Category: Technology

Do You Know What’s in Your Supply Chain? The Case for Better Security

Do You Know What’s in Your Supply Chain? The Case for Better Security

I recently read an interesting report by CyCognito on the top 3 vulnerabilities on third-party products and it sparked my interest to reexamine the supply chain risks in software engineering. This article is an attempt at that.

The Vulnerability Trifecta in Third-Party Products

The CyCognito report identifies three critical areas where third-party products introduce significant vulnerabilities:

  1. Web Servers
    These foundational systems host countless applications but are frequently exploited due to misconfigurations or outdated software. According to the report, 34% of severe security issues are tied to web server environments like Apache, NGINX, and Microsoft IIS. Vulnerabilities like directory traversal or improper access control can serve as gateways for attackers.
  2. Cryptographic Protocols
    Secure communication relies on cryptographic protocols like TLS and HTTPS. Yet, 15% of severe vulnerabilities target these mechanisms. For instance, misconfigurations, weak ciphers, or reliance on deprecated standards expose sensitive data, with inadequate encryption ranking second on OWASP’s Top 10 security threats.
  3. Web Interfaces Handling PII
    Applications that process PII—such as invoices or financial statements—are among the most sensitive assets. Alarmingly, only half of such interfaces are protected by Web Application Firewalls (WAFs), leaving them vulnerable to injection attacks, session hijacking, or data leakage.

Beyond Web Servers: The Hidden Dependency Risks

You control your software stack, but do you actually know what runs beneath those flashy Web/Application servers?

Drawing parallels from my previous article on PyPI and NPM vulnerabilities, it’s clear that open-source dependencies amplify these threats. Attackers exploit the very trust inherent in supply chains, introducing malicious packages or exploiting insecure libraries.

For example:

  • Attackers have embedded malware into popular NPM and PyPI packages, which are then unknowingly incorporated into enterprise-grade software.
  • Dependency confusion attacks exploit naming conventions to inject malicious packages into CI/CD pipelines.

These risks share a core vulnerability with traditional third-party systems: an opaque supply chain with minimal oversight. This is compounded by the ever-decreasing cycle-times for each software releases, giving little to no time for even great Software Engineering teams to doa decent audit and look into the dependency graph of the packages they are building their new, shiny/pointy things that is to transform the world.


Why Software Supply Chain Attacks Persist

As highlighted by Scientific Computing World, software supply chain attacks persist for several reasons:

  • Aggressive GTM Timelines: Most organisations now run quarterly or even monthly product roadmaps, so it is possible to launch a new SaaS product in a matter of days to weeks by leveraging other IaaS, PaaS or SaaS systems – in addition to any Libraries, frameworks and other constructs.
  • Exponential Complexity: With organisations relying on layers of third-party and fourth-party services, the attack surface expands exponentially.
  • Insufficient Oversight: Organisations often focus on securing their environments while neglecting the vendors and libraries they depend on.
  • Lagging Standards: The industry’s inability to enforce stringent security protocols across the supply chain leaves critical gaps.
  • Sophistication of Attacks: From SolarWinds to MOVEit, attackers continually evolve, targeting blind spots in detection and remediation frameworks.

Recommended Steps to Mitigate Supply Chain Threats

To address these vulnerabilities and build resilience, organizations can take the following actionable steps:

1. Map and Assess Dependencies

  • Use tools like Dependency-Track or Sonatype Nexus to map and analyze all third-party and open-source dependencies.
  • Regularly perform software composition analysis (SCA) to detect outdated or vulnerable components.

2. Implement Zero-Trust Architecture

  • Leverage Zero-Trust frameworks like NIST 800-207 to ensure strict authentication and access controls across all systems.
  • Minimize the privileges of third-party integrations and isolate sensitive data wherever possible.

3. Strengthen Vendor Management

  • Evaluate vendor security practices using frameworks like the NCSC’s Supply Chain Security Principles or the Open Trusted Technology Provider Standard (OTTPS).
  • Demand transparency through detailed Service Level Agreements (SLAs) and regular vendor audits.

4. Prioritize Secure Development and Deployment

  • Train your development teams to follow secure coding practices like those outlined in the OWASP Secure Coding Guidelines.
  • Incorporate tools like Snyk or Checkmarx to identify vulnerabilities during the software development lifecycle.

5. Enhance Monitoring and Incident Response

  • Deploy Web Application Firewalls (WAFs) such as AWS WAF or Cloudflare to protect web interfaces.
  • Establish a robust incident response plan using guidance from the MITRE ATT&CK Framework to ensure rapid containment and mitigation.

6. Foster Collaboration

  • Work with industry peers and organizations like the Cybersecurity and Infrastructure Security Agency (CISA) to share intelligence and best practices for supply chain security.
  • Collaborate with academic institutions and research groups for cutting-edge insights into emerging threats.

7. Schedule a No-Obligation Consultation Call with Yours Truly

Struggling with supply chain vulnerabilities or need tailored solutions for your unique challenges? I offer consultation services to work directly with your CTO, Principal Architect, or Security Leadership team to:

  • Assess your systems and identify key risks.
  • Recommend actionable, budget-friendly steps for mitigation and prevention.

With years of expertise in cybersecurity and compliance, I can help streamline your approach to supply chain security without breaking the bank. Let’s collaborate to make your operations secure and resilient.

Schedule Your Free Consultation Today

Building a Resilient Supply Chain

The UK’s National Cyber Security Centre (NCSC) principles for supply chain security provide a pragmatic roadmap for businesses. Here’s how to act:

  1. Understand and Map Dependencies
    Organizations should create a detailed map of all dependencies, including direct vendors and downstream providers, to identify potential weak links.
  2. Adopt a Zero-Trust Framework
    Treat every external connection as untrusted until verified, with continuous monitoring and access restrictions.
  3. Mandate Secure Development Practices
    Encourage or require vendors to implement secure coding standards, frequent vulnerability testing, and robust update mechanisms.
  4. Regularly Audit Supply Chains
    Establish a routine audit process to assess vendor security posture and adherence to compliance requirements.
  5. Proactive Incident Response Planning
    Prepare for the inevitable by maintaining a robust incident response plan that incorporates supply chain risks.

