This is the summary of the book titled “Rumbles: A Curious History of the Gut” written by Elsa Richardson and published by Pegasus books in 2024. For anyone who has read Susie Flaherty’s “Gut Feelings: Microbiome and health”, the topic of intestinal heath might already be familiar. Elsa’s book takes on a journey of the impact of intestinal health over the centuries with its surprising influence on medicine, culture, and politics. Bodily processes such as the activities of the gut and microbiome defines the way people live, think, and govern and our understanding of this phenomenon has led to medical advancements, changes in cultural norms and sparked political movements. Modern technologies inhibit naturally paced, mindful eating and the drive to be productive has eaten away at our work-life balance. The gut can be a predictor of physical and mental health. Hunger and beliefs about digestion can drive social and political change.

The gut's influence on mental health has been a topic of debate throughout history. Initially, people viewed the gut with suspicion, with the Ancient Greeks using it to predict battle outcomes. In the Middle Ages, the gut was seen as a potential source of demonic possession, leading to mental and spiritual chaos. Medical figures like James Johnson connected patients' mental despondency to toxins in their bowels. However, some individuals, like George Cheyne, believed that diet directly influences emotions and mental states. Societal rules about diet and manners have been used to maintain social order and mental and physical well-being. The aim of regulating the gut was to maintain order, both socially and emotionally. By the late 17th century, etiquette books dictated the proper use of utensils and conversational practices, labeling those who followed these rules as "civilized" and those who did not as "savage."

Scientists have studied digestion for centuries to understand deeper aspects of human existence. The digestive process involves the coordination of various organs, enzymes, acids, and muscles. In the 19th century, French-Canadian voyageur Alexis St. Martin's accident allowed Dr. William Beaumont to observe the digestive process, leading to a new understanding of gastric juice and its role in digestion. Modern technologies have inhibited naturally paced, mindful eating, with the gut-brain connection being a significant factor. Avicenna, the founder of modern medicine, argued that the digestive system was designed to store waste and allow humans to focus on higher intellectual pursuits. However, modern distractions like smartphones have led to overeating and obesity, highlighting the need for mindfulness and avoiding multitasking during meals. The push to be productive has eroded people's ability to establish a healthy work-life balance, with pre-packaged meals like sandwiches highlighting the pressures of modern capitalism. Lunch became the barometer for how modern working life affects human health. British unions started to demand the introduction of workplace canteens to provide healthier, more structured meal breaks. British employers introduced canteens during World War 1 for reasons of boosting productivity albeit not for worker well-being.

The history of sanitation and human excrement management reveals how societies have struggled to control the consequences of digestion. In the mid-19th century, London's waste problem led to the installation of public toilets and the construction of a sewer network. Proper disposal of waste became linked to civilization, and hygiene and cleanliness bolstered social hierarchies. The gut can be a predictor of physical and mental health, with studies showing that gut bacteria can forecast potential health outcomes. Health reformers like William Arbuthnot Lane and John Harvey Kellogg argued that modern city life damaged people's digestion, causing constipation. Today, concerns about gut health remain, with concepts like "leaky gut syndrome" and the popularity of probiotics and fermented foods reflecting both old fears and new discoveries about digestion's impact on overall health. A better understanding of the human microbiome has led to treatments like fecal microbiota transplants, which can treat conditions like Crohn's disease, multiple sclerosis, and depression.

Hunger and beliefs about digestion can drive social and political change, serving as a means of bodily control. In 18th-century France, the Digesting Duck, a mechanical creature, was hailed as proof of France's modernity and commitment to scientific progress. Hunger and hunger can drive national upheaval, as seen in post-revolutionary France. Dieting, a concept popularized by figures like William Banting, reinforces societal norms and weight control. Dieting has also played a role in gender politics, reinforcing stereotypes about women's frailty and men's strength. However, suffragettes in the early 20th century reversed harmful gender notions by using their guts as political tools.

