engineering leadership - Nocturnalknight's Lair

Hidden Threats in PyPI and NPM: What You Need to Know

By Ramkumar Sundarakalatharan | November 9, 2024 | Comments 0 Comment

Introduction: Dependency Dangers in the Developer Ecosystem

Modern software development is fuelled by open-source packages, ranging from Python (PyPI) and JavaScript (npm) to PHP (phar) and pip modules. These packages have revolutionised development cycles by providing reusable components, thereby accelerating productivity and creating a rich ecosystem for innovation. However, this very reliance comes with a significant security risk: these widely used packages have become an attractive target for cybercriminals. As developers seek to expedite the development process, they may overlook the necessary due diligence on third-party packages, opening the door to potential security breaches.

Faster Development, Shorter Diligence: A Security Conundrum

Today, shorter development cycles and agile methodologies demand speed and flexibility. Continuous Integration/Continuous Deployment (CI/CD) pipelines encourage rapid iterations and frequent releases, leaving little time for the verification of every dependency. The result? Developers often choose dependencies without conducting rigorous checks on package integrity or legitimacy. This environment creates an opening for attackers to distribute malicious packages by leveraging popular repositories such as PyPI, npm, and others, making them vectors for harmful payloads and information theft.

Malicious Package Techniques: A Deeper Dive

While typosquatting is a common technique used by attackers, there are several other methods employed to distribute malicious packages:

Supply Chain Attacks: Attackers compromise legitimate packages by gaining access to the repository or the maintainer’s account. Once access is obtained, they inject malicious code into trusted packages, which then get distributed to unsuspecting users.
Dependency Confusion: This technique involves uploading packages with names identical to internal, private dependencies used by companies. When developers inadvertently pull from the public repository instead of their internal one, they introduce malicious code into their projects. This method exploits the default behaviour of package managers prioritising public over private packages.
Malicious Code Injection: Attackers often inject harmful scripts directly into a package’s source code. This can be done by compromising a developer’s environment or using compromised libraries as dependencies, allowing attackers to spread the malicious payload to all users of that package.

These methods are increasingly sophisticated, leveraging the natural behaviours of developers and package management systems to spread malicious code, steal sensitive information, or compromise entire systems.

Timeline of Incidents: Malicious Packages in the Spotlight

A series of high-profile incidents have demonstrated the vulnerabilities inherent in unchecked package installations:

June 2022: Malicious Python packages such as loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils were caught exfiltrating AWS credentials and sensitive developer information to unsecured endpoints. These packages were disguised to look like legitimate tools and fooled many unsuspecting developers. (BleepingComputer)
December 2022: A malicious package masquerading as a SentinelOne SDK was uploaded to PyPI, with malware designed to exfiltrate sensitive data from infected systems. (The Register)
January 2023: The popular ctx package was compromised to steal environment variables, including AWS keys, and send them to a remote server. This instance affected many developers and highlighted the scale of potential data leakage through dependencies. (BleepingComputer)
September 2023: An extended campaign involving malicious npm and PyPI packages targeted developers to steal SSH keys, AWS credentials, and other sensitive information, affecting numerous projects globally. (BleepingComputer)
October 2023: The recent incident involving the fabrice package is a stark reminder of how easy it is for attackers to deceive developers. The fabrice package, designed to mimic the legitimate fabric library, employed a typosquatting strategy, exploiting typographical errors to infiltrate systems. Since its release, the package was downloaded over 37,000 times and covertly collected AWS credentials using the boto3 library, transmitting the stolen data to a remote server via VPN, thereby obscuring the true origin of the attack. The package contained different payloads for Linux and Windows systems, utilising scheduled tasks and hidden directories to establish persistence. (Developer-Tech)

The Impact: Scope of Compromise

The estimated number of affected companies and products is difficult to pin down precisely due to the widespread usage of open-source packages in both small-scale and enterprise-level applications. Given that some of these malicious packages garnered tens of thousands of downloads, the potential damage stretches across countless software projects. With popular packages like ctx and others reaching a substantial audience, the economic and reputational impact could be significant, potentially costing affected businesses millions in breach recovery and remediation costs.

Real-world Impact: Consequences of Malicious Packages

The real-world impact of malicious packages is profound, with consequences ranging from data breaches to financial loss and severe reputational damage. The following are some of the key impacts:

British Airways and Ticketmaster Data Breach: In 2018, the Magecart group exploited vulnerabilities in third-party scripts used by British Airways and Ticketmaster. The attackers injected malicious code to skim payment details of customers, leading to significant data breaches and financial loss. British Airways was fined £20 million for the breach, which affected over 400,000 customers. (BBC)
Codecov Bash Uploader Incident: In April 2021, Codecov, a popular code coverage tool, was compromised. Attackers modified the Bash Uploader script, which is used to send coverage reports, to collect sensitive information from Codecov’s users, including credentials, tokens, and keys. This supply chain attack impacted hundreds of customers, including notable companies like HashiCorp. (GitGuardian)
Event-Stream NPM Package Attack: In 2018, a popular JavaScript library event-stream was hijacked by a malicious actor who added code to steal cryptocurrency from applications using the library. The compromised version was downloaded millions of times before the attack was detected, affecting numerous developers and projects globally. (Synk)

These incidents highlight the potential repercussions of malicious packages, including severe financial penalties, reputational damage, and the theft of sensitive customer information.

Fabrice: A Case Study in Typosquatting

The recent incident involving the fabrice package is a stark reminder of how easy it is for attackers to deceive developers. The fabrice package, designed to mimic the legitimate fabric library, employed a typosquatting strategy, exploiting typographical errors to infiltrate systems. Since its release, the package was downloaded over 37,000 times and covertly collected AWS credentials using the boto3 library, transmitting the stolen data to a remote server via VPN, thereby obscuring the true origin of the attack. The package contained different payloads for Linux and Windows systems, utilising scheduled tasks and hidden directories to establish persistence. (Developer-Tech)

Lessons Learned: Importance of Proactive Security Measures

The cases highlighted in this article offer important lessons for developers and organisations:

Dependency Verification is Crucial: Typosquatting and dependency confusion can be avoided by carefully verifying package authenticity. Implementing strict naming conventions and utilising internal package repositories can help prevent these attacks.
Security Throughout the SDLC: Integrating security checks into every phase of the SDLC, including automated code reviews and security testing of modules, is essential. This ensures that vulnerabilities are identified early and mitigated before reaching production.
Use of Vulnerability Scanning Tools: Tools like Snyk and OWASP Dependency-Check are invaluable in proactively identifying vulnerabilities. Organisations should make these tools a mandatory part of the development process to mitigate risks from third-party dependencies.
Security Training and Awareness: Developers must be educated about the risks associated with third-party packages and taught how to identify potentially malicious code. Regular training can significantly reduce the likelihood of falling victim to these attacks.

By recognising these lessons, developers and organisations can better safeguard their software supply chains and mitigate the risks associated with third-party dependencies.

Prevention Strategies: Staying Safe from Malicious Packages

To mitigate the risks associated with malicious packages, developers and startups must adopt a multi-layered defence approach:

Verify Package Authenticity: Always verify package names, descriptions, and maintainers. Opt for well-reviewed and frequently updated packages over relatively unknown ones.
Review Source Code: Whenever possible, review the source code of the package, especially for dependencies with recent uploads or unknown maintainers.
Use Package Scanners: Employ tools like Sonatype Nexus, npm audit, or PyUp to identify vulnerabilities and malicious code within packages.
Leverage Lockfiles: Tools like package-lock.json (npm) or Pipfile.lock (pip) can help prevent unintended updates by locking dependencies to a specific version.
Implement Least Privilege: Limit the permissions assigned to development environments to reduce the impact of compromised keys or credentials.
Regular Audits: Conduct regular security audits of dependencies as part of the CI/CD pipeline to minimise risk.

Software Security: Embedding Security in the Development Lifecycle

To mitigate the risks associated with malicious packages and other vulnerabilities, it is essential to integrate security into every phase of the Software Development Lifecycle (SDLC). This practice, known as the Secure Software Development Lifecycle (SSDLC), emphasises incorporating security best practices throughout the development process.

Key Components of SSDLC

Automated Code Reviews: Leveraging tools that automatically scan code for vulnerabilities and flag potential issues early in the development cycle can significantly reduce the risk of security flaws making it into production. Tools like SonarQube, Checkmarx, and Veracode help in ensuring that security is built into the code from the beginning.
Security Testing of Modules: Security testing should be conducted on third-party modules before integrating them into the project. Tools like Snyk and OWASP Dependency-Check can identify vulnerabilities in dependencies and provide remediation advice.

