March 13, 2022
Kannan Subbiah
FCA | CISA | CGEIT | CCISO | GRC Consulting | Independent Director | Enterprise & Solution Architecture | Former Sr. VP & CTO of MF Utilities | BU Soft Tech | itTrident
APIs add to an organization’s attack surface, so it’s important to know where they are used. Gartner estimates that roughly 90% of web apps will soon have more of their exposed attack surface accounted for by APIs than by their own user interfaces. Indeed, in 2021, malicious traffic around APIs grew by nearly 350%. Despite these trends, API use only continues to grow. Gone are the days of monolithic applications. Modern enterprise web applications are built from coupled services that communicate through APIs galore, and each component is a target for attackers if left unchecked. Pair that widened attack surface with the insane growth of APIs, and the need for strong API security is clear. Organizations need to cover their entire attack surface with automated, accurate scans of both user interfaces and APIs if they want to eliminate potential weak spots before they become problems. Put simply, security debt is an organization’s total inventory of unresolved security issues. These issues have a wide variety of sources, including knowledge gaps, inadequate tooling, or cutting corners during testing in the race to market.
First and foremost, the frontend code operates in an insecure environment: a user’s browser. SPAs often possess a refresh token that grants offline access to a user’s resources and can obtain new access tokens without interaction from the user. As these credentials are readable by the SPA, they are vulnerable to cross-site scripting (XSS) attacks, which can have dangerous repercussions such as attackers gaining access to users’ personal data and functionalities not normally accessible through the user interface. As the online data pool grows and hackers become more sophisticated, security must be taken seriously to protect customers’ information and businesses’ reputations. However, designing security solutions for SPAs is no easy feat. As well as the strongest browser security and simple and reliable code, software developers must consider how to deliver the best user experience – wrapping all this into a solution that can be deployed anywhere. The SPA’s web content can be deployed to many global locations via a Content Delivery Network (CDN). Web content is then close geographically to all users so that web downloads are faster.
In addition to CSR, there has been much excitement about the future of AI in anti-corruption work. AI has increasingly become a part of our daily lives, from digital assistants like Siri and Alexa, to self-driving cars like Teslas and ride-hailing applications like Uber. Given that AI has been useful in so many ventures, anti-corruption scholars are eager to apply it to their work. In fact, AI has been described as “the next frontier in anti-corruption.” ... However, AI and anti-corruption discussions so far have mostly focused on governmental efforts to address corporate corruption, not on companies using AI to mitigate corporate corruption — even though many of them already use AI to maximize profit. In the corporate anti-corruption context, AI can provide companies with proposed investment destinations or transactions, help detect corruption risks in such ventures, and improve due diligence processes. AI can also provide more information for yearly anti-corruption policy reviews and assist in designing training based on AI analyses of company processes, reports and operations.
Another concept that resonates well is data products. Managing and providing data as a product isn't the extreme of dumping raw data, which would require every consuming team to repeat the same work on data quality and compatibility issues. It also isn't the extreme of building an integration layer around one (enterprise) canonical data model with strong conformance required from all teams. Data product design is a nuanced approach: taking data from your (complex) operational and analytical systems and turning it into read-optimized versions for organization-wide consumption. This approach comes with many best practices, such as aligning your data products with the language of your domain, setting clear interoperability standards for fast consumption, capturing data directly from the source of creation, addressing time-variant and non-volatile concerns, encapsulating metadata for security, ensuring discoverability, and so on. You can find more of these best practices here.
The metaverse has a mostly positive impact on brands, but there are still some loopholes that worry them. For instance, the French champagne house Armand de Brignac has recently filed trademark applications to register the appearance of its gold bottle packaging in virtual reality, augmented reality, video, social media and the web. Like this brand, many others have established identities built on their product and packaging. Since this alternate reality is fairly new territory for brands, it is difficult for them to gauge whether a product or its packaging has distinctiveness outside the metaverse. Even if it does, it is unclear whether those rights will be sufficient to claim infringement inside the metaverse. Among other concerns, the metaverse also brings privacy and security risks to light. Being an online-enabled space, it is uncertain whether consumers and brands will face new and unknown privacy and authenticity issues. The rise of the metaverse is just like that of the internet – former Amazon strategist Matthew Ball estimates that by 2027 every company will be a gaming company, implying that the metaverse will soon become a normal part of people’s lives.
The right of access has a broad scope: in addition to basic personal data, according to the EDPB it also includes, for example, subjective notes made during a job application, a history of internet and search engine activity, etc. Unless explicitly stated otherwise, the request must be understood to relate to all personal data relating to the data subject, but the controller may ask the data subject to specify the request if it processes a large amount of data. This applies to each request: if a data subject makes more than one request, it would therefore not be sufficient to provide access only to the changes since the last request. Even data that may have been processed incorrectly or unlawfully should be provided. Data that has already been deleted, for example in accordance with a retention policy, and is therefore no longer available to the controller, does not need to be provided. Specifically, the controller will have to search all IT systems and other archives for personal data using search criteria that reflect the way the information is structured, for example, name and customer or employee number.