A key difference in the way cloud computing and on-premises security bugs are handled is creating a rift between researchers and cloud service providers.

First issued in 1999, Common Vulnerabilities and Exposures (CVE) entries are public notices that are issued when a security flaw is patched or made public. The entries contain details about a vulnerability and the possible consequences of exploit, as well as the name of the researcher who is credited with the discovery.

Intended to provide administrators with the necessary information for prioritizing and deploying patches, the CVE system was devised at a time when nearly all enterprise software was running on premises.

Enter cloud services in the 2010s. As the vendors themselves remotely host and manage the applications and data, there is no need for patches to be kicked out to end users.

"Our vulnerability research ecosystem comes from a time when virtually all versions of software were packaged and delivered to customers and executed independently on potentially millions of computers, and the goal has been to have all of those individual computers running uniform code with bug fixes," Cloud Security Alliance CEO Jim Reavis told SearchSecurity.

"With cloud you have millions of customers mashing up an infinite number of internal and SaaS applications and likely introducing a massive number of unreported vulnerabilities directly through compiled code and indirectly through the use of APIs."

Because of this, the CVE Numbering Authorities (CNAs) opt not to issue security vulnerabilities on cloud services with CVE designations, due to the fact that in many cases there simply is nothing for administrators or end users to do about the problem.

"One of the biggest differences for that community is who takes action," Dustin Childs, communications director of the Trend Micro Zero Day Initiative, said in an email.

"CVEs are designed to let recipients know that they may need to take action to fix or mitigate. In the case of cloud software vulnerabilities, the user generally has no actions and couldn't take any actions if they wanted to (other than in rare cases where they can mitigate by disabling some functionality, etc.)"

While this is not an issue for most administrators and end users on its surface, the practice has caused some problems for researchers and could have an impact on user data for a number of reasons.

Recently, several infosec experts have said the lack of cloud CVEs is a detriment to enterprise security teams, users and the security research community. Concerns about the discrepancy emerged this summer following the disclosure of the "ChaosDB" bug in Azure's Cosmos DB, which was discovery by cloud security vendor Wiz.

While Microsoft publicly disclosed the ChaosDB bug along with Wiz, other cloud providers with similar critical flaws might not. Experts such as independent security research Kevin Beaumont noted on Twitter that the "massive gap in cloud security" leaves external researchers as the only reliable source of information about cloud vulnerabilities.

For many security researchers, getting credited in a CVE vulnerability report is a major positive for their careers. Having a list of CVE credits acts as a sort of resume for bug hunters, allowing them to get public recognition and as a result boost their reputation within the community and improve their chances of finding more lucrative work.

That is not to say that every person who hunts for bugs is simply seeking to gain fame and fortune, experts note.

"While some are incentivized by the award of CVEs, security researchers have differing motivations for reporting vulnerabilities," Childs said.

"Public recognition and financial compensation also provide significant incentives for those disclosing bugs to vendors."

What should be more concerning to enterprises, however, is the possibility that the lack of designation can allow companies to sit on bugs. With the cloud providers being able to sit on bugs that are not being reported by a third party, patches can potentially be put off, placing researchers in a tough position.

"Sometimes a vulnerability requires a user's action, and there is no way to discuss it," said Nir Ohfeld, a senior security researcher with Wiz.

"If there is not a name to a vulnerability, you have no way to communicate it verbally, and you don't ever know if you are exposed."

The lack of public disclosure with vulnerabilities is not unique to cloud services. For years now, on-premises software vendors have also been frustrating researchers by using various methods to delay patches or get out of public acknowledgement.

The issue has gotten so bad that some bug hunters have considered simply selling their vulnerability finds to third parties who could end up using them for zero-day attacks.

"No vendor has an obligation to disclose bug details regardless of the product or service being on prem or in the cloud," says Childs.

"However, our experience is that transparency wherever possible is best for all involved. Vendors who do not publicly disclose flaws or publicly acknowledge researchers will likely find themselves worse off than those who do."

While there remain a number of issues with the way cloud flaws are reported and disclosed, there are already efforts being made to remedy the issue, both in the form of updates to the CVE system and work on a new cloud-friendly vulnerability disclosure method called a Universal Vulnerability Identifier.