Deep Dive into Technical Details

Malicious Package Techniques: As discussed earlier, typosquatting is just one of the many attack techniques. Supply chain attacks, dependency confusion, and malicious code injection are also common methods attackers use to compromise software projects. It is essential to understand these techniques and incorporate checks that can prevent such attacks during the development process.
Vulnerability Analysis Tools:
- Snyk: Snyk helps developers identify vulnerabilities in open-source libraries and container images. It scans the project dependencies and cross-references them with a constantly updated vulnerability database. Once vulnerabilities are identified, Snyk provides detailed remediation advice, including fixing the version or applying patches.
- OWASP Dependency-Check: OWASP Dependency-Check is an open-source tool that scans project dependencies for known vulnerabilities. It works by identifying the libraries used in the project, then checking them against the National Vulnerability Database (NVD) to highlight potential risks. The tool also provides reports and actionable insights to help developers remediate the issues.
- Sonatype Nexus: Sonatype Nexus offers a repository management system that integrates directly with CI/CD pipelines to scan for vulnerabilities. It uses machine learning and other advanced techniques to continuously monitor and evaluate open-source libraries, providing alerts and remediation options.

Best Practices for Secure Dependency Management

Dependency Pinning: Pinning dependencies to specific versions helps in preventing unexpected updates that may contain vulnerabilities. By using tools like package-lock.json (npm) or Pipfile.lock (pip), developers can ensure that they are not inadvertently upgrading to a compromised version of a dependency.
Use of Private Registries: Hosting private package registries allows organisations to maintain tighter control over the dependencies used in their projects. By using tools like Nexus Repository or Artifactory, companies can create a trusted repository of dependencies and mitigate risks associated with public registries.
Robust Security Policies: Organisations should implement strict policies around the use of open-source components. This includes performing security audits, using automated tools to scan for vulnerabilities, and enforcing review processes for any new dependencies being added to the codebase.

By integrating these practices into the development process, organisations can build more resilient software, reduce vulnerabilities, and prevent incidents involving malicious dependencies.

Conclusion

As the developer community continues to embrace rapid innovation, understanding the security risks inherent in third-party dependencies is crucial. Adopting preventive measures and enforcing better dependency management practices are vital to mitigate the risks of malicious packages compromising projects, data, and systems. By recognising these threats, developers and startups can secure their software supply chains and build more resilient products.

References & Further Reading

Starling Bank’s Penalty: How to Strengthen Your Compliance Efforts

By Ramkumar Sundarakalatharan | October 5, 2024 | Comments 1 comment

Introduction

The rapid growth of the fintech industry has brought with it immense opportunities for innovation, but also significant risks in terms of regulatory compliance and real security. Starling Bank, one of the UK’s prominent digital banks, recently faced a £29 million fine in October 2024 from the Financial Conduct Authority (FCA) for serious lapses in its anti-money laundering (AML) and sanctions screening processes. This fine is part of a broader trend of fintechs grappling with regulatory pressures as they scale quickly. Failures in compliance not only lead to financial penalties but also damage to reputation and customer trust. In most cases, it also leads to revenue loss and or a significant business impact.

In this article, we explore what went wrong at Starling Bank, examine similar compliance issues faced by other major financial institutions like Paytm, Monzo, HDFC, Axis Bank & RobinHood and propose practical solutions to help fintech companies strengthen their compliance frameworks. This also helps to establish the point that these cybersecurity and compliance control lapses are not restricted to geography and are prevalent in the US, UK, India and many other regions. Additionally, we dive into how vulnerabilities manifest in growing fintechs and the increasing importance of adopting zero-trust architectures and AI-powered AML systems to safeguard against financial crime.

Background

In October 2024, Starling Bank was fined £29 million by the Financial Conduct Authority (FCA) for significant lapses in its anti-money laundering (AML) controls and sanctions screening. The penalty highlights the increasing pressure on fintech firms to build robust compliance frameworks that evolve with their rapid growth. Starling’s case, although high-profile, is just one in a series of incidents where compliance failures have attracted regulatory action. This article will explore what went wrong at Starling, examine similar compliance failures across the global fintech landscape, and provide recommendations on how fintechs can enhance their security and compliance controls.

What Went Wrong and How the Vulnerability Manifested

The FCA investigation into Starling Bank uncovered two major compliance gaps between 2019 and 2023, which exposed the bank to financial crime risks:

Failure to Onboard and Monitor High-Risk Clients: Starling’s systems for onboarding new clients, particularly high-risk individuals, were not sufficiently rigorous. The bank’s AML mechanisms did not scale in line with the rapid increase in customers, leaving gaps where sanctioned or suspicious individuals could go undetected. Despite the bank’s growth, the compliance framework remained stagnant, resulting in breaches of Principle 3 of the FCA’s regulations for businesses(Crowdfund Insider)(FinTech Futures).
Inadequate Sanctions Screening: Starling’s sanctions screening systems failed to adequately identify transactions from sanctioned entities, a critical vulnerability that persisted for several years. With insufficient real-time monitoring capabilities, the bank did not screen many transactions against the latest sanctions lists, leaving it exposed to potentially illegal activity(FinTech Futures). This is especially concerning in a financial ecosystem where transactions are frequent and high in volume, requiring robust systems to ensure compliance at all times.

These vulnerabilities manifested in Starling’s inability to effectively prevent financial crime, culminating in the FCA’s action in October 2024.

Learning from Similar Failures in the Fintech Industry

Paytm’s Cybersecurity Breach Reporting Delays (October 2024): In India, Paytm was fined for failing to report cybersecurity breaches in a timely manner to the Reserve Bank of India (RBI). This non-compliance exposed vulnerabilities in Paytm’s internal governance structures, particularly in their failure to adapt to rapid business expansion and manage cybersecurity threats(Reuters).
HDFC and Axis Banks’ Regulatory Breaches (September 2024): The RBI fined HDFC Bank and Axis Bank in September 2024 for failing to comply with regulatory guidelines, emphasizing how traditional banks, like fintechs, can face compliance challenges as they scale. The fines were related to lapses in governance and risk management frameworks(Economic Times).
Monzo’s PIN Security Breach (2023): In 2023, UK-based challenger bank Monzo experienced a breach where customer PINs were accidentally exposed due to an internal vulnerability. Although Monzo responded swiftly to mitigate the damage, the breach illustrated the need for fintechs to prioritize backend security and implement zero-trust security architectures that can prevent such incidents(Wired).
LockBit Ransomware Attack (2024): The LockBit ransomware attack on a major financial institution in 2024 demonstrated the growing cyber threats that fintechs face. This attack exposed the weaknesses in traditional cybersecurity models, underscoring the necessity of adopting zero-trust architectures for fintech companies to protect sensitive data and transactions from malicious actors(NCSC).
Robinhood’s Regulatory Scrutiny (2021-2022): In June 2021, Robinhood was fined $70 million by FINRA for misleading customers, causing harm through platform outages, and failing to manage operational risks during the GameStop trading frenzy. Robinhood’s systems were not equipped to handle the surge in trading volumes, leading to severe service disruptions and a failure to communicate risks to customers.
Robinhood Crypto’s Cybersecurity Failure (2022): In August 2003, Robinhood was fined $30 million by the New York State Department of Financial Services (NYDFS) for failing to comply with anti-money laundering (AML) regulations and cybersecurity obligations related to its cryptocurrency trading operations. The fine was issued due to inadequate staffing, compliance failures, and improper handling of regulatory oversight within its crypto business. Much like Starling, Robinhood’s compliance systems lagged behind its rapid business growth (Compliance Week)

Key Statistics in the Fintech Compliance Landscape

65% of organizations in the financial sector had more than 500 sensitive files open to every employee in 2023, making them highly vulnerable to insider threats.
The average cost of a data breach in financial services was $5.85 million in 2023, a significant figure that shows the financial impact of security vulnerabilities.
27% of ransomware attacks targeted financial institutions in 2022, with the number of attacks continuing to rise in 2024, further highlighting the importance of robust cybersecurity frameworks.
81% of financial institutions reported a rise in phishing and social engineering attacks in 2023, emphasizing the need for employee awareness and strong access controls.
By 2025, the global cost of cybercrime is projected to exceed $10.5 trillion annually, a figure that will disproportionately impact fintech companies that fail to implement strong security protocols.

Recommendations for Strengthening Compliance and Security Controls

To prevent future compliance breaches, fintech firms should prioritise scalable, technology-enabled compliance solutions. This requires empowering Compliance Heads, Information Security Teams, CISOs, and CTOs with the necessary budgets and authority to develop secure-by-design environments, teams, infrastructure, and products.