Final Thoughts

The threat of supply chain vulnerabilities is no longer hypothetical—it’s happening now. With reports like CyCognito’s, research into dependency management, and frameworks provided by trusted institutions, businesses have the tools to mitigate risks. However, this requires vigilance, collaboration, and a willingness to rethink traditional approaches to third-party management.

Organisations must act not only to safeguard their operations but also to preserve trust in an increasingly interconnected world. 

Is your supply chain ready to withstand the next wave of attacks?


References and Further Reading

  1. Report Shows the Threat of Supply Chain Vulnerabilities from Third-Party Products – CyCognito
  2. Hidden Threats in PyPI and NPM: What You Need to Know
  3. Why Software Supply Chain Attacks Persist – Scientific Computing World
  4. Principles of Supply Chain Security – NCSC
  5. CyCognito Report Exposes Rising Software Supply Chain Threats

What’s your strategy for managing third-party risks? Share your thoughts in the comments!

How Top Universities Fuel Startups with Venture Capital

How Top Universities Fuel Startups with Venture Capital

Top Universities Driving Global Startups Through Venture Capital: A Data-Backed Overview

Universities play a pivotal role in nurturing talent and fostering innovation, and the success of alumni-founded startups is a testament to the entrepreneurial culture present in these institutions. A recent analysis of venture capital funding across top universities reveals the strong influence of academic ecosystems on startup success. This article dives into the top 50 universities based on the venture capital raised by their alumni, explores key geographical trends, highlights key sectors, and references publicly available data to give a comprehensive view.

The Global Leaders: U.S. Universities Dominate the Startup Landscape

Key Statistics (U.S.):

  • Total Dollars Raised: $194 billion
  • Number of Companies Founded: 4,000+
  • Key Sectors: Technology, Healthcare, FinTech, SaaS, AI

According to Crunchbase and PitchBook data, U.S. universities such as Stanford University, Harvard University, and the University of California, Berkeley lead the pack in terms of venture capital raised and the number of companies founded. These institutions have produced successful ventures in technology, artificial intelligence, and SaaS (Software as a Service). Stanford’s proximity to Silicon Valley has helped drive the innovation boom, particularly in tech startups.

Some of the most notable startups originating from these institutions include:

  • Stanford University: Renowned for its close ties to Silicon Valley, Stanford is the birthplace of giants like Google (founded by Larry Page and Sergey Brin), Yahoo (founded by Jerry Yang and David Filo), and WhatsApp (co-founded by Brian Acton).
  • Harvard University: With alumni like Mark Zuckerberg (co-founder of Facebook) and Bill Gates (co-founder of Microsoft), Harvard is a key player in tech, biotech, and healthcare sectors. Startups like Cloudflare (founded by Matthew Prince) also emerged from Harvard.

Europe: A Growing Hub for Innovation

Key Statistics (Europe):

  • Total Dollars Raised: $23 billion
  • Number of Companies Founded: 500+
  • Key Sectors: FinTech, Healthcare, DeepTech, Renewable Energy

Europe has seen rapid growth in FinTech, deep tech, and renewable energy sectors. INSEAD and Cambridge University stand out as key contributors to the startup ecosystem. According to Dealroom.co, FinTech is particularly dominant, with startups like Revolut and TransferWise leading the way.

INSEAD alumni have raised over $23 billion, with many startups thriving in FinTech and consulting sectors. A standout example is BlaBlaCar, a ridesharing platform co-founded by Frédéric Mazzella that has transformed travel across Europe by offering affordable long-distance ride-sharing options.

University of Cambridge has contributed significantly to deep tech and healthcare innovations, producing companies like Arm Holdings, the semiconductor giant. Mike Lynch, founder of Autonomy, is another Cambridge alumnus who has disrupted the tech industry.

Asia: A Rising Force in the Startup World

Key Statistics (Asia):

  • Total Dollars Raised: $15 billion
  • Number of Companies Founded: 1,200+
  • Key Sectors: Technology, Biotech, E-commerce, Mobility

Asia, led by universities like the National University of Singapore (NUS) and Tsinghua University, is rapidly becoming a hotbed for biotech, e-commerce, and mobility startups. NUS has seen its alumni raise billions in venture capital, particularly in the tech sector. According to TechInAsia, NUS-produced startups like Grab, co-founded by Anthony Tan and Tan Hooi Ling, have dominated the Southeast Asian ride-hailing market.

In China, Tsinghua University has been integral in fostering technological advancements, with alumni like Charles Zhang, founder of Sohu, shaping the Chinese tech landscape. The university has become synonymous with engineering and tech entrepreneurship.

Startups in India: The IIT Ecosystem

Key Statistics (India):

  • Total Dollars Raised: $10 billion
  • Number of Companies Founded: 800+
  • Key Sectors: E-commerce, FinTech, SaaS, Mobility

The Indian Institutes of Technology (IITs), particularly IIT Bombay and IIT Delhi, are pivotal in India’s e-commerce, FinTech, and mobility sectors. According to Inc42, startups like Flipkart (co-founded by Sachin Bansal and Binny Bansal, both IIT Delhi graduates) and Zomato (Founded by Deepinder Goyal, IIT Delhi) are reshaping the Indian market and attracting substantial venture capital.

Israel: A Thriving Startup Nation

Key Statistics (Israel):

  • Total Dollars Raised: $8 billion
  • Number of Companies Founded: 600+
  • Key Sectors: Cybersecurity, AI, FinTech, Defense Tech

Israel, often referred to as the Startup Nation, has made a name for itself with innovation in cybersecurity and AI. Universities like the Hebrew University of Jerusalem and the Technion – Israel Institute of Technology have been critical in producing world-class startups. For instance, Waze, the navigation app acquired by Google, was co-founded by Ehud Shabtai, an alumnus of Tel Aviv University. The country’s deep focus on cybersecurity is also reflected in companies like Check Point Software Technologies, founded by Gil Shwed, a Technion graduate.