The UVI system looks to be a faster, more accessible system that would also cover the unique circumstances that open source and cloud computing services present when it comes to security flaws. During a Black Hat 2021 session, Wiz researchers also called for a new cloud CVE system.

The hope is that by reworking disclosures to better take into account the cloud compute model, vendors and researchers can both be appeased, resulting in more transparency and clarity for their admins and security professionals.

"We believe that in order to tackle this problem we need to have standards and systems that enable rapid issuance of trusted vulnerability identifiers on demand that can be expanded upon 'wiki-style' over time," Reavis explained.

"These discovered vulnerabilities will be enhanced with richer information as we learn more, cross-referenced with other vulnerabilities, even linked to actual CVEs or proprietary vulnerability databases."

SearchSecurity writer Alexander Culafi contributed to this story.

Excerpt from:
Why cloud bugs don't get CVEs, and why it's an issue - TechTarget

Battery Ventures released its State of the OpenCloud report today, providing a set of data points that clearly outline the accelerated growth of cloud services in recent quarters.

The report helps explain the race to invest capital into startups that weve been observing over the past 18 months.

The pandemic pushed companies to start using cloud services infrastructure, platform or SaaS earlier and quicker than they might have otherwise. That resulted in big investments, eye-popping IPOs and tremendous revenue growth for software companies of all stripes, especially those built atop open source code.

Consider this tidbit from the report: The average infrastructure-software IPO valuation has increased 10 times over the last 10 years, and there are more infrastructure-software companies valued at $10 billion or more than ever before. Whats more, the data implies a healthy pipeline of major cloud IPOs.

Battery believes that the cloud market could eventually be worth $1 trillion. When you consider that the vast majority of work, development and computing will be done in the cloud at some point, the investment groups round-number projection may prove modest.

Thats our takeaway. While the digital transformation is evident and startling, this report makes it clear that despite the nigh-incredible growth numbers we have seen recently, we are still just scratching the surface of the clouds potential.

Amazons AWS public cloud platform is big business. Amazon breaks out its results on a quarterly basis, showing the world exactly how much cloud revenue it generates, as well as the resulting operating profit. Microsoft also breaks out growth for its Azure service, but with other services included in the reporting category, the exact number is harder to nail down.

Batterys report gives us per-platform data. In Q2 2021, the venture capital firm reckons that AWS reached a $59 billion run rate, while Azure hit $37 billion and Google Cloud reached $19 billion and this was before the companies reported Q3 results.

Image Credits: Battery Ventures

Critically, Batterys Q2 figures were up an aggregate 44% compared to a year earlier the growth has accelerated from an early-pandemic low of 36% in Q2 of last year. Indeed, since the second quarter of 2020, public cloud growth has either held steady or risen.

Given the sheer amount of dollars involved in these figures, the acceleration of growth from 36% to 44% is incredibly material: The three cloud platforms closed Q2 2021 on a combined run rate of $115 billion.

View original post here:
We're still just scratching the surface of the cloud's potential - TechCrunch

Computers are part of our schools, workplaces, and everyday lives. Whether you're a beginning or advanced learner, taking computer classes online can enhance your foundational, coding, and development skills.

This list provides a host of free and paid platforms offering beginner and intermediate classes in computing basics plus topics like Python, data analytics, and cloud computing.

Basic computer skills are foundational tools for navigating computers and software. These skills are essential for a technology-driven world. They include:

After mastering basic computer skills, consider learning advanced skills such as website design or application development.

Are you ready to improve your basic computer skills? This list of electronic learning platforms offers inexpensive and free online computer classes, training and learning activities, and self-paced tutorials.

Cost: Online courses and assessments are free, though certificates and diplomas are paid. The premium monthly package, which removes ads and gives discounts on certificates and diplomas, is $9.26.

Best for: Full-time students, busy parents, working professionals

Alison is an online learning platform offering courses in information technology and other workplace-specific categories. Learners may earn diplomas and certificates in a variety of industries.