AI-Powered AML Systems: Leverage artificial intelligence (AI) and machine learning to enhance AML systems. These technologies can dynamically adjust to new threats and process high volumes of transactions to detect suspicious patterns in real time. This approach will ensure that fintechs can comply with evolving regulatory requirements while scaling.
Zero-Trust Security Models: As the LockBit ransomware attack showed in 2024, fintechs must adopt zero-trust architectures, where every user and device interacting with the system is continuously authenticated and verified. This reduces the risk of internal breaches and external attacks(Cloudflare).
Real-Time Auditing and Blockchain for Transparency: Real-time auditing, combined with blockchain technology, provides an immutable and transparent record of all financial transactions. This would help fintechs like Starling avoid the pitfalls of delayed sanctions screening, as blockchain ensures immediate and traceable compliance checks(EY).
Multi-Layered Sanctions Screening: Implement a multi-layered sanctions screening system that combines automated transaction monitoring with manual oversight for high-risk accounts. This dual approach ensures that fintechs can monitor suspicious activities while maintaining compliance with global regulatory frameworks(Exiger)(FinTech Futures).
Continuous Employee Training and Governance: Strong governance structures and regular compliance training for employees will ensure that fintechs remain agile and responsive to regulatory changes. This prepares the organization to adapt as new regulations emerge and customer bases expand.

Conclusion

The £29 million fine imposed on Starling Bank in October 2024 serves as a crucial reminder for fintech companies to integrate robust compliance and security frameworks as they grow. In an industry where regulatory scrutiny is intensifying, the fintech players that prioritize compliance will not only avoid costly fines but also position themselves as trusted institutions in the financial services world.

Why Did Elastic Decide to Go Open Source Again?

By Ramkumar Sundarakalatharan | October 1, 2024 | Comments 0 Comment

Elastic’s Return to Open Source: The Knight is back to the Pavilion

Elastic, the company behind Elasticsearch, recently decided to revert to an open-source licensing model after four years of operating under a proprietary license. This decision reflects a shift in strategy that emphasizes community-driven innovation and collaboration. In 2019, Elastic initially adopted a proprietary model to protect its intellectual property from cloud providers like Amazon Web Services (AWS), which were benefiting from Elasticsearch without contributing to its development. However, the move away from open-source posed its own challenges, including alienating the developer community that had helped build Elasticsearch into a widely-used tool.

In 2024, Elastic CEO Shay Banon announced the company’s return to an open-source framework. He explained that this decision stems from the belief that open collaboration fosters innovation and better serves the long-term interests of both the company and its user base. “We believe that the best products are built together,” Banon stated, emphasizing the value of community engagement in product development.

Recent Changes in Open-Source Licensing Models

Elastic’s decision is not an isolated incident. Over the past few years, several other technology companies have reconsidered their licensing models in response to the changing dynamics of software development and cloud service providers. These companies have struggled with how to balance open-source principles with the need to protect their commercial interests.

Redis Labs
Redis Labs initially licensed Redis under a permissive open-source license, but in 2018, the company adopted the Commons Clause to prevent cloud providers from offering Redis as a service without contributing to its development. However, after facing backlash from the developer community, Redis Labs adjusted its approach by introducing Redis Stack under more community-friendly terms, highlighting the difficulty of maintaining open-source integrity while ensuring business protection.
HashiCorp
In 2023, HashiCorp, known for popular tools like Terraform, adopted a Business Source License (BSL), which restricts the usage of its software in certain commercial contexts. HashiCorp’s move was driven by concerns over cloud providers monetizing its tools without contributing back to the open-source community. While BSL is not a traditional open-source license, HashiCorp continues to maintain a balance between openness and protecting its intellectual property, showing how companies are navigating complex market dynamics.
MongoDB
MongoDB’s shift to the Server Side Public License (SSPL) in 2018 was another major development in the open-source licensing debate. The SSPL aims to prevent cloud service providers from exploiting MongoDB’s open-source code without contributing back. While the SSPL is more restrictive than traditional open-source licenses, MongoDB’s goal was to retain the open-source ethos while ensuring that cloud vendors could not commercialize the software without contributing to its development.
Chef Software
Chef, an automation tool provider, switched all of its products to open-source in 2019 after years of operating under a mixed licensing model. This shift was largely a response to the growing demand for transparency and community collaboration. Chef’s decision allowed it to rebuild trust within its user base and align its business strategy with the broader trends in software development.

Impact on the Average Software Developer

For the average software developer, these licensing model changes can profoundly impact their work, career growth, and day-to-day development practices.

Access to Cutting-Edge Tools
When companies like Elastic and MongoDB return to open-source models, developers gain unrestricted access to powerful tools and frameworks. This democratizes the technology, allowing developers from small companies, startups, and even personal projects to leverage the same tools that major enterprises use, without the barrier of expensive proprietary licenses. For many developers, open-source provides not just tools, but an entire ecosystem for experimentation, learning, and rapid prototyping.
Contributing to Open-Source Communities
Open-source contributions are an essential career-building tool for many developers. By contributing to open-source projects, developers can gain real-world experience, build portfolios, and even influence the direction of widely-used technologies. When companies like HashiCorp and Redis Labs shift their focus back to open-source, it increases opportunities for developers to become part of a larger, global development community.
Career and Learning Opportunities
Exposure to open-source projects allows developers to work with cutting-edge technology and methodologies. This can accelerate learning, as open-source projects are often evolving quickly with input from diverse and global teams. Additionally, contributing to popular open-source projects like Elastic or Kubernetes can greatly enhance a developer’s resume and open doors to career opportunities, including job offers and consulting roles.
Navigating Licensing Restrictions
Developers must also become more adept at navigating the complexities of new licenses like SSPL and BSL. These licenses place restrictions on how open-source software can be used, especially in cloud environments. Understanding the fine print is crucial for developers working in enterprise environments or launching their own SaaS products, as improper use of open-source software can lead to legal complications. This makes legal and compliance knowledge increasingly important in modern software development roles.

Open Source vs. Open Governance: A Crucial Distinction

Elastic’s journey highlights a key debate in the software development world: the difference between open source and open governance. While many companies have embraced open-source models, few have transitioned to open governance frameworks, which involve community-driven decision-making for the project’s future direction.

As highlighted in my previous article, “Open Source vs. Open Governance: The State and Future of the Movement,” the distinction lies in control. In open-source projects, the code is freely available, but decisions regarding the project’s roadmap and key developments may still be controlled by a single entity, such as a company. In contrast, open governance ensures that decision-making is decentralized, often involving multiple stakeholders, including developers, users, and companies that contribute to the project.

For Elastic and others, returning to open-source doesn’t necessarily mean embracing open governance. Although Elastic’s code will be open for contributions, the strategic direction will still be managed by the company. This is a common approach in many high-profile open-source projects. For example, Google’s Kubernetes operates under the open-source model but is governed by a diverse group of stakeholders, ensuring the project’s direction isn’t controlled by a single entity. On the other hand, projects like OpenStack follow a more open governance approach, with broader community involvement in decision-making.

Understanding the difference between open-source and open governance is critical as the software industry evolves. Companies are beginning to realize that open-source alone doesn’t always translate into the collaborative, community-driven development they seek. Open governance provides a framework for more inclusive decision-making, but it also presents challenges in terms of efficiency and control.

Looking Ahead: Open Source as a Business Strategy

The return of Elastic and other companies to more open models indicates a growing recognition of the importance of open-source in the software industry. For Elastic, this decision is about more than just licensing; it’s about reconnecting with a developer community that thrives on transparency and collaboration. By embracing open-source again, Elastic hopes to accelerate product development and foster stronger relationships with users.

This broader trend shows that while companies are still cautious about cloud providers exploiting their software, they are increasingly finding ways to leverage open-source models as a business strategy. These recent changes to licensing frameworks highlight the evolving nature of software development and the role open-source plays in it.

For organizations navigating the complex decision between proprietary and open-source models, the key lesson from Elastic’s experience is that the long-term benefits of community-driven development and innovation can outweigh the short-term protection of proprietary models. As more companies follow suit, it’s clear that open-source is not just a technical choice—it’s a business strategy.

References:

Elastic founder on why they returned to open-source four years after going proprietary – TechCrunch
Redis Stack: Moving back to a community-driven model
HashiCorp’s shift to Business Source License
MongoDB’s adoption of SSPL
Chef Software’s decision to return to open-source in 2019
Open Source vs. Open Governance: The State and Future of the Movement – LinkedIn.