South Africa: Emerging in FinTech and E-commerce

Key Statistics (South Africa):

  • Total Dollars Raised: $3 billion
  • Number of Companies Founded: 150+
  • Key Sectors: FinTech, E-commerce, Agriculture

While South Africa may not boast the same number of startups as Silicon Valley, it has a growing presence in FinTech and e-commerce. Universities like the University of Cape Town have played a significant role in this growth. One notable company is Yoco, a FinTech startup co-founded by Katlego Maphai, which provides payment solutions for small businesses across Africa. South Africa is also a key player in agri-tech, with startups focusing on modernizing the agricultural supply chain.

South America: A Rising Contender in E-commerce and FinTech

Key Statistics (South America):

  • Total Dollars Raised: $5 billion
  • Number of Companies Founded: 500+
  • Key Sectors: E-commerce, FinTech, PropTech

South America, particularly Brazil and Argentina, has seen a significant rise in e-commerce and FinTech startups. Universities like Universidade de São Paulo and Universidad de Buenos Aires have contributed to this burgeoning ecosystem. Companies like MercadoLibre, co-founded by Marcos Galperin (Universidad de Buenos Aires alumnus), are leading the e-commerce revolution in the region, while Nubank, a FinTech unicorn co-founded by David Vélez, is transforming banking in Latin America.

Why Are These Regions Underrepresented in the Data?

While regions like Israel, South Africa, and South America are seeing growth in venture capital-backed startups, the numbers are still significantly smaller compared to the U.S. and Europe. This can be attributed to a smaller pool of venture capital available, fewer universities with established entrepreneurial ecosystems, and the nascent state of the venture capital markets in these regions. However, they are catching up quickly, and with increasing global attention, these regions are likely to play a larger role in the global startup ecosystem in the coming years.

Conclusion

The data paints a clear picture of the crucial role universities play in fostering entrepreneurship and innovation globally. While U.S. institutions like Stanford and Harvard continue to dominate the startup landscape, the rise of universities in Europe, Asia, and emerging regions such as Israel and South America signals a significant shift toward a more diversified and competitive global startup ecosystem. This is no longer just a Silicon Valley story.

European universities are making strides in deep tech and FinTech, while Asian institutions are positioning themselves at the forefront of sectors like e-commerce, mobility, and biotech. These regions, once considered underrepresented in venture capital, are rapidly scaling their entrepreneurial impact, thanks to increasingly robust academic ecosystems, governmental support, and access to global venture networks.

However, as these newer hubs mature, it becomes clear that the presence of an established entrepreneurial culture, combined with strong alumni networks and well-supported innovation hubs, is key to sustaining long-term growth. For universities aspiring to drive the next generation of unicorns, investing in interdisciplinary research, fostering global collaborations, and creating pipelines between academia and industry will be critical in the years ahead.

The entrepreneurial landscape is rapidly evolving, and universities that align themselves with this shift will not only fuel economic growth but will also shape the future of technology, healthcare, and innovation on a global scale. As venture capital continues to flow into emerging markets, the next wave of disruptive startups may very well come from unexpected regions, further diversifying the global innovation economy.

References:

  1. CrunchbaseCrunchbase Venture Capital Database
    Crunchbase is a comprehensive database of startup companies, venture capital firms, and funding rounds, offering insights into global startup ecosystems and venture trends.
  2. PitchBookPitchBook Data
    PitchBook provides detailed reports on venture capital, private equity, and mergers & acquisitions, offering in-depth insights into sector-specific funding and university-driven startups.
  3. Dealroom.coDealroom European Startup Data
    Dealroom is a leading platform for discovering startups, scale-ups, and investment trends, particularly in the European startup ecosystem.
  4. TechInAsiaTech in Asia Startup Data
    A platform dedicated to startup news and insights from Asia, providing information about venture capital, company profiles, and technology trends across the region.
  5. Inc42Inc42 Indian Startup Ecosystem
    Inc42 is a leading source for insights on the Indian startup ecosystem, offering reports on funding, growth trends, and key sectors like FinTech, SaaS, and E-commerce.
  6. CB InsightsCB Insights Global Venture Capital
    CB Insights is a market intelligence platform that tracks venture capital investments, industry insights, and emerging trends, providing data-driven analysis on startups and sectors.
  7. NASSCOMIndian Tech Startup Ecosystem Report
    NASSCOM publishes reports on India’s growing startup ecosystem, covering key sectors, venture capital inflows, and the impact of technology-driven ventures.
  8. TechCrunchTechCrunch Global Startup News
    A leading news outlet for global startup and venture capital news, TechCrunch reports on funding rounds, sector trends, and university-linked startup initiatives.

Further Reading:

  1. “The Startup Playbook: Secrets of the Fastest-Growing Startups from Their Founding Entrepreneurs” by David Kidder
    This book provides insights into how successful entrepreneurs built their startups from scratch, with lessons applicable to university-driven ventures.
  2. “The Lean Startup: How Today’s Entrepreneurs Use Continuous Innovation to Create Radically Successful Businesses” by Eric Ries
    A fundamental resource for aspiring entrepreneurs, this book explains how to develop successful startups using the Lean methodology, which has been widely adopted by university-driven startups.
  3. “Zero to One: Notes on Startups, or How to Build the Future” by Peter Thiel and Blake Masters
    Peter Thiel’s insights as a co-founder of PayPal and an investor in numerous startups, including Facebook, provide valuable lessons on startup growth and innovation.
  4. “Blitzscaling: The Lightning-Fast Path to Building Massively Valuable Companies” by Reid Hoffman
    This book by LinkedIn co-founder Reid Hoffman focuses on the strategy of rapidly scaling companies, a key concept for university startups aiming for exponential growth.
  5. “Startup Nation: The Story of Israel’s Economic Miracle” by Dan Senor and Saul Singer
    This book dives deep into how Israel became a global leader in innovation, especially in sectors like cybersecurity and defense technology, driven by university programs.
  6. Global Startup Ecosystem Report (GSER) by Startup Genome
    This annual report highlights trends in global startup ecosystems, including the role universities play in driving innovation and venture capital flows.
  7. McKinsey & Company – Venture Capital’s Role in Innovation
    McKinsey’s reports provide a comprehensive overview of how venture capital supports startups and fosters innovation, with special focus on key regions like the US, Europe, and Asia.
Inside the Palantir Mafia: Secrets to Succeeding in the Tech Industry

Inside the Palantir Mafia: Secrets to Succeeding in the Tech Industry

In the world of technology, engineers are not just cogs in a machine; they are the builders, the dreamers, and the ones who solve the problems they see in the world. And sometimes, those solutions turn into billion-dollar businesses. This is the story of the “Palantir Mafia,” a group of former Palantir employees who have left the data analytics giant to found their own startups, just like the famed “PayPal Mafia” that produced companies like SpaceX, YouTube, LinkedIn, Palantir Technologies, Affirm, Slide, Kiva, and Yelp.

