September 08, 2023


Peril vs. Promise: Companies, Developers Worry Over Generative AI Risk

One widespread concern over AI is that the systems will replace developers: 36% of developers worry that they will be replaced by an AI system. Yet the GitLab survey also gave more weight to arguments that disruptive technologies result in more work for people: Nearly two-thirds of companies hired employees to help manage AI implementations. Part of the concern seems to be generational. More experienced developers tend not to accept the code suggestions made by AI systems, while more junior developers are more likely to accept them, Lemos says. Yet both are looking to AI to assist them with the most boring work, such as documentation and creating unit tests. "I'm seeing a lot more developers raising the idea of having their documentation written by AI, or having test coverage written by AI, because they care less about the quality of that code, but just that the test works," he says. "There's both a security and a development benefit in having better test coverage, and it's something that they don't have to spend time on."


Feds Urge Immediate Patching of Zoho and Fortinet Products

CISA found that beginning in January, multiple APT groups separately exploited two different critical vulnerabilities to gain unauthorized access and exfiltrate data from the organization. Both of the unrelated flaws - CVE-2022-47966 in Zoho ManageEngine and CVE-2022-42475 in Fortinet FortiOS SSL VPN - have been classified as being of critical severity, meaning they can be exploited to remotely execute code, allowing attackers to take control of the system and pivot to other parts of the network. Each of the vendors issued updates patching their flaws in late 2022. Researchers refer to these as N-day vulnerabilities, meaning known flaws, as opposed to zero-day vulnerabilities, for which no patch is yet available. The alert, issued by CISA, the FBI and U.S. Cyber Command's Cyber National Mission Force, includes details of how attackers used each of the flaws to gain wider access to victims' networks. The advisory doesn't state which nation or nations' APT groups have been tied to known exploits of these flaws.


Scrum Master Skills We Rarely Talk About: Change Management

The initial stride towards constructing a "compelling case for change" is the vision of the type of Organization we aspire to become. It's crucial to emphasize that the organization's mode of operation should never serve as the ultimate goal in itself. Rather, it serves as a supplementary element that "enables" the organization in the pursuit of its objectives. This, in turn, gives rise to the necessity for change, marking the starting point of the entire process. A clearly expressed need for change (or the response to the question "Why exactly?") opens the gateway to the subsequent consideration: how should our Organization function to realize its goals? This is what we refer to as the Ideal State. Once we've defined the Ideal State of the organization, we can precisely articulate the exact optimizations required, alongside the pivotal indicators we will employ to monitor our progress throughout the change process. The Optimization Goal acts as our compass, guiding the direction of change or indicating precisely what adjustments need to be made.


Cloud first is dead—cloud smart is what’s happening now

Cloud smart involves making the best use of cloud concepts whether they are on premises or off and fundamentally making the most rational choice of locality as part of the thinking. A cloud smart architectural approach is essential because it enables enterprises to optimize their on-premises IT infrastructure and leverage the benefits of the cloud as well. With cloud smart architecture, enterprises can design and deploy highly available, scalable, and resilient solutions that have cloud operating characteristics to adapt to their changing business needs. After the initial rush to public cloud, this belated dose of reality is a positive. It reflects the recognition that there needs to be a smarter balance between what's on premises vs. what's in the public cloud. Knowing how to strike the right balance—with the understanding that not every application is meant for the cloud—can ensure that you optimize performance, reliability, and cost, driving better long-term outcomes for your organization.


Are We Ready for a World Without Passwords?

Passwordless authentication simply means eliminating passwords. FIDO Alliance introduced FIDO2, a universally accepted authentication protocol offering frictionless, phishing-resistant, passwordless authentication. FIDO2 allows users to authenticate a web, SaaS, or mobile application using native device biometrics or PIN from their laptop, desktop or mobile phone. The user can access any application with a simple swipe on the fingerprint reader, a face nod to the camera or by entering a static PIN on their device. FIDO2 passwordless authentication is MFA by default and phishing resistant since the attacker needs physical access to the device and also access to the user’s PIN or biometrics. FIDO2 uses cryptographic keys (public and private) where the private key and the user’s biometric data do not leave the user’s device, thereby protecting the user’s privacy. It also prevents user activity tracking across services since a unique set of credentials is generated for each service.
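How a service checks such a login, as an added example that is not part of the original article: the Python below runs the relying-party checks on a WebAuthn (FIDO2) assertion that tie a credential to one service and confirm the PIN or biometric step (origin, challenge, rpIdHash, the user-present and user-verified flags, and the signature counter). The function names and the example.test domains are assumptions and the sample data is constructed; verifying the signature with the stored public key is a separate step that is assumed to happen as well.

```python
import base64
import hashlib
import hmac
import json
import struct

UP, UV = 0x01, 0x04  # authenticator data flag bits: user present, user verified


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion(client_data_json, auth_data, *, rp_id, origin, challenge, stored_count):
    """Return the list of failed checks (an empty list means all passed)."""
    failed = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if cd.get("challenge") != b64url(challenge):  # must echo this login's challenge
        failed.append("challenge")
    if cd.get("origin") != origin:  # the browser reports the site it was really on
        failed.append("origin")
    if len(auth_data) < 37:  # 32-byte rpIdHash + 1 flag byte + 4-byte counter
        return failed + ["authData length"]
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (count,) = struct.unpack(">I", auth_data[33:37])
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        failed.append("rpIdHash")  # credential was scoped to a different service
    if not flags & UP:
        failed.append("user not present")
    if not flags & UV:
        failed.append("user not verified")  # no PIN or biometric check was done
    if (count or stored_count) and count <= stored_count:
        failed.append("signCount")  # counter did not advance
    return failed


def make_sample(rp_id, origin, challenge, flags=UP | UV, count=7):
    """Constructed sample of what a browser and authenticator would return."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)
    return cdj, auth


CHALLENGE = bytes(range(32))  # constructed; a real server uses a fresh random value per login
EXPECT = dict(rp_id="example.test", origin="https://example.test", challenge=CHALLENGE, stored_count=6)

if __name__ == "__main__":
    print(check_assertion(*make_sample("example.test", "https://example.test", CHALLENGE), **EXPECT))
    print(check_assertion(*make_sample("examp1e.test", "https://examp1e.test", CHALLENGE), **EXPECT))
```

An assertion produced on the look-alike origin fails both the origin and rpIdHash checks even though the user completed the gesture, because both values are filled in by the browser and authenticator rather than typed by the user.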


Is Security a Dev, DevOps or Security Team Responsibility?

Security is not the job of any one group or type of role. On the contrary, security is everyone’s job. Forward-thinking organizations must dispense with the mindset that a certain team “owns” security, and instead embrace security as a truly collective team responsibility that extends across the IT organization and beyond. After all, there is a long list of stakeholders in cloud security, including: Security teams, who are responsible for understanding threats and providing guidance on how to avoid them; Developers, who must ensure that applications are designed with security in mind and that they do not contain insecure code or depend on vulnerable third-party software to run; ITOps engineers, whose main job is to manage software once it is in production and who therefore play a leading role both in configuring application-hosting environments to be secure and in monitoring applications to detect potential risks; DevOps engineers, whose responsibilities span both development and ITOps work, placing them in a position to secure code during both the development and production stages.