Key Reasons Founding CTOs Move Sideways in Tech Startups

By Ramkumar Sundarakalatharan | August 30, 2024 | Comments 0 Comment

In the world of startups, it’s not uncommon to hear about founding CTOs being ousted or sidelined within a few years of the company’s inception. For many, this seems paradoxical—after all, these are often individuals who are not only experts in their fields but also the technical visionaries who brought the company to life. Yet, within 3–5 years, many of them find themselves either pushed out of their executive roles or relegated to a more visionary or peripheral position in the organization.

But why does this happen?

The Curious Case of the Founding CTO

About 6-7 years back, while assisting a couple of VC firms in performing technical due diligence with their investments, I noticed a pattern: founding CTOs who had built groundbreaking technology and secured millions in funding were being removed from their positions. These were not just “any” technologists—they were often world-class experts, with pedigrees from prestigious institutions like Cambridge, Stanford, Oxford, MIT, IIT(Israel) and IIT (India). Their technical competence was beyond question, so what was causing this rapid turnover?

The Business Acumen Gap

After numerous conversations with both the displaced CTOs and the investors who backed their companies, a common theme emerged: there was a significant gap in business acumen between the CTOs and the boards of directors. As the companies grew, this gap widened, eventually becoming a chasm too large to bridge.

The Perception of Arrogance

One of the most frequently cited issues was the perception of arrogance. Many founding CTOs, steeped in deep technical knowledge, would often express disdain or impatience towards board members and executive leadership team (ELT) members who lacked a technical background. This disdain often manifested in meetings, where CTOs would engage in “geek speak,” using highly technical language that alienated non-technical stakeholders. This attitude can make the board feel undervalued and disconnected from the technology’s impact on the business, leading to friction between the CTO and other executives.

Failure to Translate Technology into Business Outcomes

Another critical issue was the inability—or unwillingness—to translate technical initiatives into tangible business outcomes. CTOs would present technology roadmaps without tying them to the company’s broader business objectives; and in extreme cases, even product roadmaps! This disconnect led to frustration among board members who wanted to understand how technology investments would drive revenue, reduce costs, or create competitive advantages. According to an article in Harvard Business Review, this lack of alignment between technical leadership and business strategy often results in a loss of confidence from investors & executive leadership who see the CTO as out of sync with the company’s growth trajectory.

Lack of Proactive Communication and Risk Management

Founding CTOs were also often criticized for failing to communicate proactively. When projects fell behind schedule or technical challenges arose, many CTOs would either remain silent or offer vague assurances such as, “You have to trust me.” Sometimes, they fail to communicate the underlying problems causing this. This lack of transparency and the absence of a clear, proactive plan to mitigate risks eroded the board’s confidence in their leadership. As noted by TechCrunch, this lack of foresight and communication can lead to the CTO being perceived as “dead weight” on the cap table, ultimately leading to their removal or sidelining.

The Statistics Behind the Trend

Research supports the observation that founding CTOs often struggle to maintain their roles as companies scale. According to a study by Harvard Business Review, more than 50% of founding CTOs in high-growth startups are replaced within the first 5 years. The reasons cited align with the issues mentioned above—poor communication, lack of business alignment, and a failure to scale leadership skills as the company grows.

Additionally, a survey by the Startup Leadership Journal revealed that 70% of venture capitalists have replaced a founding CTO at least once in their careers. This statistic underscores the importance of not only possessing technical expertise but also developing the necessary business acumen to maintain a leadership role in a rapidly growing company.

Real-World Examples: CTOs Who Fell from Grace

Several high-profile cases illustrate this trend. For instance, at Uber, founding CTO Oscar Salazar eventually took a step back from his leadership role as the company’s growth demanded a different set of skills. Similarly, at Twitter, co-founder and CTO Noah Glass was famously sidelined during the company’s early years, despite his pivotal role in its creation.

In another notable case, at Zenefits, founding CTO Laks Srini was moved to a less central role as the company faced regulatory challenges and rapid growth. The decision to shift his role was driven by the need for a leadership team that could navigate the complexities of a scaling business.

And, the list is too long, so I am adding about 8 names which is bound to elicit a reaction.

Name	Company	Fired/Left on Year	Most Likely Reason
Scott Forstall	Apple	2012	Abrasive management style and failure of Apple Maps
Kevin Lynch	Adobe	2013	Contention over Flash technology, departure to join Apple
Tony Fadell	Apple	2008	Internal conflicts over strategic directions
Amit Singhal	Google/Uber	2017	Dismissed from Uber due to harassment allegations
Balaji Srinivasan	Coinbase	2019	Strategic shifts away from decentralization
Alex Stamos	Facebook	2018	Disagreements over handling misinformation and security issues
Michael Abbott	Twitter	2011	Executive reshuffle during strategic redirection
Shiva Rajaraman	WeWork	2018	Departure during company instability and failed IPO

The Path Forward for Aspiring CTOs

For current and aspiring CTOs, the lessons are clear: technical expertise is essential, but it must be complemented by strong business acumen, communication skills, and a proactive approach to leadership. As a company scales, so too must the CTO’s ability to align technology with business objectives, communicate effectively with non-technical stakeholders, and manage both risks and expectations.

CTOs who can bridge the gap between technology and business are far more likely to maintain their executive roles and continue to drive their companies forward. For those who fail to adapt, the fate of being sidelined or replaced is an all-too-common outcome.

Conclusion

The role of the CTO is critical, especially in the early stages of a startup. However, as the company grows, the demands on the CTO evolve. Those who can develop the necessary business acumen, communicate effectively with a diverse range of stakeholders, and maintain a strategic focus will thrive. For others, the writing may be on the wall well before the 3–5 year mark.

What other reasons have you found that got the founding CTO fired? Share your thoughts in the comments.

References: & Further Reading

Harvard Business Review: Unpacking VCs’ Strange Instinct .
Adeline Chalmers on Medium: Without Business Acumen, Most CTOs in Scaleups Will Be Replaced in Time .
TechCrunch: Bad CTOs Mean Startups Have Millions Worth of Cap Table Dead Weight .

Tech Founder to CTO: The Hidden Challenges of Managing Growth in Startups

By Ramkumar Sundarakalatharan | July 29, 2024 | Comments 0 Comment

The role of the Chief Technology Officer (CTO) in a startup is dynamic and challenging, particularly for first-time technical cofounders. While the early stages of a startup demand intense technical involvement and innovation, the role evolves significantly as the company grows. This evolution often highlights stark differences in the required skill sets at different stages, posing challenges for first-time technical cofounders but offering opportunities for serial entrepreneurs.

The Initial Phase: Technical Mastery and Hands-On Development

In a startup’s early days, the technical cofounder, often assuming the CTO role, is deeply immersed in product development’s intricacies. This period is characterized by rapid prototyping, extensive coding, and constant iteration based on user feedback. The technical cofounder’s primary focus is to bring the product vision to life, often working with limited resources and under significant time pressure. This phase requires not just technical expertise but also a high degree of creativity and problem-solving prowess.

The Transition: From Builder to Leader

As the startup scales, the CTO’s demands change dramatically. The focus shifts from hands-on development to strategic leadership. This transition involves managing larger teams, setting long-term technical directions, and ensuring that the technology strategy aligns with the overall business goals. First-time technical cofounders often find this shift challenging because it demands skills they may not have developed. The ability to code and build is no longer enough; the role now requires people management, strategic planning, and the capacity to handle complex organizational dynamics.

The Skill Set Gap

For first-time technical cofounders, this transition can be particularly daunting. Their expertise lies in building and innovating, but scaling a technology team and managing a growing organization are entirely different challenges. These new responsibilities require experience in leadership, communication, and strategic thinking—areas where first-time founders might lack experience. The result is a skill set gap that can lead to frustration and inefficiency, both for the individual and the organization.

Serial Entrepreneurs: Experience Matters

In contrast, serial entrepreneurs often handle this transition more effectively. Having navigated the startup journey multiple times, they possess a broader range of skills and experiences. They are familiar with the different phases of growth and the changing demands of the CTO role. Serial entrepreneurs are better equipped to balance hands-on technical work with strategic leadership. They have likely experienced the pitfalls and challenges of scaling a company before and have developed the necessary skills to manage them.

Learning from Experience

Serial entrepreneurs and or seasoned engineering leaders bring a wealth of knowledge from their previous ventures, allowing them to anticipate challenges and implement solutions proactively. Their past experiences help them build robust management structures, delegate effectively, and maintain strategic focus. This adaptability and foresight are crucial for a scaling startup, where the ability to pivot and adjust is often the difference between success and failure.

