How AI influences DevSecOps?

DevSecOps professionals have Artificial Intelligence (AI), security and automation as top priorities in most organizations. Both resources and data are veritable assets for guarding actions by actors and the degree to which an organization is invested in either determine the fine-tuning of the allocations within the pie-chart of priorities for these professionals. Most would use Agile methodologies to improve and secure their assets. AI would follow that in the list as it is still catching up on Software Development Lifecycle. Organizations realize that it is essential to adopt AI to avoid falling behind. The key challenges they face are security, safety, and experience. Others include privacy and data security, the right set of AI tools, upskilling requirements, and concerns about vulnerabilities. Although these challenges are not new, what makes it difficult for DevSecOps professionals, as cited in industry reports from reputed sources, is the low turnover in their population combined with a tendency to ramp up gradually. As such this discipline has room for improvement when compared to software development in customer-facing products.

DevSecOps are eager to adopt the Generative AI for its transformative potential. Many cite use cases in forecasting productivity metrics, identifying anomalies, vulnerabilities explanations and remediations, and chatbots for interactions. Machine data including telemetry unlike sensitive data like Personally identifiable information, are both voluminous and difficult to search without friendly operators and curated queries. As products, solutions and services for this data make AI more built-in to their offerings, the integration becomes even more complex than it was earlier, not to mention the eccentricities, nuances, and defects to overcome. Consequently, some in-house solutions to directly explore the data and respond to typical queries for preliminary investigation report comes in handy.

Most of the code for automation comes from open-source software libraries. Capabilities like a software bill-of-materials aka SBOM – a list of all the components, libraries and modules that make up an application are essential for maintaining the security of the software supply chain, especially as the amount of code pulled from open-source libraries increases. Unfortunately, SBOMs aren’t maintained as code sprawls the landscape. When it comes to hosting and executing logic in containers for scaling on demand, many fail to guard against their programmability interfaces such as web APIs by mitigating OWASP threats with request-parameter inspections and web-application firewalls. Dynamic application security testing, and fault injections-based testing are also insufficient. There has always been a cultural gap around security with DevSecOps professional often depending on development teams to resolve vulnerabilities defects. Many don’t even have the proper role-based access control.

A further list of AI safety and security practices is also available which puts the efforts required from DevSecOps professionals in perspective.

Reference: previous articles

 This is a summary of the book titled “Deeply responsible business: A global history of values driven leadership” written by Geoffrey Jones and published by Harvard UP, 2023. Global. The author is a Harvard professor who contends that business leaders and their companies can reimagine capitalism to be beyond profit seeking and prioritize social purpose and philanthropy. This is especially relevant now when there are many companies coming into new exploiting their wealth and position to manipulate politics and the law. This approach requires the company to demonstrate their stated values. History has shown that such reimagining has borne success. During the industrial revolution, some business leaders still valued human dignity more than anything else. Many business leaders outside the west became wealthy capitalists. A textile manufacturer in India helped build a better economy. After the second world war, US business leaders came to value social responsibility. Value-driven business demonstrate responsibility and better integrate into thriving communities. Social responsibility in business requires strong incentives. Strong values motivate responsible business leaders.

During the Industrial Revolution, some business leaders prioritized human dignity over profit. In Britain, workers faced stagnant wages, dangerous conditions, and child labor. Some employers believed that profits should not come at the expense of their impoverished workers. Textile manufacturer Robert Owen provided his employees with a community, schools, and cultural center, recognizing that improving their lives would benefit his company. Quakers in Britain were prominent entrepreneurs, running their own schools and apprenticeship programs. George Cadbury, heir to his father's chocolate manufacturing business, embraced religious and moral convictions, allowing workers to buy houses at cost and provide mortgages.

As industrialization spread across Western Europe and North America, a wealth gap had built up between the industrialized West and the rest of the world. Members of India's Parsi community excelled in responsible business and entrepreneurship, emphasizing the importance of improving people's lives. Indian industrial pioneer Jamsetji Nusserwanji developed modern cotton textile factories and became wealthy, but his company focused on serving its communities, including employee housing, healthcare, and education.

