
Modern least privilege and DevSecOps

Categories

Tags infosec cio devops kubernetes containers software-architecture

James Watters, CTO for Modern Apps at VMware, gave a compelling talk at Cloud Native Security Day on what he called “modern least privilege.” The basic concept is to apply the principle of least privilege across the DevSecOps lifecycle to properly secure modern apps. By Kit Colbert @VMware, Cloud CTO.

Modern apps are more complicated than traditional apps – they have greater scale, change faster, are more distributed (i.e., no traditional security perimeter). While it may seem like this would make it more difficult to secure them, many of the innovations in the cloud native development space, when properly leveraged, can make many aspects of security easier by automating them and making them the default/easy option.

There are several principles of cloud native architecture that underpin the 3 Rs (Repair, Repave, Rotate):

  • Immutability
  • Ephemerality
  • Ephemeral identity
  • Event-driven vulnerability management
  • DevX as control (Shift left + DevX)

Delivering a great developer experience means allowing the developer to focus on their business logic. Developers should be thinking about security, but ideally the DevSecOps platform just handles most of it for them. That is, the security controls, as much as possible, are simply built in.

We have an exciting opportunity to dramatically improve security in our enterprise applications by embracing these principles of modern least privilege. Good read!

[Read More]

How to fix cybersecurity skills gap? Competitive pay

Categories

Tags management infosec cio miscellaneous

How to close the cybersecurity skills gap? Here’s a novel idea: pay security professionals better. By Jessica Lyons Hardcastle.

This simple fix could help address a decade-old problem, according to this year’s The Life and Times of Cybersecurity Professionals report, which found 38% of respondents believe that lack of competitive compensation is the No. 1 reason for the skills shortage.

Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) conducted research for their fifth annual report earlier this year. It’s based on data from a global survey of 489 cybersecurity professionals.

The report could be split into:

  • Companies aren’t investing in people
  • Cybersecurity training gap
  • Build relationships across the business
  • Advice for entry-level professionals

The top piece of advice (49%) was to get a basic cybersecurity certification, followed by joining a professional industry organization (42%) and finding a mentor (36%). Additionally, 29% recommend specializing in a particular cybersecurity area. Interesting read!

[Read More]

How to demonstrate ROI from your cyber security strategy

Categories

Tags management infosec cio cloud devops

The best outcome from a well-executed cyber security strategy should be that a business experiences no change or disruption to their operations or systems in the case of an external threat. By Martin Riley.

While avoidance of damage from cyber attacks should arguably be seen as justification for cyber security investment alone, if the outcome is invisible, the risk is that this investment comes under the spotlight and its validity called into question.

In terms of cyber security investment, the article then describes:

  • Define your strategy
  • Demonstrate competitive advantage
  • Maximise your technology investment
  • Gaining confidence from the board

Maximising your cyber security investment is crucial to demonstrating ROI. There are tangible ways you can achieve this by driving greater efficiencies – and one area ripe for improvement is reducing the time it takes to cut through the noise created by outdated technologies, particularly when it comes to monitoring and response. Good read!

[Read More]

Building well-architected serverless applications: Regulating inbound request rates

Categories

Tags devops app-development cio aws cicd serverless

This series of blog posts uses the AWS Well-Architected Tool with the Serverless Lens to help customers build and operate applications using best practices. In each post, I address the serverless-specific questions identified by the Serverless Lens along with the recommended best practices. By Julian Wood.

Figure: API Gateway throttling (source: https://aws.amazon.com/blogs/compute/building-well-architected-serverless-applications-regulating-inbound-request-rates-part-1/)

The article pays attention to:

  • Throttle inbound request rates using steady-rate and burst rate requests
  • Identify the steady-rate and burst-rate requests that your workload can sustain at any point in time before performance degrades

Regulating inbound requests helps you adapt different scaling mechanisms based on customer demand. You can achieve better throughput for your workloads and make them more reliable by controlling requests to a rate that your workload can support. Nice one!

[Read More]

Safari isn't protecting the web, it's killing it

Categories

Tags browsers cloud javascript infosec

I have seen some interesting rebuttals, most commonly: Safari is actually protecting the web, by resisting adding unnecessary and experimental features that create security/privacy/bloat problems. That is worth further discussion, because it’s widespread, and wrong. By Tim Perry.

The article makes plenty of good points summarised under:

  • Safari is killing the web by omitting easy safe features
  • Safari is killing the web through show-stopping bugs
  • Safari is killing the web by ignoring proposed new APIs

The health of the browser ecosystem affects everybody. There are two clear parallels with the past here:

  • The slow death of IE: by offering web developers fewer bugs, better tools and more features while IE stagnated, Firefox built enough developer goodwill to dramatically expand its marketshare against the odds, forcing IE (later Edge) to follow its lead.
  • WebExtensions: despite every browser previously offering their own add-on APIs, Chrome effectively dominated developer mindshare, provided more powerful & easier to use extension APIs that became far more popular, and both Firefox & Safari have eventually killed their own APIs and accepted Chrome’s, unintentionally allowing Google to unilaterally set the web extension standard.

For more follow the link to the full article. Well worth your time!