1. Introducing the Amazing People from Palantir

The “Palantir Mafia,” akin to the renowned “PayPal Mafia,” comprises former Palantir engineers and executives who left to tackle meaningful problems with technological innovation, creating substantial impact and wealth. Unlike ex-consultants from firms like McKinsey, BCG, or Bain, these tech leaders leverage their deep technical expertise to solve complex issues directly, resulting in profound advancements and successful ventures.

Key Figures and Their Ventures

  1. Alex Karp – Palantir Technologies
    • Former Role: Co-Founder and CEO
    • Company: Palantir Technologies
    • Focus: Data analytics
    • Market Penetration: Widely used across government and commercial sectors
    • Revenue: $1.5 billion annually
    • Capital Raised: $3 billion​ (Wikipedia)​​ (Business Insider)​
  2. Max Levchin – Affirm
    • Former Role: Co-Founder (PayPal, associated with Palantir founders)
    • Company: Affirm
    • Focus: Buy now, pay later financial services
    • Market Penetration: Significant presence in the consumer finance market
    • Revenue: $870 million in fiscal 2021
    • Capital Raised: $1.5 billion
  3. Joe Lonsdale – 8VC
    • Former Role: Co-Founder
    • Company: 8VC
    • Focus: Venture capital firm
    • Market Penetration: Diverse portfolio, influential in tech sectors
    • Assets Under Management: $3.6 billion
  4. Palmer Luckey – Anduril Industries ( could be the blue blooded Musk of 2020-2030s)
    • Former Role: Founder of Oculus VR, associated with Palantir through ventures
    • Company: Anduril Industries
    • Focus: Defense technology
    • Innovation: Developed the Lattice AI platform for autonomous border surveillance and defense applications
    • Market Penetration: Contracts with U.S. Department of Defense and border security agencies
    • Revenue: $200 million annually
    • Capital Raised: $700 million
  5. Garrett Smallwood – Wag!
    • Former Role: Executive roles at other startups before Wag!
    • Company: Wag!
    • Focus: On-demand pet care services
    • Market Penetration: Operates in over 100 cities
    • Revenue: $100 million annually
    • Capital Raised: $361.5 million
  6. Nima Ghamsari – Blend
    • Former Role: Product Manager at Palantir
    • Company: Blend
    • Focus: Mortgage and lending software
    • Market Penetration: Partners with major financial institutions
    • Revenue: Estimated $100 million+ annually
    • Capital Raised: $665 million
  7. Stephen Cohen – Quantifind
    • Former Role: Co-Founder of Palantir
    • Company: Quantifind
    • Focus: Risk and fraud detection using data science
    • Market Penetration: Used by financial services and government sectors
    • Capital Raised: $8.7 million
  8. Vibhu Norby – B8ta
    • Former Role: Engineer at Palantir
    • Company: B8ta
    • Focus: Retail-as-a-service platform
    • Market Penetration: Transforming in-store retail experiences
    • Capital Raised: $113 million
  9. Joe Lonsdale – Addepar
    • Former Role: Co-Founder of Palantir
    • Company: Addepar
    • Focus: Wealth management technology
    • Market Penetration: Manages over $2 trillion in assets
    • Capital Raised: $325 million
  10. Raman Narayanan – SigOpt
    • Former Role: Data Scientist at Palantir
    • Company: SigOpt (acquired by Intel)
    • Focus: Machine learning optimization
    • Market Penetration: Utilized by top tech companies
    • Capital Raised: $8.7 million (before acquisition)

2. Engineers Make Better Founders in the Tech Industry

Unlike ex-consultants from big 3 who may excel in strategy and communication but often lack the technical depth to truly understand the intricacies of building a tech product, these ex-Palantir engineers come armed with both the vision and the technical chops to bring their ideas to life. They’ve spent years wrestling with complex data problems at Palantir, and they’re now taking those hard-won lessons to solve new challenges across a wide range of industries.

Engineers bring a problem-solving mindset that focuses on creating practical, scalable solutions. This technical acumen has allowed former Palantir employees to launch transformative companies that push the boundaries of what’s possible in various industries.

3. Market Penetration and Success of Palantir Alumni

The success of these Palantir alumni is evident through their market penetration and revenue. For instance, Palantir Technologies itself is a major player in the data analytics field, with a revenue of $1.5 billion annually. Affirm, led by Max Levchin, has made significant inroads in the consumer finance market, generating $870 million in revenue in fiscal 2021. Anduril Industries, founded by Palmer Luckey, has secured substantial contracts with the U.S. Department of Defense, contributing to its $200 million annual revenue.

Other successful ventures include Blend, with its deep partnerships with major financial institutions, and Addepar, managing over $2 trillion in assets. These companies not only showcase the technical expertise of their founders but also highlight their ability to penetrate markets and achieve substantial financial success.

4. Engineers vs. Consultants: A Compelling Argument

The technical depth and problem-solving mindset of engineers make them particularly suited for founding and leading tech startups. Their ability to directly tackle complex problems contrasts with the approach of ex-consultants from firms like McKinsey, BCG, or Bain, who often focus more on financial and operational efficiencies.

While consultants excel in operations-heavy startups, where strategic planning, financial management, and operational efficiency are paramount, engineers thrive in tech startups that require innovative solutions and deep technical expertise. The success stories of the Palantir alumni underscore this distinction, demonstrating how their engineering backgrounds have enabled them to drive significant technological advancements and build successful companies.