Before India's independence in 1947, the country faced social and economic challenges. Textile manufacturer Kasturbhai Lalbhai, from an affluent Jain merchant family, supported India's independence and played a pivotal role in developing the country. Lalbhai launched India's first dye manufacturing company with American technical and financial help, aiming to generate jobs in rural areas and create residential communities. He believed in the importance of social responsibility in business and the moral and spiritual responsibility of business leaders to improve their communities. After World War II, some US business leaders began to value social responsibility, such as George Romney, who promoted the Rambler as an alternative to larger cars. However, the compact market was taken away by cheaper cars like the Volkswagen Beetle in the early 1960s.

In the 1960s, a new generation of businesspeople emerged, bringing new social and cultural norms, and rejecting the gray establishment of the 1950s. This generation included hippies, rock music acolytes, Vietnam War protesters, environmentalists, and feminists. They were critical of capitalism and the existing relationship between business and society. Values-driven businesses emerged in fields that could facilitate social or environmental change, such as energy use and retailing. Entrepreneurs like John Mackey and Anita Roddick aimed to transform the beauty industry and society's perception of women. Responsible businesses like Sekem and Ambootia incorporated into thriving communities, adhering to Rudolf Steiner's global principles. Social responsibility in business requires strong incentives, and the availability of capital is the principal enabler. Responsible business leaders who turn to social and environmentally beneficial practices can shape the availability of capital and create incentives to invest. Environmental, Social, and Governance (ESG) investing is growing in global markets, but its practical relevance relies on voluntary information and can be easily distorted.

Responsible business leaders create products or services with social value, treating stakeholders with dignity and respect. They recognize business organizations as human social institutions and accept responsibility for employees, customers, and the natural world. These leaders value communities, provide dignified housing, educational opportunities, and cultural life, and improve people's well-being by improving life in their communities.

 Small and medium businesses aka SMBs are targets of cyberattacks and their strategies to cope with these threats are much different from those of enterprises. This article lists a few of them.

SMBs also hold valuable sensitive data such as employee and customer records, financial transaction information, intellectual property, and access to business finances and larger networks critical to their success. Cybercriminals recognize both the vulnerability and the value of SMBS. Among the different types of attacks on SMB, the common attacks include malware developed to manipulate or compromise target systems, malware free attacks that don’t leave artifacts and move laterally to compromise target systems, vulnerabilities in systems and applications that can be compromised to gain unauthorized access to computer systems, phishing and email based scams that impersonate credible people and organizations to steal credentials, compromised credentials in the form of stolen identity and account data, insider threats where employees become accomplices, and zero-days where new and unprecedented exploits are leveraged to mount planned and targeted attacks.

Traditional methods such as virus and malware detection based on signatures are no longer sufficient. In addition, penetration into the SMB assets can be leveraged for lateral movement and data exfiltration which significantly increases the loss. Data theft, ransomware, extortion and hacktivism are only some of the examples.

Strategies to counter these attacks include:

1. Understand the reality of cyberattacks: There are hundreds of adversary groups that launch cyberattacks. Sensitive data is always a prime target regardless of what business owns it. Antivirus and firewall are not sufficient. Sometimes breaches go undetected for hundreds of days. Costs for continuity and recovery can be so high that SMBs may not recover.

2. Implement basic cybersecurity hygiene practices. These include strong password policies, enforcing multi-factor authentications, performing regular backups of critical data, keeping current with security patches and updates, locking down cloud environments, implementing and testing threat detection and response, and securing your network.

3. Employee upskilling, education and training and regular assessments: Inform the employees of improvements to authentication channels and continuously test their responsiveness with asking them to identify fraudulent messages.

4. Overcoming limited resources and expertise: When expert resources seem out of reach, there can be automations and dedicated teams to set policies and monitor, respond to and stop attacks.

A managed detection and response service or solution may also be a best fit for your business.

 The previous article talked about bias in AI applications. This one covers some of the emerging trends in AI Applications.