#Codingexercise: CodingExercise-12-31-2024.docx 

 The preceding articles on security and vulnerability management mentioned that organizations treat the defense-in-depth approach as the preferred path to stronger security. They also engage in feedback from security researchers via programs like AI Red Teaming and Bug Bounty program to make a positive impact to their customers. As they evaluate the ROI for their efforts, Bug Bounty and penetration testing have proved of exceptional value. Bug Bounty is a relatively small investment for an organization that can measure the ROI in terms of 1. The absence of incidents or breaches, 2. Risk assessment, 3. Financial savings estimated from avoiding risk or avoiding breaches and 4. Agility and speed of security teams responsiveness, 5. Discount on cyber insurance, and 6. Estimated savings of reputational or customer-related impacts as a result of a security program. Penetration testing, on the other hand, tends to identify systemic or architectural vulnerabilities such as cryptographic weakness or secure design issues which are essential for long-term security but may not be immediately apparent to attackers. It is a bit ironic that organizations discover critical bugs using pentests during the deployment phase. Pentest-as-a-service aka PTaaS is gaining grounds as organizations shift to community-driven. SaaS based models that are more flexible, grant access to a more diverse pool of vetted security researchers, and wider coverage than traditional methods. It is common to discover a dozen vulnerabilities per engagement. Together with bug bounty programs and pentests, organizations gain comprehensive security coverage and achieve greater ROI than before albeit measuring ROI remains a challenge.

In contrast, there is a new metric in the industry that is called ROM or Return on Mitigation that is fast gaining acceptance. It compares the cost of mitigating risks to the potential financial losses from cyber incidents, providing a clear metric to measure how security efforts protect businesses from costly breaches. This nuanced view offers both qualitative and quantitative benefits as it articulates factors such as restoring compromised systems, lost revenue due to downtime legal and regulatory penalties, and damage to public trust and reputation.

ROM= (Anticipated Breach Cost)/(Mitigation Cost)

While ROI is similar to calculating profit percentage in its inspiration for an overall metric for the outcome, the factors that ROM represents are not covered by ROI alone and it highlights the importance of risk management and the overall benefits of security measures.

As with all reports, a human powered security program is needed internally to evaluate the priority and the severity of the reports’ findings and use the data to better understand and protect against malicious hackers. The program draws attention from the whole of the organization and not just the security team. The unique ability of the skilled security professionals to mitigate complex security vulnerabilities and deliver context-driven value, coupled with ROM, makes a compelling business case.

Reference: previous articles

#codingexercise: CodingExercise-12-29-2024.docx

 Computer Software: This is one of the most impactful of the industry sectors. The products in the high-tech industry serve a variety of users. A vulnerability or defect in one can impact many users. For example, on July 19th, 2024, CrowdStrike released a faulty software update that caused a widespread outage which resulted in five hundred-million-dollar loss for a single airline. The use of open-source libraries and third-party dependencies only exacerbates the risks. Enforcing in-depth security privilege management and enforcement across Windows, Linux and MacOS, each with its own security model only adds to the challenges. Noting that while privilege escalation is slightly lower than previous years but inconsistent security check is pervasive in this sector, the security experts recommend ensuring access is limited to necessary resources on a least-privileged basis and granted only to specific roles. This should be paired with an Intrusion detection system or intrusion prevention systems using alerts and actions. All components of the software products must be regularly patched.

Internet and online services: This is similar to that of the computer software sector except that the updates and releases in this sector occur at a faster rate than anywhere else. The push to scale quickly and roll out new features makes it tough to enforce strict access controls consistently. The speed and innovation allow vulnerabilities to slip through. The recommendations from the security experts call for improved authentication mechanisms such as MFA and re-authentication in addition to the least-privileged RBAC authorization methods as earlier.

Crypto and Blockchain: Organizations in this sector stand out for their many outliers by nature because of their unique offerings and operations. While they build rigorous security practices from the start, they tend to overlook the business logic discrepancies that lay waste to the security mechanisms in place. This high-rate of business logic errors is the highest across industry sectors. When the business models become complex, it becomes tough to eliminate edge cases or unintended uses. For example, smart contracts which run on blockchain and execute automatically are immutable once deployed which also implies that certain errors cannot be undone. Since they cause financial loss, they are prime targets for bug bounty hunters. The recommendations from security experts include test-driven development of business logic and integration testing to cover various scenarios and edge cases and the authorization of business logic on a least privilege basis.