The Burnout Factor

Another critical difference is how first-time technical cofounders and serial entrepreneurs handle burnout. The relentless pace and high stakes of a startup can lead to significant stress and fatigue. First-time founders, driven by their passion and vision, might find it hard to step back and delegate, leading to burnout. On the other hand, serial entrepreneurs, having experienced this before, are often more adept at recognizing the signs of burnout and taking steps to mitigate it. They understand the importance of work-life balance and are better at creating a sustainable work environment for themselves and their teams.

Strategic Decisions and Stakeholder Management

As startups grow, they attract more investors and stakeholders whose interests need to be managed. Serial entrepreneurs typically have more experience dealing with investors and understanding their expectations. They are skilled at navigating the complex landscape of stakeholder management, making strategic decisions that align with the broader goals of the company while maintaining the confidence of their investors.

Conclusion: The Path Forward

For startups, recognizing the strengths and limitations of their technical cofounders is crucial. While first-time technical cofounders bring passion and technical prowess, they may struggle with the strategic and managerial aspects as the company scales. In contrast, serial entrepreneurs, with their diverse experiences and refined skills, are often better suited to handle the evolving demands of the CTO role.

Startups should consider these dynamics when planning their leadership strategies. Providing support, mentorship, and training to first-time technical cofounders can help bridge the skill set gap. Alternatively, involving experienced leaders who can complement the technical cofounder’s strengths can create a balanced leadership team capable of steering the company through its growth phases.

Ultimately, the journey from a technical cofounder to a successful CTO is complex and challenging. Recognizing the unique contributions and potential limitations of first-time technical cofounders, while leveraging the experience of serial entrepreneurs, can significantly enhance a startup’s chances of success.

Inside the Palantir Mafia: Secrets to Succeeding in the Tech Industry

By Ramkumar Sundarakalatharan | June 7, 2024 | Comments 0 Comment

In the world of technology, engineers are not just cogs in a machine; they are the builders, the dreamers, and the ones who solve the problems they see in the world. And sometimes, those solutions turn into billion-dollar businesses. This is the story of the “Palantir Mafia,” a group of former Palantir employees who have left the data analytics giant to found their own startups, just like the famed “PayPal Mafia” that produced companies like SpaceX, YouTube, LinkedIn, Palantir Technologies, Affirm, Slide, Kiva, and Yelp.

1. Introducing the Amazing People from Palantir

The “Palantir Mafia,” akin to the renowned “PayPal Mafia,” comprises former Palantir engineers and executives who left to tackle meaningful problems with technological innovation, creating substantial impact and wealth. Unlike ex-consultants from firms like McKinsey, BCG, or Bain, these tech leaders leverage their deep technical expertise to solve complex issues directly, resulting in profound advancements and successful ventures.

Key Figures and Their Ventures

Alex Karp – Palantir Technologies
- Former Role: Co-Founder and CEO
- Company: Palantir Technologies
- Focus: Data analytics
- Market Penetration: Widely used across government and commercial sectors
- Revenue: $1.5 billion annually
- Capital Raised: $3 billion (Wikipedia) (Business Insider)
Max Levchin – Affirm
- Former Role: Co-Founder (PayPal, associated with Palantir founders)
- Company: Affirm
- Focus: Buy now, pay later financial services
- Market Penetration: Significant presence in the consumer finance market
- Revenue: $870 million in fiscal 2021
- Capital Raised: $1.5 billion
Joe Lonsdale – 8VC
- Former Role: Co-Founder
- Company: 8VC
- Focus: Venture capital firm
- Market Penetration: Diverse portfolio, influential in tech sectors
- Assets Under Management: $3.6 billion
Palmer Luckey – Anduril Industries ( could be the blue blooded Musk of 2020-2030s)
- Former Role: Founder of Oculus VR, associated with Palantir through ventures
- Company: Anduril Industries
- Focus: Defense technology
- Innovation: Developed the Lattice AI platform for autonomous border surveillance and defense applications
- Market Penetration: Contracts with U.S. Department of Defense and border security agencies
- Revenue: $200 million annually
- Capital Raised: $700 million
Garrett Smallwood – Wag!
- Former Role: Executive roles at other startups before Wag!
- Company: Wag!
- Focus: On-demand pet care services
- Market Penetration: Operates in over 100 cities
- Revenue: $100 million annually
- Capital Raised: $361.5 million
Nima Ghamsari – Blend
- Former Role: Product Manager at Palantir
- Company: Blend
- Focus: Mortgage and lending software
- Market Penetration: Partners with major financial institutions
- Revenue: Estimated $100 million+ annually
- Capital Raised: $665 million
Stephen Cohen – Quantifind
- Former Role: Co-Founder of Palantir
- Company: Quantifind
- Focus: Risk and fraud detection using data science
- Market Penetration: Used by financial services and government sectors
- Capital Raised: $8.7 million
Vibhu Norby – B8ta
- Former Role: Engineer at Palantir
- Company: B8ta
- Focus: Retail-as-a-service platform
- Market Penetration: Transforming in-store retail experiences
- Capital Raised: $113 million
Joe Lonsdale – Addepar
- Former Role: Co-Founder of Palantir
- Company: Addepar
- Focus: Wealth management technology
- Market Penetration: Manages over $2 trillion in assets
- Capital Raised: $325 million
Raman Narayanan – SigOpt
- Former Role: Data Scientist at Palantir
- Company: SigOpt (acquired by Intel)
- Focus: Machine learning optimization
- Market Penetration: Utilized by top tech companies
- Capital Raised: $8.7 million (before acquisition)

2. Engineers Make Better Founders in the Tech Industry

Unlike ex-consultants from big 3 who may excel in strategy and communication but often lack the technical depth to truly understand the intricacies of building a tech product, these ex-Palantir engineers come armed with both the vision and the technical chops to bring their ideas to life. They’ve spent years wrestling with complex data problems at Palantir, and they’re now taking those hard-won lessons to solve new challenges across a wide range of industries.

Engineers bring a problem-solving mindset that focuses on creating practical, scalable solutions. This technical acumen has allowed former Palantir employees to launch transformative companies that push the boundaries of what’s possible in various industries.

3. Market Penetration and Success of Palantir Alumni

The success of these Palantir alumni is evident through their market penetration and revenue. For instance, Palantir Technologies itself is a major player in the data analytics field, with a revenue of $1.5 billion annually. Affirm, led by Max Levchin, has made significant inroads in the consumer finance market, generating $870 million in revenue in fiscal 2021. Anduril Industries, founded by Palmer Luckey, has secured substantial contracts with the U.S. Department of Defense, contributing to its $200 million annual revenue.

Other successful ventures include Blend, with its deep partnerships with major financial institutions, and Addepar, managing over $2 trillion in assets. These companies not only showcase the technical expertise of their founders but also highlight their ability to penetrate markets and achieve substantial financial success.

4. Engineers vs. Consultants: A Compelling Argument

The technical depth and problem-solving mindset of engineers make them particularly suited for founding and leading tech startups. Their ability to directly tackle complex problems contrasts with the approach of ex-consultants from firms like McKinsey, BCG, or Bain, who often focus more on financial and operational efficiencies.

While consultants excel in operations-heavy startups, where strategic planning, financial management, and operational efficiency are paramount, engineers thrive in tech startups that require innovative solutions and deep technical expertise. The success stories of the Palantir alumni underscore this distinction, demonstrating how their engineering backgrounds have enabled them to drive significant technological advancements and build successful companies.

Conclusion

The Palantir Mafia’s engineers have leveraged their technical expertise to create innovative solutions and successful ventures, driving significant impact across various industries. Their ability to tackle complex problems directly contrasts with the approach of ex-consultants from firms like McKinsey, BCG, or Bain, who often focus more on financial and operational efficiencies. This technical depth has enabled these former Palantir employees to become influential leaders, pushing the boundaries of technology and innovation.

References & Further Reading:

Non-Compete Clauses: FTC’s Influence on Tech Innovation & Employee Freedom

By Ramkumar Sundarakalatharan | May 3, 2024 | Comments 0 Comment

The recent FTC ruling banning most non-compete agreements nationwide has ignited a firestorm in the business world. While some cheer the increased freedom for workers, others fear a potential talent exodus and a decline in innovation. Let’s delve deeper into this debate, exploring the arguments for and against non-compete clauses, along with the potential consequences of the ruling.

Champions of the Free Agent: A Rising Tide Lifts All Boats

Proponents of the FTC’s decision paint a rosy picture. They argue that:

Increased Worker Mobility: With non-compete shackles removed, workers can freely pursue more lucrative opportunities. This competition between companies drives salaries upwards, forcing employers to offer competitive benefits packages to retain talent.
Innovation on Steroids: A more mobile workforce fosters a cross-pollination of ideas. Employees bring fresh perspectives and experiences from previous roles, leading to a more dynamic and innovative environment across industries.
Empowering the Underdog: Critics of non-competes argue that these clauses disproportionately affect low-wage workers. They often lack the resources to challenge them in court, effectively becoming trapped in jobs with limited upward mobility.