First, the chatbots, generative AI and search applications will continue to leverage better, cheaper, and more purposeful Large Language Models aka LLMs. Those same LLMs also come in useful to create next generation eCommerce search and product discovery solutions to produce high-quality, hyper-personalized customer search results. According to Gartner, Generative AI and search bear a reciprocal relationship because the models used in the search are trained on domain datasets. Generative AI such as ChatGPT, on the other hand, is trained on large corpus. Therefore, they are used in combination. The highly-relevant and personalized search together with a conversational capabilities of a chatbot is immense power to both traditional use cases for shoppers as well as emerging uses cases for personalized campaigns for individuals but small and medium businesses struggle to realized that potential due to scale.

Second, social media is a valuable channel for establishing and building relationships with billions of consumers and getting them to consider products and brands by facilitating 1 to 1 personalization at scale is now possible via Generative AI. One specific demonstration of this is with A/B testing where entire campaigns and content can be generated and customers can leverage that to see more ads that better suit their taste.

Third, product catalogs can become more informative with GenAI with pages enticing customers to add the product to their cart. The multimodal nature of AI allows image, text, and other content types to be brought together assisting retailers with both informative and personalized product pages. When combined with databases like Mongo DB for its flexibility with hierarchy and labeling, these algorithms can leverage product attributes and make hyper personalized recommendations especially with new products that have little history.

Fourth, the site navigation application gets a whole new facelift which shores up losses from cart abandonment, lost sales, and customers. In addition, it facilitates dynamic navigation, filters and search experiences that are hyper-personalized to the individual customer. Site search is one of the primary use cases of search and as with the discussion of AI models, the results can be highly relevant.

Fifth, checkout and delivery that is frequently associated with past purchase behavior, current browsing session data, and real-time inventory levels can be improved by showcasing “others bought” or “style your purchase” upsells which is not only using collaborative filtering but embedded semantics to promote personalization.

Sixth, customer nurturing applications with review solicitations, loyalty and reward programs and generating word-of-mouth feedback provide a new level of personalization for the shoppers. This results in an improved site experience feeding back into the virtuous cycle of retail shopping.

One of the main challenges against all these applications is the overcrowding of relevant but useless suggestions and the way to fix it is to with intensive oversight, continuous monitoring and the best practices of AI safety and security.

 Mitigating Bias in AI applications:

Applications such as generative Artificial Intelligence aka GenAI, computer vision and Natural Language Processing aka NLP can find insights, make predictions, and streamline operations. But as these applications become more sophisticated in learning and reasoning, they are highly dependent on data used to train them. These data inevitably contain biases. Biased algorithms limit the potential of AI and lead to flawed or distorted model outputs that can negatively impact marginalized groups.

For example, the bias demonstrated by Chatbots has surfaced as follows:

Racial bias in salary recommendations: A Stanford Law School study found that chatbots like ChatGPT 4 and Google's PaLM-2 suggested lower salaries for job candidates with Black-sounding names compared to white-sounding names. For instance, a candidate named Tamika was recommended a $79,375 salary as a lawyer, while Todd was suggested $82,485 for the same position.

Hidden racial bias in language perception: While AI models tend to use positive words when directly asked about Black people, they display negative biases towards African American English. Users of this dialect were often associated with "low status" jobs like cook or soldier, while Standard American English users were linked to "higher status" jobs like professor or economist.

Gender bias in translations: ChatGPT was found to perpetuate gender stereotypes when translating between English and languages with gender-neutral pronouns. For example, it tended to assign "doctor" to men and "nurse" to women.

Cultural biases: A comparison between ChatGPT (US-based) and Ernie (China-based) showed that ChatGPT displayed implicit gender biases, while Ernie showed more explicit biases, such as emphasizing women's pursuit of marriage over career.

Socioeconomic biases: Researches use medical images as training data to recognize diseases and even while it is infused with human expertise to annotate the images, the amount of data available might not only be skewed by those who could afford to have their images taken but also by those who could afford but had no reachability to the diagnostic imaging or representation in its collection.

From these examples, bias can be tracked to “blind spots” in training data. And as it takes many forms such as selection, exclusion, prejudice, cognitive, confirmation, historical and availability biases, outcomes often disenfranchise groups of people. That is not the only risk though. Algorithms trained on biased data can falsely predict risk, negatively impact hiring, lending and more, expose existing societal prejudices, create mistrust across boundaries and even lead to fines in regulated environments. How data is collected, who collects it, whether it is wholesome in representation, and such others determine how biased the data is. More often than not, collection of data is from existing literature and these sources already demonstrate influences.