Travel and Hospitality: This industry relies heavily on marketing and often works in partnership with other agencies that require OAuth redirects and referrals. Attackers may exploit open redirect vulnerabilities by tampering with the links to lead users to malicious sites. The exploitations can work their way through the least secured sites to the highly privileged ones via referrals and integrations that is the de facto in this sector. The recommendations from the security experts include provide clear warning for all redirects, notifying users on exit from and entry to a site and sanitizing the user inputs and allow listing based on the client IPs or other user side information.

Across these and the industry sectors in the earlier article, organizations spend a lot of their budget on known vulnerabilities types including indirect object references vulnerabilities that have potential for unauthorized access, modification, or deletion of sensitive information. The security experts community recommends that organizations monitor report volume, payout levels, and researcher feedback to adjust budgets over time as their security programs evolve.

Reference: previous article.

#codingexercise: CodingExercise-12-29-2024.docx

 This is a summary of the book titled “Reaching for the stars” written by Jose M Fernandez and published by Center Street in 2012. This is an inspiring story of a migrant farm worker’s son turned NASA Astronaut. As he recounts, his hardworking family kept him focused on education and his future. He calls his parents role models and put to best use their belief that he belong in the school and not the farm. He earned his engineering degrees, worked in prestigious Lawrence Livermore Labs, the US Department of Energy, and then NASA. In his journey, he had to surmount several rejections and prejudice. His heartwarming book is an illustration of American dream come true.

José Hernández, born in 1962, is inspired by his immigrant parents, Salvador and his friend, who were both undocumented migrant farmworkers in the San Joaquin Valley in California. Salvador's father, Salvador, had many dreams and goals at a young age, but he never reached third grade. At 15, Salvador and his friend traveled to the United States with a friend, where they worked as undocumented migrant farmworkers. Hernández's youngest child, José M., was born in August 1962.

Hernández's father insisted that everyone in the world is the same, and he focused on his studies, learning math and watching Star Trek. His family's financial struggles led him to pursue his dream of becoming an astronaut, inspired by the first moon landing and the final Apollo mission, Apollo 17. Hernández's parents' resilience and determination inspired him to pursue his dreams and make a difference in the world.

As a poor and brown student from Mexico, he was influenced by his parents' belief in the importance of education for his future. His parents, Salvador and his wife, believed that their children should be in school rather than working in the fields. Hernández's parents made hard choices without knowing if their children would seize the opportunities available. Eventually, he entered middle school and made friends in a rough neighborhood. By 1980, he was ready to graduate and move on to university. He heard about Dr. Franklin Chang Díaz, a poor boy from Costa Rica who studied engineering at MIT and became NASA's first Latino astronaut candidate. With the help of a teacher, Hernández received a scholarship to study engineering at the University of the Pacific. He worked multiple jobs throughout college, believing education was the path to his future. Hernández applied for an internship at the Lawrence Livermore National Laboratory, which offered him a job through a program for minority students funded by the Office of Equal Opportunity.

Hernández graduated from the University of the Pacific in 1985 and began his career at the Lawrence Livermore National Laboratory in Livermore, California. He worked on a nuclear X-ray laser project as part of President Ronald Reagan's Strategic Defense Initiative. After the Soviet Union's end in 1991, Hernández applied to become an astronaut but was initially rejected. However, he fell in love with a woman he would marry and pursued new opportunities.

NASA selected Hernández as an astronaut after the Columbia tragedy in 2003. Hernández joined the team providing technical support for the investigation into the tragedy. NASA began selecting new astronaut candidates again in fall 2003, and Hernández was accepted after a two-year training process. Astronaut training involves acquiring new skills, such as survival underwater, co-piloting T-34C airplanes, and studying the space shuttle's systems in classrooms and simulators.