The Employer’s Lament: Protecting the Crown Jewels

Companies are understandably nervous about the FTC’s ruling. Here’s why:

Trade Secrets at Risk: Businesses worry that departing employees, especially those privy to sensitive information, might jump ship to a competitor, potentially taking valuable trade secrets with them. This could give a rival an unfair advantage and stifle innovation.
Customer Loyalty on the Move: Companies also fear losing established customer relationships when key salespeople or account managers move on to a competitor. This could lead to a decline in customer retention and revenue.
Poaching Wars: A Race to the Bottom: Without non-compete clauses, some companies worry about fierce “poaching wars” erupting, where competitors aggressively recruit talent and drive up salaries for specific roles. While this might benefit a select few employees, it could negatively impact smaller companies with limited resources.

The Nuance: Not All Non-Compete Clauses Are Created Equal

It’s important to acknowledge that the FTC ruling has some limitations. Here are some potential grey areas:

Executive Contracts: The ruling may not apply to high-level executives whose contracts often contain stricter non-disclosure and non-compete clauses. These agreements might still be enforceable depending on specific terms.
State Variations: While the FTC ruling aims to be a blanket policy, some states might have stricter or more lenient regulations regarding non-compete clauses. Employers and employees should be aware of their state’s specific laws.
Industry Specificity: The FTC ruling might have a more significant impact on specific industries like tech, where knowledge transfer and trade secrets are particularly valuable. Other sectors may be less affected.

The Future of Work: A Brave New World?

The FTC’s ruling is a major turning point that could significantly reshape the American workforce. It’s too early to predict the full impact, but some potential scenarios include:

Rise of the Free Agent Economy: Highly skilled workers with in-demand expertise may become more like free agents, negotiating short-term contracts or project-based work with various companies.
Focus on Retention Strategies: Companies may shift their focus towards creating a more positive work environment that fosters loyalty and discourages employees from leaving. This could include better benefits, training opportunities, and a strong company culture.
Increased Use of Confidentiality Agreements: Non-compete clauses may be replaced by stricter confidentiality agreements to protect sensitive information, although their enforceability might vary.

Mastering Cyber Defense: The Impact Of AI & ML On Security Strategies

By Ramkumar Sundarakalatharan | April 14, 2024 | Comments 0 Comment

The cybersecurity landscape is a relentless battlefield. Attackers are constantly innovating, churning out new threats at an alarming rate. Traditional security solutions are struggling to keep pace. But fear not, weary defenders! Artificial Intelligence (AI) and Machine Learning (ML) are emerging as powerful weapons in our arsenal, offering the potential to revolutionize cybersecurity.

The Numbers Don’t Lie: Why AI/ML Matters

Security Incidents on the Rise: According to the IBM Security X-Force Threat Intelligence Index 2023 https://www.ibm.com/reports/threat-intelligence, the average organization experienced 270 data breaches in 2022, a staggering 13% increase from the previous year.
Alert Fatigue is Real: Security analysts are bombarded with a constant stream of alerts, often leading to “alert fatigue” and missed critical threats. A study by the Ponemon Institute found that it takes an average of 280 days to identify and contain a security breach https://www.ponemon.org/.

AI/ML to the Rescue: Current Applications

AI and ML are already making a significant impact on cybersecurity:

Reverse Engineering Malware with Speed: AI can disassemble and analyze malicious code at lightning speed, uncovering its functionalities and vulnerabilities much faster than traditional methods. This allows defenders to understand attacker tactics and develop effective countermeasures before widespread damage occurs.
Prioritizing the Vulnerability Avalanche: Legacy vulnerability scanners often generate overwhelming lists of potential weaknesses. AI can prioritize these vulnerabilities based on exploitability and potential impact, allowing security teams to focus their efforts on the most critical issues first. A study by McAfee found that organizations can reduce the time to patch critical vulnerabilities by up to 70% using AI https://www.mcafee.com/blogs/internet-security/the-what-why-and-how-of-ai-and-threat-detection/.
Security SIEMs Get Smarter: Security Information and Event Management (SIEM) systems ingest vast amounts of security data. AI can analyze this data in real-time, correlating events and identifying potential threats with an accuracy far exceeding human capabilities. This significantly improves threat detection accuracy and reduces the time attackers have to operate undetected within a network.

The Future of AI/ML in Cybersecurity: A Glimpse Beyond

As AI and ML technologies mature, we can expect even more transformative applications:

Context is King: AI can be trained to understand the context of security events, considering user behaviour, network activity, and system configurations. This will enable highly sophisticated threat detection and prevention capabilities, automatically adapting to new situations and attacker tactics.
Automating Security Tasks: Imagine a future where AI automates not just vulnerability scanning, but also incident response, patch management, and even threat hunting. This would free up security teams to focus on more strategic initiatives and significantly improve overall security posture.

Challenges and Considerations: No Silver Bullet

While AI/ML offers immense potential, it’s important to acknowledge the challenges:

Explainability and Transparency: AI models can sometimes make decisions that are difficult for humans to understand. This lack of explainability can make it challenging to trust and audit AI-powered security systems. Security teams need to ensure they understand how AI systems reach conclusions and that these conclusions are aligned with overall security goals.
Data Quality and Bias: The effectiveness of AI/ML models heavily relies on the quality of the data they are trained on. Biased data can lead to biased models that might miss certain threats or flag legitimate activity as malicious. Security teams need to ensure their training data is diverse and unbiased to avoid perpetuating security blind spots.

The Takeaway: Embrace the Future

Security practitioners and engineers are at the forefront of adopting and shaping AI/ML solutions. By understanding the current applications, future potential, and the associated challenges, you can ensure that AI becomes a powerful ally in your cybersecurity arsenal. Embrace AI/ML, and together we can build a more secure future!

#AI #MachineLearning #Cybersecurity #ThreatDetection #SecurityAutomation

P.S. Check out these resources to learn more:

A Multilayer Framework for Good Cybersecurity Practices for AI: https://www.enisa.europa.eu/publications/multilayer-framework-for-good-cybersecurity-practices-for-ai by ENISA (European Union Agency for Cybersecurity)

NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0): https://www.nist.gov/itl/ai-risk-management-framework) by National Institute of Standards and Technology (NIST)

Understanding The Implications Of The Data Breaches At Microsoft.

By Ramkumar Sundarakalatharan | February 25, 2024 | Comments 0 Comment

Note: I started this article last weekend to try and explain the attack path  “Midnight Blizzard” used and what Azure admins should do to protect themselves from a similar attack. Unfortunately, I couldn't complete/publish it in time and now there is another breach at Microsoft. (🤦🏿) Now, I had to completely redraft it and change the focus to a summary of data breaches at Microsoft and a walkthrough on the current breach. I will publish the Midnight Blizzard defence later this week.

The Timeline of the Breaches

20th-25th September 2023: 60k State Department Emails Stolen in Microsoft Breach
12th-25th January 2024: Microsoft breached by “Nation-State Actors”
11th-14th February 2024: State-backed APTs are weaponising OpenAI models
16th-19th February 2024: Microsoft admits to security issues with Azure and Exchange servers.

Date/Month	Breach Type	Affected Service/Area	Source
February 2024	Zero-day vulnerabilities in Exchange servers	Exchange servers	Microsoft Security Response Center blog
January 2024	Nation State-sponsored attack (Russia)	Email accounts	Microsoft Security Response Center blog
February 2024	State-backed APTs are weaponising OpenAI models	Not directly impacting MS services
July 2023	Chinese Hackers Breach U.S. Agencies Via Microsoft Cloud	Azure	The New York Times, Microsoft Security Response Center blog
October 2022	BlueBleed Data Leak, 0.5 Million user data leaked	User Data
December 2021	Lapsus$ intrusion	Source code (Bing, Cortana)	The Guardian, Reuters
August 2021	Hafnium attacks Exchange servers	Exchange servers	Microsoft Security Response Center blog
March 2021	SolarWinds supply chain attack	Various Microsoft products (indirectly affected)	The New York Times, Reuters
January 2020	Misconfigured customer support database	Customer data (names, email addresses)	ZDNet

This is a high-level summary of breaches and successful hacks that got reported in the public domain and picked up by tier 1 publications. There are at least a dozen more in the period, some are of negligible impact, and others are less probable

Introduction:

Today, The digital landscape is a battlefield, and even tech giants like Microsoft aren’t immune to cyberattacks. Understanding recent breaches/incidents and their root causes, and effective defence strategies is crucial for Infosec/IT and DevSecOp teams navigating this ever-evolving threat landscape. This blog post dives into the security incidents affecting Microsoft, analyzes potential attack paths, and equips you with actionable defence plans to fortify your infrastructure/network.