Diverse and Inclusive data sets are the biggest antidote to biases. AI models trained on a broad swath of sources do better to respond to queries from a vast group of people. As part of this strategy, methods to detect and mitigate biases in data and continuous refinement and updates to datasets are mandatory. Some of this can be realized by having a large network of data contributors, facilitation of peer reviews, multimodal data collection, medallion architecture curation, inclusive data sources and robust coverage, timestamped or versioned data, securing data at rest and in transit, least-privilege access control, ubiquitous reach to and from data, and facilitation of asset intake and metadata collection

 These are the steps for an Azure subscriber to expose an endpoint on Azure Front Door:

1. **Create an Azure Front Door Profile**: If you don't already have one, create an Azure Front Door Standard/Premium profile.

2. **Obtain a Custom Domain**: Purchase a custom domain from a domain provider or use an existing one. If your DNS domains are hosted on Azure, delegate the domain provider's DNS to Azure DNS.

3. **Create a CNAME DNS Record**: Create a CNAME record with your domain provider to point to the Front Door default frontend host. This maps your custom domain name to the Front Door default hostname.

4. **Map the Temporary afdverify Subdomain**: Map the temporary `afdverify` subdomain to verify domain ownership.

5. **Add the Custom Domain to Azure Front Door**: Go to the Domains pane of your Azure Front Door profile. Select "+ Add" to add a new domain.

6. **Validate the Custom Domain**: Choose the domain type (Non-Azure validated domain or Azure pre-validated domain). If it's a Non-Azure validated domain, manually enter the custom domain name.

7. **Associate the Custom Domain with Your Endpoint**: Associate the validated custom domain with your Azure Front Door endpoint.

8. **Verify the Custom Domain**: Ensure the custom domain is correctly associated and verify it through the Azure portal.

9. **Configure HTTPS (Optional)**: If you want to secure your custom domain with HTTPS, configure it by following the steps to enable HTTPS for your custom domain.

10. **Test the Configuration**: Test the setup by accessing your custom domain to ensure everything is working correctly.

 Problem statement: Given the root of a binary tree, check whether it is a mirror of itself (i.e., symmetric around its center).

Example 1:

                 1

           2 2

    3 4 4 3

Input: root = [1,2,2,3,4,4,3]

Output: true

Example 2:

                 1

           2 2

    null 3 null 3

Input: root = [1,2,2,null,3,null,3]

Output: false

Constraints:

The number of nodes in the tree is in the range [1, 1000].

-100 <= Node.val <= 100

/**

 * Definition for a binary tree node.

 * public class TreeNode {

 * int val;

 * TreeNode left;

 * TreeNode right;

 * TreeNode() {}

 * TreeNode(int val) { this.val = val; }

 * TreeNode(int val, TreeNode left, TreeNode right) {

 * this.val = val;

 * this.left = left;

 * this.right = right;

 * }

 * }

 */

class Solution {

    public boolean isSymmetric(TreeNode root) {

        List<Integer> serialized = new ArrayList<Integer>();

        InorderTraversal(root, serialized);

        return IsPalindrome(serialized);

    }

    public boolean isPalindrome(List<Integer> serialized) {

        int i = 0;

        int j = serialized.count() - 1;

        while (i < j) {

            if (serialized.getAt(i) != serialized.getAt(j)) {

                return false;

            }

            i++;

            j--;

        }

        return true;

    }

    public void InorderTraversal(TreeNode root, List<Imteger> serialized) {

        if (root == null) {

            serialized.Add(Integer.MinValue);

            return;

        }

        InOrderTraversal(root.left);

        serialized.Add(root.val);

        InOrderTraversal(root.right);

    }

}

#blogpost: https://1drv.ms/w/c/d609fb70e39b65c8/EcVxcTYDkE9Hro_eEthnuH8Bx-PIXIxbdNq2kXKuyr8TdA?e=a1ofbg