He achieved his lifelong dream of launching a space shuttle in 2009. Despite facing challenges due to weather conditions, the flight was launched without incident. Hernández installed computers, helped inspect the thermal protection system on the wings, and docked with the International Space Station (ISS). He hoped his story would inspire others to leave their own footprints and reach their own stars. After completing systems tests and preparations, Hernández's team returned to Earth, despite an extra day due to bad weather at the Kennedy Space Center. The view from space was spectacular, and on day 15, the shuttle burst through clouds at 26,000 feet, landing with the astronauts applauding.

#Codingexercise Codingexercise-12-28-2024.docx

 

Breaches in software security exploiting vulnerabilities have jumped almost double from the previous year. The defense-in-depth section of this article series is the preferred path to stronger security. These are some of the security and vulnerabilities assessment across specific industries:

1.      Financial Services:  This is one of the most targeted and regulated sectors. Standards like GPDR and PCI-DSS incentivize researchers to flag potential issues which lead to a high number of vulnerability report filings. Since this sector usually has assets that comprise of complex, multi-layered applications that manage PII data, the most prevalent form of vulnerabilities reported are insecure direct object reference vulnerabilities, especially those that involve money transfers and heighten the risk of IDOR exploits when access controls are weak. Incorrect configuration and a high volume of sensitive data handling are the main culprit. The recommendations from security experts, therefore, include proper authorization, avoiding functions that automatically bind a client’s input into variables, objects, or properties, and instead mapping random unique customer-facing identifiers to hidden actual objects on the server side.

2.      Government: The agencies for the Government encounter a much higher rate of XSS vulnerability reports than the industry average, which is likely due to numerous, even legacy and often sprawling web environments with inconsistent security practices, making some more vulnerable than others. The slower pace of updates in the government IT further increases their exposure and risks. The recommendations from security experts are in line with these characteristics and include treating all input as malicious, encoding output that depends on context and implementing a content-security policy to restrict the sources of executable scripts and limiting the potential of XSS attacks.

3.      Telecoms: These organizations manage vast networks with millions of subscribers, both individuals and enterprises and their devices. Improper authentication methods due to misconfigurations and complex infrastructure plagues this sector. Outdated systems and encryption standards affect APIs and UIs. The recommendation from security experts is to use robust and secure authentication methods such as strong passwords, MFA, secure storage, account lockout mechanisms, managing session and authentication tokens by generating random ones, implementing proper session expirations, and avoiding disclosure of sensitive information in API and UI responses, errors, and logs.

4.      Retail and E-commerce: Cybercrime is the primary manifestation of security vulnerabilities in this sector which gets the most information disclosure vulnerabilities reported among all sectors. Due to the vast amounts of sensitive data handling, dynamic websites and applications, and flawed data management practices, the number of end-users affected runs into thousands. The recommendation from security experts is to avoid exposing unnecessary data and ensuring that sensitive data is protected both at rest and in transit. Users and processes must be granted access following the principle of least privilege

5.      Transportation: Many transportation organizations rely on legacy systems developed before modern security practices became widespread. So, they display most of the OWASP top 10 vulnerabilities including improper input validation and SQL injection. The functionalities of booking, navigation, and maintenance are poorly integrated and often with third-party vendors. Therefore, security hardening is inconsistent. The recommendations from security experts are to implement prepared statements in SQL with parameterized queries, validating all user input and implementing web application firewalls to detect and block these injection attacks.

6.      Media and Entertainment:  These organizations encounter the highest number of reports for misconfigurations. Since this industry requires content to be shared and made available worldwide, it relies on CDNs and streaming platforms to distribute this content. Improper security settings and access control compromise their content which is produced at a fast rate. The recommendation from security experts is to implement automated configuration management tools, create standardized patterns across content types, regularly performing security audits, and implementing least-privilege policies.

Reference: Previous articles

#codingexercise: CodingExercise-12-27-2024.docx

 From the previous articles on AI security and safety and organizations efforts for AI Red Teaming, the defense-in-depth strategy was discussed from the organization’s perspectives. It is also important to gather the perspectives of external security researchers as shared out by them in online publications and company disclosed feedback. Security research is a full-time career and one that requires constant upskilling. Many of them spend twenty hours a week hacking. While earning money is a key motivator, hacking itself helps them to both improve and advance their career. It is important to highlight the security researcher community’s commitment to making a positive impact to organizations and end-users.