Selected Breaches:

January 2024: State actors, purported to be affiliated with Russia leveraged password spraying and compromised email accounts, including those of senior leadership. This highlights the vulnerability of weak passwords and the critical need for multi-factor authentication (MFA).
January 2024: Zero-day vulnerabilities in Exchange servers allowed attackers to escalate privileges. This emphasizes the importance of regular patching and prompt updates to address vulnerabilities before they’re exploited.
December 2021: Lapsus$ group gained access to source code due to misconfigured access controls. This underscores the importance of least-privilege access and regularly reviewed security configurations.
Other incidents: Supply chain attacks (SolarWinds, March 2021) and data leaks (customer database, January 2020) demonstrate the diverse threats organizations face.

Attack Paths:

Understanding attacker motivations and methods is key to building effective defences. Here are common attack paths:

Social Engineering: Phishing emails and deceptive tactics trick users into revealing sensitive information or clicking malicious links.
Software Vulnerabilities: Unpatched software with known vulnerabilities offers attackers an easy entry point.
Weak Passwords: Simple passwords are easily cracked, granting access to accounts and systems.
Misconfigured Access Controls: Overly permissive access rules give attackers more power than necessary to escalate privileges and cause damage.
Supply Chain Attacks: Compromising a vendor or partner can grant attackers access to multiple organizations within the supply chain.

Defence Plans:

Building a robust defense requires a multi-layered approach:

Patch Management: Prioritize timely patching of vulnerabilities across all systems and software.
Strong Passwords & MFA: Implement strong password policies and enforce MFA for all accounts.
Access Control Management: Implement least privilege access and regularly review configurations.
Security Awareness Training: Educate employees on phishing, social engineering, and secure password practices.
Threat Detection & Response: Deploy security tools to monitor systems for suspicious activity and respond promptly to incidents.
Incident Response Planning: Develop and test a plan to mitigate damage, contain breaches, and recover quickly.
Penetration Testing: Regularly test your defenses by simulating real-world attacks to identify and fix vulnerabilities before attackers do.
Network Segmentation: Segment your network to limit the potential impact of a breach by restricting access to critical systems.
Data Backups & Disaster Recovery: Regularly back up data and have a plan to restore it in case of an attack or outage.
Stay Informed: Keep up-to-date on the latest security threats and vulnerabilities by subscribing to security advisories and attending industry conferences.

Conclusion:

Cybersecurity is an ongoing battle, but by understanding the tactics employed by attackers and implementing these defence strategies, IT/DevOps admins can significantly reduce the risk of breaches and protect their networks and data. Remember, vigilance and continuous improvement are key to staying ahead of the curve in the ever-evolving cybersecurity landscape.

Disclaimer: This blog post is for informational purposes only and should not be considered professional security advice. Please consult with a qualified security professional for guidance specific to your organization or mail me for an obligation free consultation call.

References and Further Reading:

Feb 2024 Exchange Breach – https://www.spiceworks.com/it-security/vulnerability-management/news/azure-microsoft-exchange-servers-active-exploitation-hackers/
Feb 2024 Exchange incident – https://techreport.com/news/microsoft-azure-hit-with-the-largest-data-breach-in-its-history-hundreds-of-executive-accounts-compromised/
State Actors weaponising LLMs – https://cyberscoop.com/openai-microsoft-apt-llm/
September 2023: State Dept email leak – https://www.reuters.com/world/us/chinese-hackers-stole-60000-emails-us-state-department-microsoft-hack-senate-2023-09-27/
Proofpoint Article https://www.proofpoint.com/us/blog/cloud-security/community-alert-ongoing-malicious-campaign-impacting-azure-cloud-environments
Microsoft Security Response Center resources:
- Security Response Center blog: https://msrc.microsoft.com/blog/
- Security Update Guide: https://msrc.microsoft.com/update-guide

Why Startups Need To Architect Cloud Agnostic Products

By Ramkumar Sundarakalatharan | November 26, 2023 | Comments 0 Comment

Nobody plans to leave AWS in the startup world, but as they say, “sh** happens.”

As engineers, when we write software, we’re taught to keep it elegant by never depending directly on external systems. We write wrappers for external resources, we encapsulate data and behaviour and standardise functions with libraries.

But, When it comes to the cloud… “eerie silence”

Companies have died because they needed to move off AWS or GCP but couldn’t do it in a reasonable and cost-effective timeline.

We (at Itilite) had a close call with GCP, which served as our brush with the fire. Google had arguably one of the best Distance Matrix capabilities out there. It was used in one of our core logic and ML models. And on one fine Monday afternoon, I have to set up a meeting with my CEO to communicate that we will have to spend ~250% more on our cloud service bill in about 60 days.

Actually, google increased the pricing by 1400% and gave 60 days to rewrite, migrate, move out or perish!

The closest competitor in terms of capability was DistanceMatrix and a reliable “Large” player was Bing. But, both left a lot for in the “Accuracy”. So, for us, the business decision was simple: make the entire product work in “Reduced Functionality” mode for all or start differential pricing for better accuracy! In either case, those APIs must be rewritten with a new adaptor.

It is not an enigma why we do this. It’s simple: there are no alternatives, there is no time to GTM, But maybe there is. I’ll explain why you should take cloud-agnostic architecture seriously and then show you what I do to keep my projects cloud-agnostic.

Cloud Service Rationalisation

The prime reason you should consider the ability to switch clouds and cloud services is so you can choose to use the cloud service that is price and performance-optimized for your use case.

When I first got into serverless, we wrote a transformative API on Oracle Cloud (Bcoz we were part of their Accelerator Program and had a huge credit.) but it fed part of the data that the customer-facing API relied on.

No prize for guessing what happened?

It was a horrible mistake. Our API had an insane latency problem. Cold start requests added additional latency of at least 2 seconds per request. The AWS team has worked hard to build a service that can do things that GCP’s Cloud Functions simply can’t, specifically around cold starts and latency.

I had to move my infrastructure to a different service and a revised network topology.

Guess we would have learned the problem by now, but as we will find out, we did not.

This time it was a combination of Kafka and the AWS Lambda that created an issue. We had relied on Confluent’s connectors for much of the workload interfaces and had to shell out almost $1000 per month per connector!

Avoiding the Cloud Provider Killswitch

Protect Your Business from Unexpected Termination

As a CXO, you may not be aware that cloud providers like AWS, GCP, and Azure reserve the right to terminate your account and destroy your infrastructure at any time, effectively shutting down your business operations. While this may seem like an extreme measure, it’s important to understand that cloud providers have strict terms of service that can lead to account termination for a variety of reasons, even if you’re not engaged in illegal or harmful activities.

A Chilling Example

I recently spoke with a friend who is the founder of a fintech platform. He shared a chilling incident that highlights the risks of relying on cloud providers. His team was using GCP’s Cloud Run, a container service, to host their API. They had a unique use case that required them to call back to their own API to trigger additional work and keep the service active. Unfortunately, GCP monitors this type of behaviour and flags it as potential crypto-mining activity.

On an ordinary Sunday, their infrastructure vanished, and their account was locked. It took them six days of nonstop effort to migrate to AWS.

Protect Your Business

This incident serves as a stark reminder that any business operating on cloud infrastructure is vulnerable to unexpected termination. While you may not be intentionally engaging in activities that violate cloud provider terms of service, it’s crucial to build your infrastructure with the possibility of termination in mind.

Here are some key steps you can take to protect your business from the cloud provider killswitch:

Read and understand the terms of service for each cloud provider you use.
Choose a cloud provider that aligns with your industry and business model.
Avoid relying on a single cloud provider.
Have a backup plan in place.
Regularly review your cloud usage and ensure compliance with cloud provider terms of service.

By taking these proactive measures, you can significantly reduce the risk of your business being disrupted by cloud provider termination and ensure the continuity of your operations.

Unleash the Power of Free Cloud Credits

For early-stage startups operating on a shoestring budget, free cloud credits can be a lifeline, shielding your runway from the scorching heat of cloud infrastructure costs. Acquiring these credits is a breeze, but the way most startups build their infrastructure – akin to an unbreakable blood oath with their cloud provider – restricts them to the credits granted by that single provider.