Conclusion

The Palantir Mafia’s engineers have leveraged their technical expertise to create innovative solutions and successful ventures, driving significant impact across various industries. Their ability to tackle complex problems directly contrasts with the approach of ex-consultants from firms like McKinsey, BCG, or Bain, who often focus more on financial and operational efficiencies. This technical depth has enabled these former Palantir employees to become influential leaders, pushing the boundaries of technology and innovation.

References & Further Reading:

  1. https://www.getpin.xyz/post/the-palantir-mafia
  2. https://www.8vc.com/resources/silicon-valleys-newest-mafia-the-palantir-pack
  3. https://www.youtube.com/watch?v=a_nO6RW7ddQ
  4. https://www.businessinsider.in/the-life-and-career-of-alex-karp-the-billionaire-ceo-whos-taking-palantir-public-in-what-could-be-one-of-the-biggest-tech-ipos-of-the-year/articleshow/78198300.cms
  5. https://en.wikipedia.org/wiki/Alex_Karp
Understanding The Implications Of The Data Breaches At Microsoft.

Understanding The Implications Of The Data Breaches At Microsoft.

Note: I started this article last weekend to try and explain the attack path  “Midnight Blizzard” used and what Azure admins should do to protect themselves from a similar attack. Unfortunately, I couldn't complete/publish it in time and now there is another breach at Microsoft. (🤦🏿) Now, I had to completely redraft it and change the focus to a summary of data breaches at Microsoft and a walkthrough on the current breach. I will publish the Midnight Blizzard defence later this week.
Microsoft Data Breach

The Timeline of the Breaches

  • 20th-25th September 2023: 60k State Department Emails Stolen in Microsoft Breach
  • 12th-25th January 2024: Microsoft breached by “Nation-State Actors”
  • 11th-14th February 2024: State-backed APTs are weaponising OpenAI models 
  • 16th-19th February 2024: Microsoft admits to security issues with Azure and Exchange servers.
Date/MonthBreach TypeAffected Service/AreaSource
February 2024Zero-day vulnerabilities in Exchange serversExchange serversMicrosoft Security Response Center blog
January 2024Nation State-sponsored attack (Russia)Email accountsMicrosoft Security Response Center blog
February 2024State-backed APTs are weaponising OpenAI modelsNot directly impacting MS services
July 2023Chinese Hackers Breach U.S. Agencies Via Microsoft CloudAzureThe New York Times, Microsoft Security Response Center blog
October 2022BlueBleed Data Leak, 0.5 Million user data leakedUser Data
December 2021Lapsus$ intrusionSource code (Bing, Cortana)The Guardian, Reuters
August 2021Hafnium attacks Exchange serversExchange serversMicrosoft Security Response Center blog
March 2021SolarWinds supply chain attackVarious Microsoft products (indirectly affected)The New York Times, Reuters
January 2020Misconfigured customer support databaseCustomer data (names, email addresses)ZDNet
This is a high-level summary of breaches and successful hacks that got reported in the public domain and picked up by tier 1 publications. There are at least a dozen more in the period, some are of negligible impact, and others are less probable

Introduction:

Today, The digital landscape is a battlefield, and even tech giants like Microsoft aren’t immune to cyberattacks. Understanding recent breaches/incidents and their root causes, and effective defence strategies is crucial for Infosec/IT and DevSecOp teams navigating this ever-evolving threat landscape. This blog post dives into the security incidents affecting Microsoft, analyzes potential attack paths, and equips you with actionable defence plans to fortify your infrastructure/network.

Selected Breaches:

  • January 2024: State actors, purported to be affiliated with Russia leveraged password spraying and compromised email accounts, including those of senior leadership. This highlights the vulnerability of weak passwords and the critical need for multi-factor authentication (MFA).
  • January 2024: Zero-day vulnerabilities in Exchange servers allowed attackers to escalate privileges. This emphasizes the importance of regular patching and prompt updates to address vulnerabilities before they’re exploited.
  • December 2021: Lapsus$ group gained access to source code due to misconfigured access controls. This underscores the importance of least-privilege access and regularly reviewed security configurations.
  • Other incidents: Supply chain attacks (SolarWinds, March 2021) and data leaks (customer database, January 2020) demonstrate the diverse threats organizations face.

Attack Paths:

Understanding attacker motivations and methods is key to building effective defences. Here are common attack paths:

  • Social Engineering: Phishing emails and deceptive tactics trick users into revealing sensitive information or clicking malicious links.
  • Software Vulnerabilities: Unpatched software with known vulnerabilities offers attackers an easy entry point.
  • Weak Passwords: Simple passwords are easily cracked, granting access to accounts and systems.
  • Misconfigured Access Controls: Overly permissive access rules give attackers more power than necessary to escalate privileges and cause damage.
  • Supply Chain Attacks: Compromising a vendor or partner can grant attackers access to multiple organizations within the supply chain.

Defence Plans:

Building a robust defense requires a multi-layered approach:

  • Patch Management: Prioritize timely patching of vulnerabilities across all systems and software.
  • Strong Passwords & MFA: Implement strong password policies and enforce MFA for all accounts.
  • Access Control Management: Implement least privilege access and regularly review configurations.
  • Security Awareness Training: Educate employees on phishing, social engineering, and secure password practices.
  • Threat Detection & Response: Deploy security tools to monitor systems for suspicious activity and respond promptly to incidents.
  • Incident Response Planning: Develop and test a plan to mitigate damage, contain breaches, and recover quickly.
  • Penetration Testing: Regularly test your defenses by simulating real-world attacks to identify and fix vulnerabilities before attackers do.
  • Network Segmentation: Segment your network to limit the potential impact of a breach by restricting access to critical systems.
  • Data Backups & Disaster Recovery: Regularly back up data and have a plan to restore it in case of an attack or outage.
  • Stay Informed: Keep up-to-date on the latest security threats and vulnerabilities by subscribing to security advisories and attending industry conferences.

Conclusion:

Cybersecurity is an ongoing battle, but by understanding the tactics employed by attackers and implementing these defence strategies, IT/DevOps admins can significantly reduce the risk of breaches and protect their networks and data. Remember, vigilance and continuous improvement are key to staying ahead of the curve in the ever-evolving cybersecurity landscape.