Initially most hacking activity focused on web applications as fortified by the development of OWASP Top 10 list, but the landscape is shifting to more products and technologies including chatbots. As more security researchers include AI products in their testing, they still need to prioritize their picks within the emerging products. About 88% of security researchers are targeting web applications, more than half target web APIs, and about a third target mobile applications. These numbers give an indication for the requirement and current participation in emerging applications with AI models.

Security researchers excel in reconnaissance and manual exploitation that automated scanners can’t match. As they uncover unsecured or overlooked domain or spot a unique vulnerability from an outsider’s view or perform exploit chaining where initial gains can lead to significant breaches, they are blending their strengths with GenAI for high-impact exploits. For example, security researchers are using GenAI to close the gap between the discovery of an exploit and a detailed higher-quality report of the same.

The trouble with scanners is that there are a lot of false positives and noise, but a report filed by a security researcher gets attention because of the information and context and organizations strive to provide response following an expected timeline for acknowledgement, triage, and resolution. The stronger the relationship is between the organization and the security researchers, the more impactful the program becomes. Prompt response to security researchers and with respect and professionalism even when a report is invalid or duplicate, encourages this ongoing collaboration. Bounties top the list to draw them in and low bounties often discourage them. As they juggle companies that they work with, excellent communication and safe harbor legal protections retain them.

Researchers often talk about the bounty table, but they invest in programs that give back to them in the way the organizations communicate and the time to fix. Beyond this, they value strong relationships with security teams and are discouraged by negative peer reviews. This underscores how significant the perception is for attracting security researchers for an organization to scale a program effectively.

 

AI for security

The ways in which AI is used for Security Research and vulnerability management depends a lot on human expertise as much as the risk management in AI deployments and keeping it trustworthy for everyone. As industry struggles to catch up with AI improvements, the AI-based tools are often pitched one against another which is showing significant number of defects and bringing into question the quality of the tools. LLM-as-a-judge is one such example to evaluate AI models for security. Among the risks faced by organizations, the most notable ones are GenAI, supply chain/third parties, phishing, exploited vulnerabilities, insider threat, and nation-state actors in that order. While there is growing confidence in managing risks in AI deployments, the listing of GenAI as a top concern is reflected in the widespread use of GenAI. There are no standards but there is a growing perception that AI legislations will help enhance safety and security. Most organizations are already reaping benefits of GenAI in their operations, so the ability to defend against AI threats is catching up. In the high-tech sector, there is a deep understanding of the challenges in securing this emerging technology while in other industry sectors, there is more concern for reputational risks of AI.

Safety and security flaws in the AI products are being addressed with a practice called AI Red Teaming – where organizations invite security researchers for an external unbiased review. This is highly effective, and the benefits of cross-company expertise are valuable. The AI assets inventory must be actively managed to make the most use of this best practice. Organizations that are engaged in AI Red Teaming have discovered a common pattern in the common vulnerabilities in AI applications with a simple majority of those falling in AI safety defects. The remainder comprises business logic errors, prompt injection, training data poisoning and sensitive information disclosure. Unlike traditional security vulnerabilities, it is rather difficult to gate the reporting of defects and presents a different risk profile. This might explain why the AI safety defect category is dominating other categories.

Companies without AI and automation face longer response times and higher breach costs. Copilots have gained popularity among security engineers across the board for the wealth of information at their fingertips. Agents, monitors, alerts, and dashboards are being sought after by those savvy to leverage automation and continuous monitoring. Budgets for AI projects including security are blooming as specific investments become deeper while others are being pulled back after less successful ventures or initial experiments.

AI powered vulnerability scanners, for example, quickly identify potential weak points in a system and AI is also helpful for reporting. There is a lot of time saved by AI from streamlining processes and report writing. All the details are still included, the tone is appropriate, and the review is often easy. This allows security experts to focus on more complex and nuanced aspects of security testing.

#codingexercise: CodingExercise-12-25-2024.docx