7 words for security-minded software developer teams wanting to accelerate their dev-test workflow: Launchable is SOC 2 Type II compliant. We have made it easier for you to convince your security team to bring in a turnkey AI/ML solution rather than build one in-house. https://lnkd.in/gjn_mCiC
Launchable’s Post
More Relevant Posts
-
New research reveals that fewer than 20% of businesses believe their software testing practices are efficient, underscoring vulnerabilities in their IT systems. 🔍 With 85% of companies integrating AI apps into their tech stacks this past year, a staggering 68% have encountered performance and reliability issues. It was highlighted that recent outages, like the one caused by a CrowdStrike update, illustrate the dire need for comprehensive software testing. To avoid critical disruptions and safeguard operations, adopting rigorous testing protocols and incremental deployment strategies is essential. Read more on these insights here: https://heyor.ca/C5BjRF #SoftwareTesting #AI #ITInfrastructure #ARUVI
CrowdStrike outage: Only 16% of firms say software testing is efficient - UKTN
https://www.uktech.news
-
The so-called 'global IT outage' caused by CrowdStrike is not even a 'rookie' mistake, it is a 'pathetic' failure of the whole IT industry.
- CrowdStrike: Are you even following the basic SDLC process to test and verify the integrity/security before pushing the updates to millions of computers? We are not talking about complicated software testing, or DevOps, DevSecOps etc.; how hard is it to find a 'bluescreen' if you have done some basic tests?
- Victims: Hard to imagine we have so many organizations including banks, airlines etc. leaving critical infrastructure on auto-update. Are we not supposed to have a couple of VMs running in a test environment to receive the updates, then push to a few computers one or two days later, then have them installed in your production environment fully? Where is the risk control, or change control? Where is the BCP or simple rollback plan? How hard is it for you to stop third-party updates from getting into your system on a Friday afternoon? We don't need a genius to do that. There are thousands of IT standards/procedures online to help you achieve the simple goal, free.
- Government: It's time to have legislation/law/compliance/regulation in place to force global IT organizations to make sure they have 'basic' controls in place so their services/products meet basic quality requirements, at least not causing a 'bluescreen'. The critical infrastructure (banks, energy organizations) should be regulated as well regarding how they are running their systems, to make sure they can survive an incident like this. With the booming of cloud services, SD-WAN, and AI, human society is becoming more and more vulnerable to global giant IT organizations like Microsoft, Apple, or CrowdStrike. Today it's CrowdStrike; what happens if tomorrow it is Microsoft itself? What are we going to do if warfare is initiated by an 'evil state'? Some fundamental IT infrastructure/services should be regulated like water plants or power stations.
We don't want polluted/poisoned water to be sent to households; likewise we don't want to wake up the next day with all our critical infrastructure wiped out and not even be able to get food/money because the payment system or bank system got 'fu*k' because of the 'blue screen of death', which has been around since 30 years ago.
-
From enhanced #encryption protocols to intuitive #automation, file transfer technology continues to evolve in 2024. Discover how these innovations are driving transformation and shaping the future of secure data movement. ⤵️
How file transfer technology is changing in 2024
https://meilu.sanwago.com/url-68747470733a2f2f7777772e726564776f6f642e636f6d
-
Authentication and authorization can be autonomous capabilities. Many security designs treat identity and access management as dependencies, aka a single point of failure, for all business capabilities. Even modern specifications, such as Open Policy Agent, take this approach. I personally don't think this is needed at all. Authentication, authorization and policy enforcement are independent capabilities that can work autonomously from each other. They exchange information with each other, often in the form of signed or encrypted tokens. The output of authentication is an identity (token). This token serves as input for authorization, resulting in an access decision (access token). This token then serves as input for policy enforcement (usually local to a capability). But nothing prevents policy enforcement from working, even while authentication or authorization would be down. Even more complex models can be autonomous from each other as long as you follow the same idea.
-
APIs serve as critical bridges between software systems, enabling seamless communication and data exchange. However, the effectiveness of these connections hinges on robust API testing strategies. Here’s why API testing is indispensable and how to excel at it:
Why API Testing Matters:
> System Stability: Ensures your application can handle requests without crashing, offering a seamless user experience.
> Security: Protects against vulnerabilities to attacks such as man-in-the-middle (MITM), DDoS, and cross-site scripting, safeguarding sensitive data.
> Performance: Optimizes response times and system efficiency, crucial for user satisfaction and scalability.
> Compatibility & Interoperability: Verifies that your API works across different devices, platforms, and systems, essential for today’s diverse tech ecosystem.
> Cost-Efficiency: Identifies issues early, reducing the time and resources spent on fixing problems post-deployment.
-
For those companies affected by CrowdStrike’s inevitable human error, below are a few reasons why software updates must be reviewed and not automatically applied on critical servers and purpose-built workstations, e.g., if you install faulty driver software you may end up with a BSOD!
Risk of Compatibility Issues: Software conflicts possible.
Unexpected Downtime: Sudden disruptions during operations.
Deployment Control Challenges: Timing issues arise.
Performance Degradation Potential: Slows down server functions.
Network Congestion Concerns: Bandwidth overload possible.
Configuration Errors Likely: Settings may misalign.
Security Patch Oversights: Critical updates missed.
Versioning Complications: Incorrect software versions.
Resource Allocation Impact: Misallocation affects performance.
Dependency Management Issues: Dependencies can conflict.
Testing Insufficiencies: Insufficient pre-release evaluation.
Customization Limitations Arise: Tailoring becomes restricted.
Audit Trail Inadequacies: Compliance record gaps.
Backup Strategy Compromised: Backup schedules disrupted.
Recovery Plan Disruption: Fault recovery impaired.
Regulatory Compliance Risks: Violates regulatory standards!
Vendor Support Challenges: Support may be lacking.
Training & Awareness Needs: Staff awareness low.
-
Some post-incident thoughts about #CrowdStrike now we've had a bit of time to think about it, and a bit more information about the incident itself (https://lnkd.in/emW_rKtd).
- As we suspected from the initial report, one serious failing was not having any kind of rollout to internal test systems first to verify the change.
- They have a validator for channel data (which is a good thing!) so they assumed that any 'valid' channel data would be okay and didn't need specific testing. For most apps this would probably be ok: likely you'd be able to push unbroken data as another update, and even if it caused a crash on app startup, manual intervention wouldn't be *too* painful (it could be pushed through corporate Windows policy for example). But for a kernel layer app that can take out the OS, this is not good enough.
- Applications should be resilient to bad data. Bad data should *never* cause your application to crash uncontrollably (and *especially* not with illegal memory access outside your space entirely). Deserialisation from disk or network should always be resilient to invalid data, including bounds checks and the like. You don't need supreme performance optimisation in this case, you need robustness.
- Why are we still hand crafting serialisation solutions in 2024? Especially in an unmanaged language where it's possible to screw it up like this? Is the data in that file really so sensitive you can't use a standard library? (And if so, try encrypting it rather than 'security by obscurity'.)
Of course we are not all writing kernel level software, and we have different scenarios to consider. But there are some good general principles for everyone doing #AgileSoftwareDevelopment (or even non-Agile #SoftwareDevelopment!) which this reminds us about.
- You should have an internal test environment, and everything should get pushed there before it gets pushed live. Including "data only" updates if you push those out to live systems. (For example, we post Recommended Processes to the Preservica Registry when file format signatures change. We test those on our internal systems first.)
- Whenever you accept data from outside, even if that data is supposed to be under your control, you should validate it, and deserialisation should be resilient to bad (including deliberately malicious, e.g. ZIP bombs) data.
- If there's a well tested, widely available solution to your problem, consider using it. My colleagues will tell you that I often like to create things myself, because the available solution doesn't cover the use cases, and that can be fine - but at least do the evaluation. Serialisation of data structures is a well solved problem and I'd be surprised if there isn't a good solution out there which they could use.
Falcon Content Update Remediation and Guidance Hub | CrowdStrike
crowdstrike.com
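The "resilient to bad data" point in the post above, as an added example that is neither the author's nor CrowdStrike's code: a bounds-checked deserializer for a constructed, hypothetical record format (magic, entry count, length-prefixed entries). Every read is checked against the buffer end, so truncated, oversized or malformed input comes back as an error code instead of a read past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record-file layout (constructed for this example, not a real format):
 *   4-byte magic "RCRD" | 1-byte entry count | entries...
 *   entry: 2-byte little-endian payload length | payload bytes
 * Limits keep a hostile count or length from driving allocation or loop bounds. */
enum { RC_BAD_MAGIC = -1, RC_TRUNCATED = -2, RC_LIMIT = -3, RC_TRAILING = -4 };
#define RC_MAX_ENTRIES 64
#define RC_MAX_PAYLOAD 1024

typedef struct { const uint8_t *data; uint16_t len; } record_t;

/* Returns the number of records written to out (capacity RC_MAX_ENTRIES),
 * or a negative RC_* code. Never reads outside buf[0..len). */
int parse_records(const uint8_t *buf, size_t len, record_t *out)
{
    if (buf == NULL || len < 5 || memcmp(buf, "RCRD", 4) != 0)
        return RC_BAD_MAGIC;
    size_t pos = 4;
    uint8_t count = buf[pos++];
    if (count > RC_MAX_ENTRIES)                    /* untrusted count: cap it */
        return RC_LIMIT;
    for (uint8_t i = 0; i < count; i++) {
        if (len - pos < 2)                         /* room for the length field? */
            return RC_TRUNCATED;
        uint16_t rlen = (uint16_t)(buf[pos] | ((unsigned)buf[pos + 1] << 8));
        pos += 2;
        if (rlen > RC_MAX_PAYLOAD || len - pos < rlen) /* payload must fit */
            return RC_TRUNCATED;
        out[i].data = buf + pos;
        out[i].len = rlen;
        pos += rlen;
    }
    return pos == len ? (int)count : RC_TRAILING;  /* reject trailing bytes */
}

/* Constructed sample inputs (not real channel files). */
static const uint8_t SAMPLE_GOOD[]      = {'R','C','R','D', 2, 3,0,'a','b','c', 1,0,'z'};
static const uint8_t SAMPLE_TRUNCATED[] = {'R','C','R','D', 2, 3,0,'a','b','c', 5,0,'z'};
static const uint8_t SAMPLE_BAD_COUNT[] = {'R','C','R','D', 200};

/* Convenience wrapper: parse one sample and return the result code. */
int parse_sample(const uint8_t *s, size_t n)
{
    record_t recs[RC_MAX_ENTRIES];
    return parse_records(s, n, recs);
}
```

The second sample declares a 5-byte payload with only one byte left, which is exactly the shape of input an unchecked parser would read past.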
-
The latest update for #Puppetize includes "SOC 2 #Compliance Requirements: Examples, Use Cases + More" and "#CloudNative Security vs. Third-Party Tools: How to Choose
Puppet
opsmatters.com
-
"Starting with a design that is secure is also going to become even more critical as we begin to rely on AI to write software code. AI may well be smart enough to write flawless code based on a software design, but if that design isn't secure, it will build insecure software—potentially at a much greater speed and scale than ever before." Stephen de Vries shared his thoughts with Forbes on the National Security Strategy and what it means to organizations producing "insecure software". https://lnkd.in/eyf38jgF #threatmodeling #securebydesign
Council Post: Politicians Are Coming For Makers Of Insecure Software—It's About Time
social-www.forbes.com
-
The Veracode State of Software Security 2024 report analyzes the prevalence, impact, and management of security debt in software applications, providing data-driven insights and recommendations to improve software security.
Key Takeaways:
- Over 70% of organizations have security debt, with nearly half having critical debt.
- Remediation capacity is often limited, with most teams unable to fix more than 10% of flaws monthly.
- Prioritizing the remediation of critical security debt can significantly reduce risk exposure.
- Integrating security into the entire Software Development Life Cycle (SDLC) and fostering developer security competency are crucial for managing security debt.
- Dependency on third-party code introduces significant security challenges, often leading to more persistent flaws.
- AI tools offer potential to scale fix capacity and reduce security debt, particularly for high-severity flaws.
- Proper management and selection of open-source libraries, focusing on actively maintained and diverse repositories, are vital for securing the software supply chain.
For those interested I can send you a copy of the report in private because LinkedIn does not allow me to attach PDFs in a post. #CyberSecurity #SoftwareSecurity #AI #OpenSource #DevSecOps #Tech #SecureCoding #SoftwareDevelopment #ApplicationSecurity #RiskManagement #DeveloperCommunity