
What we need to take away from the XZ Backdoor

We might also define an “Enterprise Attack Surface” that not only consists of all systems and networks in that organization but also the exposure of third parties. This includes everyone in the enterprise “ecosystem” including major customers, vendors, and perhaps government agencies. (Recall that in the case of the Target breach, the exploit came
...
Stuart McClure • How to Measure Anything in Cybersecurity Risk
What are some ways you can mitigate this? Note, we won’t go into too much depth on this here, but some things to consider are:
• putting a governance framework around it
• having strong security processes
• developing for failure – testing to see how it can be broken and fixing during development
• checking data is encrypted in transit and at rest
• acc
instructure.com • 2.6.4 AI security and hacking
Figure 1 connects each attack class with the capabilities required to mount the attack. For instance, backdoor attacks that cause integrity violations require control of training data and testing data to insert the backdoor pattern. Backdoor attacks can also be mounted via source code control, particularly when training is outsourced to a more powe
...
Apostol Vassilev • Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations
As software engineers and architects our job is to try to use our technical and logical thinking skills to identify which is which and to challenge those that are not useful. Which activities help us to really be secure and which are outdated or simply useless “security theatre”? If we don’t do this then all security activities will be devalued and
...
Murat Erder • Continuous Architecture in Practice: Software Architecture in the Age of Agility and DevOps (Addison-Wesley Signature Series (Vernon))
Companies' cultures need to change. You need to become concerned about every new piece of software, every new connection and every new piece of data -- whether or not you're required by law to care. If some piece of software doesn't contribute to your core business, don't allow it. If some new Internet-connected service isn't part of your mission,
...