Why limit yourself to the generosity of one cloud provider when you could seamlessly switch between them to optimize your resource allocation? Imagine the possibilities:

AWS to GCP: Upon depleting your AWS credits, you could effortlessly migrate your infrastructure to GCP, taking advantage of their generous $200,000 credit offer.
Y Combinator: As a Y Combinator startup, you’re entitled to a staggering $150,000 in AWS credits and a mind-boggling $200,000 on GCP.
AI-Powered Startups: If you’re developing AI solutions, Azure welcomes you with open arms, offering $300,000 in free credits to fuel your AI models on their cloud.

By embracing cloud-agnostic architecture, you unlock the freedom to switch between cloud providers, potentially saving you a significant $200,000 upfront. Why constrain yourself to a single cloud provider when cloud-agnosticism empowers you to navigate the cloud landscape with flexibility and cost-efficiency?

Building Resilience: The Importance of Cloud Redundancy

In the ever-evolving world of technology, no system is immune to failure. Even industry giants like Silicon Valley Bank can outright disappear over a weekend or AWS’ main Datacenter can go offline due to a power fluctuation, highlighting the importance of proactively safeguarding your business operations.

Imagine the potential financial impact of a 12-hour outage on AWS for your company. The costs could be staggering, not only in lost revenue but also in reputational damage and customer dissatisfaction or even potential churn.

This is where cloud redundancy comes into play. By running parallel segments of your platform on multiple cloud providers, such as AWS and GCP, you’re essentially creating a fail-safe mechanism.

In the event of an outage on one cloud platform, the other can seamlessly pick up the slack, ensuring uninterrupted service for your customers and minimizing the impact on your business. Cloud redundancy is not just about disaster preparedness; it’s also about optimizing performance and scalability. By distributing your workload across multiple cloud providers, you can tap into the unique strengths and resources of each platform, maximizing efficiency and responsiveness.

In our case, we run the OCR packages, SAML, and Accounts service on Azure, our core “Recommendation engine” and “Booking Engine” on AWS. Yes, having a multi-cloud will involve initial costs that might be prohibitive, but in the long run, the benefits will far outweigh the costs.

Cloud Cost Negotiation: A Matter of Leverage

In the realm of business negotiations, the ultimate power lies in the ability to walk away. If the other party senses your lack of alternatives, they gain a significant advantage, effectively holding you hostage. Cloud cost negotiations are no exception.

Imagine you’ve built a substantial $10 million infrastructure on AWS, heavily reliant on their proprietary APIs like S3, Cognito, and SQS. In such a scenario, walking away from AWS becomes an unrealistic option. You’re essentially at their mercy, accepting whatever cloud costs they dictate.

While negotiating cloud costs may seem insignificant to a small company, for an organization with $10 million of AWS infrastructure, even a 3% discount translates into substantial savings.

To gain leverage in cloud cost negotiations, you need to establish a credible threat of walking away. This requires careful planning and strategic implementation of cloud-agnostic architecture, enabling you to seamlessly switch between cloud providers without disrupting your operations.

Cloud Agnosticism: Your Negotiating Edge

Cloud-agnostic architecture empowers you to:

Diversify your infrastructure: Run your applications on multiple cloud platforms, reducing reliance on a single provider.
Reduce switching costs: Design your infrastructure to minimize the effort and cost of migrating to a new cloud provider.
Strengthen your negotiating position: Demonstrate to cloud providers that you have alternative options, giving you more bargaining power.

By embracing cloud-agnosticism, you transform from a captive customer to a savvy negotiator, capable of securing favorable cloud cost terms.

Unforeseen Challenges: The Importance of Cloud Agnosticism

In the dynamic world of business, unforeseen challenges (and opportunities) can arise at any moment. We often operate with limited visibility, unable to predict every possible scenario that could impact our success. Here’s an actual scenario that highlights the importance of cloud-agnostic architecture:

Acquisition Deal Goes Through

This happened with One of my previous organisations, we tirelessly built this company from the ground up. Our hard work and dedication paid off when a large SaaS Unicorn approached us with an acquisition proposal.

However, during the due diligence, a critical issue emerged: Our company’s infrastructure was entirely reliant on AWS. The Acquiring company had a multi-year multi-million dollar deal with Azure and the M&A team made it clear that unless our platform can operate on Azure, the deal is off the table!

Our team faced the daunting task of migrating the entire infrastructure to Azure within a limited timeframe and budget. Unfortunately, the complexities of the migration proved time-consuming and the merger took 5 months to complete and the offer was reduced by $2 million!

The Power of Cloud Agnosticism

This story serves as a stark reminder of the risks associated with a single-cloud strategy. Had our company embraced cloud-agnostic architecture, we would have possessed the flexibility to seamlessly switch between cloud providers, potentially leading to a bigger exit for all of us!

Cloud-agnostic architecture offers several benefits:

Reduced Vendor Lock-in: Avoids dependence on a single cloud provider, empowering you to switch to more favourable options based on your needs.
Improved Negotiation Power: Gains leverage in cloud cost negotiations by demonstrating the ability to switch providers.
Increased Resilience: Protects your business from disruptions caused by cloud provider outages or policy changes.
Enhanced Scalability: Enables seamless expansion of your infrastructure across multiple cloud platforms as your business grows.

Embrace Cloud Agnosticism for Business Continuity

In today’s ever-changing technological landscape, cloud-agnostic architecture is not just a benefit; it’s a necessity for businesses seeking long-term success and resilience. By adopting a cloud-agnostic approach, you empower your company to navigate the complexities of the cloud landscape with agility, adaptability, and cost-efficiency, ensuring that unforeseen challenges don’t derail your journey.

My Solution

Here’s what I do about it, now after the lessons learnt. I use Multy. Multy is an open-source tool that simplifies cloud infrastructure management by providing a cloud-agnostic API. This means that developers can define their infrastructure configurations once and deploy them to any cloud provider without having to worry about the specific syntax or nuances of each cloud platform. While Multy provides an abstraction layer for deploying cross-cloud environments, you will also need to incorporate cloud-environment agnostic libraries to really make a difference.

Introduction: Dependency Dangers in the Developer Ecosystem

Faster Development, Shorter Diligence: A Security Conundrum

Malicious Package Techniques: A Deeper Dive

Timeline of Incidents: Malicious Packages in the Spotlight

The Impact: Scope of Compromise

Real-world Impact: Consequences of Malicious Packages

Fabrice: A Case Study in Typosquatting

Lessons Learned: Importance of Proactive Security Measures

Prevention Strategies: Staying Safe from Malicious Packages

Software Security: Embedding Security in the Development Lifecycle

Key Components of SSDLC

Deep Dive into Technical Details

Best Practices for Secure Dependency Management

Conclusion

References & Further Reading

Introduction

Background

What Went Wrong and How the Vulnerability Manifested

Learning from Similar Failures in the Fintech Industry

Key Statistics in the Fintech Compliance Landscape

Recommendations for Strengthening Compliance and Security Controls

Conclusion

Further Reading and References

Impact on the Average Software Developer

Open Source vs. Open Governance: A Crucial Distinction

Looking Ahead: Open Source as a Business Strategy

Further Reading:

References:

The Curious Case of the Founding CTO

The Business Acumen Gap

The Perception of Arrogance

Failure to Translate Technology into Business Outcomes

Lack of Proactive Communication and Risk Management

The Statistics Behind the Trend

Real-World Examples: CTOs Who Fell from Grace

The Path Forward for Aspiring CTOs

Conclusion

References: & Further Reading

The Initial Phase: Technical Mastery and Hands-On Development

The Transition: From Builder to Leader

The Skill Set Gap

Serial Entrepreneurs: Experience Matters

Learning from Experience

The Burnout Factor

Strategic Decisions and Stakeholder Management

Conclusion: The Path Forward

1. Introducing the Amazing People from Palantir

Key Figures and Their Ventures

2. Engineers Make Better Founders in the Tech Industry

3. Market Penetration and Success of Palantir Alumni

4. Engineers vs. Consultants: A Compelling Argument

Conclusion

References & Further Reading:

Champions of the Free Agent: A Rising Tide Lifts All Boats

The Employer’s Lament: Protecting the Crown Jewels

The Nuance: Not All Non-Compete Clauses Are Created Equal

The Future of Work: A Brave New World?

The Timeline of the Breaches

Introduction:

Selected Breaches:

Attack Paths:

Conclusion:

References and Further Reading:

Cloud Service Rationalisation

Avoiding the Cloud Provider Killswitch

Protect Your Business from Unexpected Termination

Unleash the Power of Free Cloud Credits

Building Resilience: The Importance of Cloud Redundancy

Cloud Cost Negotiation: A Matter of Leverage

Unforeseen Challenges: The Importance of Cloud Agnosticism

My Solution

References & Further Reading: