue to monitor
the software development and security space for advancements in the space,” he
told InformationWeek via email. He says organizations should leverage
AI-generated code as a starting point but tap human developers to review and
refine the code to ensure it meets standards. John Bambenek, principal threat
hunter at Netenrich, adds leadership needs to “value secure code”, make sure
that at least automated testing is part of all code going to production.
“Ultimately, many of the risks of generative AI code can be solved with
effective and thorough mandatory testing,” he noted in an email. He explains as
part of the CI/CD pipeline, ensure mandatory testing is done on all production
commits and routine comprehensive assessment is done on the entire codebase.
6 common problems with open source code integration
Closed source software is typically maintained, updated and patched exclusively
by the software vendors, which can be a big benefit for development teams who
lack the time, resources or expertise to do it themselves. Some open source
platforms receive active support from proprietary software vendors, such as Red
Hat Enterprise Linux and commercial distributions of Kubernetes. For the most
part, however, organizations that deploy open source software are responsible
for ensuring it remains updated. Failure to do so carries the risk of running
outdated code that is buggy or has security vulnerabilities. This challenge is
exacerbated by a lack of centralized management consoles or automated update
processes that can help ensure all the open source components in use are up to
date -- something often highlighted as an advantage of paying the price for
proprietary software suites. This is another reason SCA tools are crucial for
organizations that commit to the open source approach. While these tools don't
provide automated update capabilities, they help the organization track what
open source components exist and what each one's current version is.
More questions for Australia cybersecurity strategy
Fairman believes that strategies are only good if they’re successfully
implemented, and committing to reporting deadlines or processes is a way to
reassure everyone that the government will do its best to stick to its plan. “We
have to consider the financial impact of some of those measures on businesses,
and the costs they will have to bear. The economy is still very much in a
recovery phase, and many businesses will probably need some sort of financial
support to afford cybersecurity upgrades. A cyber-health check for SMBs is
great, but if most can’t afford to fill the identified cybersecurity gaps, the
plan will fail,” added Fairman. ... As the strategy outlined six shields for
cybersecurity, Thompson felt that there could have also been one dedicated
solely to citizen responsibility would have been a useful inclusion. ... On
sharing threat intelligence in the region, Thompson, who is also the former head
of information warfare for the Australian Defense Forces, said that the
government’s strong focus on sovereign industry is something for which he and
others have long campaigned.
AI and contextual threat intelligence reshape defense strategies
Cybersixgill believes that in 2024, threat actors will use AI to increase the
frequency and accuracy of their activities by automating large-scale
cyberattacks, creating duplicitous phishing email campaigns, and developing
malicious content targeting companies, employees, and customers. Malicious
attacks like data poisoning and vulnerability exploitation in AI models will
also gain momentum, which cause organizations to provide sensitive information
to untrustworthy parties unwittingly. Similarly, AI models can be trained to
identify and exploit vulnerabilities in computer networks without detection.
Cybersixgill also predicts the rise of shadow generative AI, where employees use
AI tools without organizational approval or oversight. Shadow generative AI can
lead to data leaks, compromised accounts, and widening vulnerability gaps in a
company’s attack surface. ... The C-suite and other executives will need a
clearer understanding of their organization’s cybersecurity policies, processes,
and tools. Cybersixgill believes companies will increasingly appoint
cybersecurity experts on the Board to fulfill progressively stringent reporting
requirements and conduct good cyber governance.
Quote for the day:
"Remember, teamwork begins by building
trust. And the only way to do that is to overcome our need for
invulnerability." -- Patrick Lencioni