Disclaimer: This blog post is for informational purposes only and should not be considered professional security advice. Please consult with a qualified security professional for guidance specific to your organization or mail me for an obligation free consultation call.

References and Further Reading:

How to Manage Technical Debt in 2023: A Guide for Leadership

How to Manage Technical Debt in 2023: A Guide for Leadership

In this article, I will summarise effective strategies and best practices to tackle tech debt head-on.

Technical debt is an inevitable reality in software development. But, it can be leveraged just like a financial loan/debt can help you achieve your goals, if managed properly.
It can be used to drive competitive advantage by allowing companies to launch new products and features faster, experiment with new technologies, and improve the scalability and performance of their systems. However, like all loans, it need to be “Repaid” properly and at the right time, failing on it will create a downward spiral.

If you’re not careful, technical debt can quickly become a major burden that slows down development and makes it difficult to add new features or even fix bugs in a timely manner.

We will discuss how to identify technical debt and the signs of poorly managed debt, and then provide a strategy for reducing it. We will also discuss what a healthy level of technical debt looks like and how leaders can use it to their advantage.

Good Tech Debt Vs Bad Tech Debt

Robert Kiyosaki, the author of Rich Dad Poor Dad, famously said:

Bad debt takes money out of your pocket, while good debt puts money in your pocket.

– Robert Kiyosaki

The same is true of tech debt.

Technical debt is the cost of not doing things the right way the first time. Good technical debt is accrued when you make trade-offs to meet deadlines or deliver new features quickly. Bad technical debt is accrued when you make poor decisions or cut corners.

Bad tech debt will probably make your PMs, Sales and CEO happy for a quarter or two. But after that, they will be asking why everything is behind schedule and dealing with customer complaints because things aren’t working properly.

Now that I have presented the obvious in a familiar “Quadrant”, you can actually skip the terminologies and definitions part of this article! 😀

For my verbal brethren, Which is the Tech Debt you’d need to ruthlessly hunt down to extinction? Obviously, it is the untracked, undocumented ones. And the ones which are dragging your team on a downward spiral (immaterial of whether it is tracked or not)

Why does your Tech Debt keep accumulating?

Before we can think about building a strategy to solve tech debt, we need to understand how it gets out of control in the first place.

It’s called “impact visibility”.

Fixing code debt issues is impossible if:

1, You’ve no record of what technical debt issues you have

2, You’ve got a backlog, but you can’t see which issues are related to what code

In both cases, you can’t prioritise tech debt over shipping new features.

We need to get more granular about what impacts these two tech debt cases above.

  • Issue invisibility — There’s no source of shared knowledge. Codebase health info is locked in (few) engineers’ heads.
  • No code quality culture — Shipping fast, whatever the cost, like it’s going out of fashion.
  • Poor process — Tech debt work sucks. Nobody likes creating Jira tickets. “Jira” has become a dirty word.
  • Low-time investment — Justifying the time to fix tech debt or to refactor is a constant uphill battle. After a point, engineers become silent!

Lack of context — Issues in Jira are a world away from the hard reality of the codebase. They’re not related in any way.

So what’s the source of this? Let’s talk strategy.

Spoiler… It’s about changing organisational culture and developer behaviour to track issues properly.

Creating a strategy to reduce technical debt

Track. Issues. Properly.

Good tech debt management starts with team-wide excellence at tracking issues.

You can’t have a tech debt strategy without tracking.

The engineering leader’s job is to make that “issue tracking” easy for your team. There is supposed to be a software for that – Jira, Asana, Rally or something of that sort.

The problem is, I’ve never believed they really get to the bottom of the problem, and after speaking with scores of engineers and leaders about it, they usually don’t either. My personal belief is most companies suffer on the velocity after their Jira rollout! It is a bit like,

No two countries that both have a McDonald’s have ever fought a war against each other.

Thomas L. Friedman – in The Lexus and the Olive Tree!

As a leader, You need to find a way to…

  • Show engineers when they’re working on code with tech debt, without them having to jump thru 3 hoops.
  • Make it really easy for team members to report tech debt.
  • Create a natural way to discuss codebase issues.
  • Integrate tech debt work into your workflows and involve PMs if required.

There are multiple ways to achieve this, the easiest is to not address it. Ie: not address it intentionally, just tweak your existing pipeline. This can be done by,

  • A very robust linting & integration to the IDE
  • Tighter Git rules for commits
  • SAST which runs on the pipeline
  • and can feed into the IDE

Prioritising impactful tech debt

At this point, it should be obvious, but prioritising the right issues is only possible if you’re tracking the impact of these “issues” and it could be direct or indirect (Dependency, Sequencing, Rework avoidance etc) .

Once you’ve got them, you should regularly and consistently use them to decide what to address. This usually happens during the backlog grooming or sprint planning sessions. But, this decision-making process needs to be strategic. Not at all tactical, ie: DO NOT delegate it to the whims and whimsicals of your TL/PM or even EM.

You or someone with a context of the organisation and position on sales, clients, revenue etc., should be doing this.

A good way to start is by choosing a theme each time you prioritise issues. For example, you could prioritise issues that…

  • Are impacting a specific feature you need to work on in the next quarter
  • Are impacting the customer’s UX
  • Are affecting efficiency/morale on the team
  • Are impacting the security posture

This is often straightforward if you’ve got high-quality issues that traceable to code and tagged as such.

Most people wonder how to get the time for these “Tasks”. I have two recommendations.

  • Take an entire sprint every quarter to repay the tech debt (Will need high-level buy-in, It is slightly harder to align your CXOs)
  • Allocate 15-20% of bandwidth in every sprint. (Easier to achieve buy-in from CXOs, harder to drive with engineers)

Engineers generally won’t prioritise tech debt work by themselves because of the conflict of interest/pressure of shipping fast. This was evident from multiple high velocity/impact software engineering teams including ones at AirBnb, Netflix and Spotify. A commitment to code refactoring and maintenance work should be endorsed and supported from the top and reinforced regularly.

How much Tech Debt can you take on?

Managing technical debt is like managing financial debt. You can use it to your advantage, but you need to be careful not to let it get out of control.