[Read More]

Combine functional and object oriented programming

Categories

Tags programming software javascript app-development functional-programming

There are many languages that support both functional and object-oriented programming (OOP) such as Javascript, C#, Scala … In my case, learning functional programming (FP) from OOP experience creates some confusion on how to best use functional and OOP together. By Thang Le.

One of the main advantages of FP is providing a clean and concise way to represent business logic. Pure functions are easily tested and organized. Thus, in programming languages that support both FP and OOP, the main means of tackling business puzzles should primarily be functions.

The article content is split into:

  • Functions for logic and objects for modularity
  • Separating domain models and business logic
  • Immutability in pure functions

Good code structure increases development velocity, reduces the number of bugs and prevents the application from growing in complexity. Understanding all aspects of the business domain is a prerequisite for a well-organized codebase. Thus, investing time to learn about the domain you are working on will certainly bring great benefits. Good read!

[Read More]

What is telemetry?

Categories

Tags devops app-development cio analytics cloud cicd

Customers require an easy process to gather the data from these various products and communicate it for monitoring and analysis. That is the basis for where and why telemetry was created. By logicmonitor.com.

In the world of software development and application monitoring, telemetry is one of the latest ways to keep track of the progress of the software. Telemetry helps the developers stay aware of the performance of the software and notifies them if a problem occurs with the application.

The article also covers:

  • Introduction to telemetry
  • What does telemetry mean for application monitoring?
  • How does telemetry work?
  • Benefits of telemetry

Telemetric analysis has made quite an impact in the world of software development. It has made the process of making a better application much easier. One thing that should be noted is that since all of the users usually do not sign up for telemetry, the data acquired is not accurate. But various studies show that it is far better than any of the conventional methods. Good read!

[Read More]

Crowdsourcing in the Circular Economy

Categories

Tags management miscellaneous cio learning teams

Much of the work and focus in the circular economy is based around disrupting standard linear economy business models of “take-make-waste” to ones where higher proportions of resources can be recycled with minimal disposal. Written by Clive Reffell.

Poland, as an example, released its “Roadmap towards the Transition to the Circular Economy” in 2019. Its key aims are to maximise the value of raw materials and resources, and to minimise waste that cannot be re-used or recycled. In particular, Poland has great potential for improvement concerning industrial waste, such as from mining and extraction, industrial processing, and energy production and supply (the primary source of electrical power and heat remains burning coal and lignite).

It’s not that circular economy practices are not or cannot be profitable. But where it makes a difference is how “value” is recognised and measured, what it represents to different stakeholders, when it is measured, and how it is distributed.

The article’s main points:

  • Sharing economy
  • Beyond tangibles
  • Where the circular economy delivers bigger benefits
  • Crowdfunding supports circular economy initiatives
  • B Corps provide longer term circular economy opportunities
  • What next for the circular economy?

We’ve shown examples of circular economy practices used around the world. It is a growing trend as it is vital for regenerative and sustainable growth. For it to go beyond individual and piecemeal efforts there are requirements for industry-wide standards, policies and often a regulatory infrastructure. Nice one!

[Read More]

Hand labeling considered harmful

Categories

Tags cio big-data data-science analytics

Labeling training data is the one step in the data pipeline that has resisted automation. It’s time to change that. By Shayan Mohanty and Hugo Bowne-Anderson @oreilly.com.

There are serious challenges with software and models, including the data they’re trained on, how they’re developed, how they’re deployed, and their impact on stakeholders. These challenges commonly result in both algorithmic bias and lack of model interpretability and explainability.

The article does deep dive on:

  • Hand labels and algorithmic bias
  • Uninterpretable, unexplainable
  • On auditing
  • The prohibitive costs of hand labeling
  • The efficacy of automation techniques

There are no “gold labels”: even the most well-known hand-labeled datasets have label error rates of at least 5%. According to various papers, by introducing expensive hand labels sparingly into largely programmatically generated datasets, you can maximize the effort/model-accuracy tradeoff on SOTA (state of the art) architectures in a way that wouldn’t be possible with hand labels alone. Very interesting read!

[Read More]

Hardening Amazon EKS security with RBAC, secure IMDS, and audit logging

Categories

Tags infosec cio aws cloud kubernetes containers devops

Misconfigurations in infrastructure as code (IaC) can be just as dangerous as vulnerabilities in code. Small mistakes in configuration can lead to sensitive data being readable on the internet, or to private endpoints and dashboards being accessible to anonymous users and abused as the initial point of compromise. By Kamil Potrec.

Recent security research findings indicate a rise in malware targeting the Kubernetes platform, which underscores the need for secure configuration.

In this series of blog posts, we will look into the default settings used in Amazon Elastic Kubernetes Service (EKS) deployments. We will then demonstrate how small misconfigurations or unwanted side-effects may put our clusters at risk of EKS security issues.

The article covers the following:

  • What is Amazon Elastic Kubernetes Service?
  • Quick EKS deployment
  • Restricting access to Kubernetes API
  • Restrict access to the instance metadata service
  • Enable logging

Amazon Elastic Kubernetes Service is a managed Kubernetes service. AWS takes responsibility for managing the control plane components of the cluster, and the customer is responsible for managing the worker nodes and cluster resources. Good read!

[Read More]