Your technical debt budget is the amount of technical debt that you are willing to take on in order to achieve your business goals. You should not try to solve all of your technical debt at once, but instead focus on the most important items.

Prudent technical debt is debt that you take on deliberately and knowingly, in order to achieve a specific goal. For example, you might take on technical debt to launch a new product quickly, or to add a new feature that is in high demand by your customers.

If you manage your technical debt properly, it can be a powerful tool for gaining a competitive advantage. However, if you let your technical debt get out of control, it can lead to serious problems, such as increased costs, delays, and security vulnerabilities.

Concluding remarks:

Technical debt is one of the most neglected areas of software development. It is often only given priority when it is too late and has already caused serious problems.

However, when leaders work together and develop a consistent and process-driven strategy, technical debt can be effectively managed.

The best engineering teams are constantly thinking about how to use their technical debt budget to their advantage.

References and Further Reading:

Can ChatGPT accelerate No-Ops to Replace DevOps in EarlyStage Startups?

Can ChatGPT accelerate No-Ops to Replace DevOps in EarlyStage Startups?

Background: I work with multiple CTOs and Heads of Engineering of early-stage startups to help them set up their engineering orgs, review their product architecture, help them prioritise their hiring etc. I also help multiple engineering leaders via Plato. Recently, there have been too many questions on whether can I use ChatGPT for this or that, but the most interesting one among these is “Can ChatGPT accelerate No-Ops to Replace DevOps?”. I have answered that multiple times in verbatim. But thought that writing it down will help me with two things, I can point them to the URL and I can also clearly structure my thoughts on this. So this is an attempt at that.  

Glossary First:

DevOps:

For the uninitiated, DevOps is a software development methodology that emphasizes collaboration and communication between developers and operations teams. The goal of DevOps is to increase the speed and quality of software delivery while reducing errors and downtime. DevOps engineers are responsible for the design, development, and delivery of software applications, as well as the management and maintenance of the underlying infrastructure including the pipelines, quality assurance automation etc.

No-ops:

No-ops, on the other hand, is a philosophy that aims to automate and simplify the operations side of software development. The goal of no-ops is to eliminate the need for manual intervention in the deployment and maintenance of applications, freeing up time for developers to focus on creating new features and fixing bugs.

ChatGPT:

ChatGPT is a language model developed by OpenAI that has the potential to revolutionize the way we interact with technology. It can perform a wide range of tasks, from answering questions to generating text and even a rudimentary bit of coding. In the context of DevOps, ChatGPT could be used to automate many of the manual tasks that DevOps engineers currently perform, such as infrastructure management, deployment, and monitoring.

Now, The question: Can ChatGPT accelerate No-Ops to Replace DevOps?

ChatGPT (or any of the other generative AIs)  has the potential to automate many of the manual tasks performed by DevOps teams, it could potentially replace the most mundane tasks that DevOps perform pretty soon. So, before writing this piece, I wanted to actually put my understanding to test.

I had to use Bard for this experiment, but I do not think there is going to be much of a difference in the outcomes.

Experiment 1: Beginner-Level Task

Writing a simple Autoscaling script to scale as per CPU and memory utilisation.

Simple AutoScaling Script, written by Bard

Experiment 2: Intermediate-Level Task

Creation of a new VPC with 3 autoscaling groups of EC2 and 1 NAT gateway and VPC peering.

Results were mixed.

Though Bard did give information that this can be tweaked, there was one major gap between the ask and the outcome. The NAT gateway was supposed to be the single point of ingress/egress, whereas the script is entirely different.

Assume an early-stage startup that gets used to the early success of Generative AI to preempt the DevOps culture, at some point the AI won’t have the context of what all is in your infrastructure and you could end up misfiring things.

My submission is, ChatGPT or Bard or any Generative can be super helpful for a good DevOps engineer and cannot replace her/him anytime soon. In military parlance, certain materiels are termed Force Multipliers. But, they themselves cannot be the force! (Aircraft carriers or Tanker aircraft are the prime example)

Why do I believe so?

There are several reasons for this:

  1. Human creativity: Despite its advanced capabilities, ChatGPT is just another AI model and lacks the creativity and innovation that a human DevOps engineer brings to the table. DevOps engineers can think outside the box and find new and innovative solutions to “Business” problems, whereas ChatGPT operates within the constraints of its programming and is simply solving the “Constraints” for that technical problem. 
  2. Human oversight: While ChatGPT can automate many tasks, it still requires human oversight to ensure that everything is running smoothly. DevOps play a crucial role in monitoring and troubleshooting any issues that may arise during the deployment and maintenance of applications.
  3. Complexity: Many DevOps tasks are complex (or at the very least, the DevOps teams would want us to believe that) and require a deep understanding of the underlying infrastructure and applications. ChatGPT does not yet have the capability to perform these tasks at the same level of expertise as a human.
  4. Customization: Every organization has unique requirements for its development and deployment process. ChatGPT may not be able to accommodate these specific needs, whereas DevOps engineers can tailor the process to meet the non-stated requirements and organisational and platform context
  5. Responsibility: DevOps engineers are ultimately responsible for ensuring the success of the development and deployment process. While ChatGPT can assist in automating tasks, it is not capable of assuming full responsibility for the outcome.

In conclusion, while ChatGPT has the potential to automate many manual tasks performed by DevOps engineers, it is unlikely to replace DevOps entirely in the near future. The role of DevOps will continue to be important in ensuring the smooth deployment and maintenance of software applications, while ChatGPT can assist in automating certain tasks and increasing efficiency. Ultimately, the goal of both DevOps and no-ops is to increase the speed and quality of software delivery, and the use of ChatGPT in DevOps can play a significant role in achieving this goal.

References:

https://humanitec.com/whitepapers/devops-benchmarking-study-2023

Is NoOps the End of DevOps?

Is NoOps the End of DevOps?

Some say that NoOps is the end of DevOps. Is that really true? If you need to answer this question, you must first understand NoOps better.

Things are moving at warp speed in the field of software development. You can subscribe to almost anything “as a service” be it storage, network, computing, or security. Cloud providers are also increasingly investing in their automation ecosystem. This leads us to NoOps, where you wouldn’t require an operations team to manage the lifecycle of your apps, because everything would be automated.

Picture Courtesy: GitHub Blog

You can use automation templates to provision your app components and automate component management, including provisioning, orchestration, deployments, maintenance, upgradation, patching and anything in between meaning significantly less overhead for you and minimal to no human interference. Does this sound wonderful? 

But is this a wise choice, and what are some advantages and challenges to implementing it?

Find out the answers to these questions, including whether NoOps is DevOps’s end in this article.

NoOps — Is It a Wise Choice?

You already know that DevOps aims to make app deployments faster and smoother, focusing on continuous improvement. NoOps — no operations — a term coined by Mike Gualtieri at Forrester, has the same goal at its core but without operations professionals!

In an ideal NoOps scenario, a developer never has to collaborate with a member of the operations team. Instead, NoOps uses serverless and PaaS to get the resources they need when they need them. This means that you can use a set of services and tools to securely deploy the required cloud components (including the infrastructure and code). Additionally, NoOps leverages a CI/CD pipeline for deployment. What is more, Ops teams are incredibly effective with data-related tasks, seeing data collection, analysis, and storage as a crucial part of their functions. However, keep in mind that you can automate most of your data collection tasks, but you can’t always get the same level of insights from automating this analysis.

Essentially, NoOps can act as a self-service model where a cloud provider becomes your ops department, automating the underlying infrastructure layer and removing the need for a team to manage it.

Many argue that a completely automated IT environment requiring zero human involvement — true NoOps — is unwise, or even impossible.

Maybe people are afraid of Skynet becoming self-aware!

NoOps vs. DevOps — Pros and Cons

DevOps emphasizes the collaboration between developers and the operations team, while NoOps emphasizes complete automation. Yet, they both try to achieve the same thing — accelerated GTM and a better software deployment process. However, there are both advantages and challenges when considering a DevOps vs. a true NoOps approach.

Pros

More automation, less maintenance

By automating everything using code, NoOps aims to eliminate the additional effort required to support your code’s ecosystem. This means that there will be no need for manual intervention, and every component will be more maintainable in the long run because it’ll be deployed as part of the code. But does this affect DevOps jobs?

Uses the full power of the cloud

There are a lot of new technologies that support extreme automation, including Container as a Service (CaaS) or Function as a Service (FaaS) as opposed to just Serverless, so most big cloud service providers can help you kickstart NoOps adoption. This is excellent news because Ops can ramp up cloud resources as much as necessary, leading to higher capacity, performance & availability planning compared to DevOps (where Dev and Ops work together to decide where the app can run).

Rapid Deployment Cycles

NoOps focuses on business outcomes by shifting focus to priority tasks that deliver value to customers and eliminating the dependency on the operations team, further reducing time-to-market.

Cons

You still need Ops!

In theory, not relying on an operations team to take care of your underlying infrastructure can sound like a dream. Practically, you may need them to monitor outcomes or take care of exceptions. Expecting developers to handle these responsibilities exclusively would take their focus away from delivering business outcomes and wouldn’t be advantageous considering NoOps benefits.

It also wouldn’t be in your best interest to rely solely on developers, as their skill sets don’t necessarily include addressing operational issues. Plus, you don’t want to further overwhelm devs with even more tasks.

Security, Compliance, Privacy

You could abide by security best practices and align them with automatic deployments all you want, but that won’t completely eliminate the need for you to take delicate care of security. Attack methods evolve and change each day, therefore, so should your cloud security controls.

For example, you could introduce the wrong rules for your AI or automate flawed processes, inviting errors in your automation or creating flawed scripts for hundreds or thousands of infrastructure components or servers. If you completely remove your Ops team, you may want to consider investing additional funds into a security team to ensure you’re instilling the best security and compliance methods for your environments.

Consider your environment

Considering NoOps uses serverless and PaaS to get resources, this could become a limiting factor for you, especially during a refactor or transformation. Automation is still possible with legacy infrastructures and hybrid deployments, but you can’t entirely eliminate human intervention in these cases. So remember that not all environments can transition to NoOps, therefore, you must carefully evaluate the pros and cons of switching.

So Is NoOps Really the End of DevOps?

TL:DR: NO!

Detail: NoOps is not a Panacea. It is limited to apps that fit into existing #serverless and #PaaS solutions. As someone who builds B2B SaaS applications for a living, I know that most enterprises still run on monolithic legacy apps and even some of the new-gen Unicorns are in the middle of Refactoring/Migration which will require total rewrites or massive updates to work in a PaaS environment, you’d still need someone to take care of operations even if there’s a single legacy system left behind.

In this sense, NoOps is still a way away from handling long-running apps that run specialized processes or production environments with demanding applications. Conversely, operations occur before production, so, with DevOps, operations work happens before code goes to production. Releases include monitoring, testing, bug fixes, security and policy checks on every commit, etc.

You must have everyone on the team (including key stakeholders) involved from the beginning to enable fast feedback and ensure automated controls and tasks are effective and correct. Continuous learning and improvement (a pillar of DevOps teams) shouldn’t only happen when things go wrong; instead, members must work together and collaboratively to problem-solve and improve systems and processes.

The Upside

Thankfully, NoOps fits within some DevOps ways. It’s focused on learning and improvement, uses new tools, ideas, and techniques developed through continuous and open collaboration, and NoOps solutions remove friction to increase the flow of valuable features through the pipeline. This means that NoOps is a successful extension of DevOps.

In other words, DevOps is forever, and NoOps is just the beginning of the innovations that can take place together with DevOps, so to say that NoOps is the end of DevOps would mean that there isn’t anything new to learn or improve.

Destination: NoOps

There’s quite a lot of groundwork involved for true NoOps — you need to choose between serverless or PaaS, and take configuration, component management, and security controls into consideration to get started. Even then, you may still have some loose ends — like legacy systems — that would take more time to transition (or that you can’t transition at all).

One thing is certain, though, DevOps isn’t going anywhere and automation won’t make Ops obsolete. However, as serverless automation evolves, you may have to consider a new approach for development and operations at some point. Thankfully, you have a lot of help, like automation tools and EaaS, to make your transition easier should you choose to switch.

Bitnami