Check out:

Cost: Free

Best for: Kindergarten through 12th-grade learners, homeschool children, college and university students, working professionals, career changers

Goodwill Community Foundation Global offers an online learning platform and self-paced distance learning tools for all ages, including free online computer classes for seniors. Learners can enroll in Mac OS, Linux, and creativity and design courses. Other tutorials build proficiency with social media, email, and Google.

Check out:

Cost: $6-18 per month per user

Best for: Colleges and universities, businesses, industry professionals

Google Workspace Learning Center offers training resources and tutorials for accessing the video conferencing platform, customizing business Gmail, and navigating word processing and cloud storage. Other courses cover specific products, roles, and industries.

Check out:

Cost: $29.99 per month, or $400 per year

Best for: College and university students, business and government employees, graduates seeking career opportunities

LinkedIn Learning provides an online learning platform with over 5,000 courses in business, technology, and creative skills. Learners can select technology and certification preparation courses in cloud computing, security, and CompTIA, among others.

Check out:

Cost: $11.99 to $199.99 per course

Best for: Young adult learners, college and university students, career changers, businesses, non-profit organizations, government employees

Udemy offers a variety of business and technical courses for young adults, college and university students, working professionals, and career changers. Learners may select courses in cloud computing, data science, and design along with development, IT operations, and project management and operations.

Read our Udemy review for more information.

Check out:

Are you proficient in basic computer skills? Consider enrolling in intermediate and advanced online computer classes. These online learning platforms can help industry professionals with career advancement and workforce development.

Cost: Verified-track course fees range from $50 to $300. MicroMasters programs may have higher costs.

Best for: All ages and learners

edX is an online learning platform with 2,400 global learning sites. Learners may enroll inmassive open online courses for college credit, MicroBachelors programs for undergraduate credentials, and MicroMasters programs for graduate-level courses.

Check out:

Cost: Guided projects begin at $9.99. Specializations and professional certificates range between $39 and $79 per month. MasterTrack certifications cost approximately $2,000. With Coursera Plus, learners can pay $59 per month or $399 annually.

Best for: College and university students and adults between 18 and 55

Coursera offers certificate and degree program options. Learners may access on-demand lectures and applied learning experiences in data science, information technology, and online computer science.

Learn more with our Coursera review.

Check out:

Cost: Free

Best for: Pre-kindergarten through college students

Khan Academy is a personalized and self-paced learning platform offering online computer classes for kids, adolescents, and young adults. Learners can access instructional videos and practice exercises in math, science, computing, and additional content areas such as arts and humanities. The platform provides test preparation for the LSAT, Praxis, and SAT.

Check out:

Cost: $399 per month per course; nanodegree programs are $1,000 to $1,500

Best for: Full-time working adults, degree-holders, government employees, technical workforce professionals

Udacity offers an online learning platform with courses in data science, programming and development, artificial intelligence, and related technical specialty areas. Courses are self-paced, interactive, and delivered in multiple formats.

Check out:

Basic computer skills are a necessity for today's workforce. Intermediate and advanced computer skills can boost career opportunities for industry professionals.

College and university students may select online college courses to develop a niche area.

Computer experts may explore the best online learning platforms and earn certificates and certifications.

With affordable or free online courses, busy parents and professionals can select courses that fit their schedules.

Learners can sign up for online introductory courses with online platforms like edX, Coursera, Khan Academy, Udacity, and Udemy.

Fundamental computing skills include messaging and video conferencing, troubleshooting, word processing, data entry, and web searching.

In 2019, Monali Mirel Chuatico graduated with her bachelor's in computer science, which gave her the foundation that she needed to excel in roles such as a data engineer, front-end developer, UX designer, and computer science instructor.

Monali is currently a data engineer at Mission Lane. As a data analytics captain at the nonprofit COOP Careers, Monali helps new grads and young professionals overcome underemployment by teaching them data analytics tools and mentoring them on their professional development journey.

Monali Mirel Chuatico is a paid member of the Red Ventures Education freelance review network.

View post:
Beginner computer classes online: What can you take, and where? - ZDNet

A surge in Microsoft's shares nearly unseated Apple Inc as the world's most valuable company on Wednesday, a day before the iPhone maker reports its quarterly results.

Fuelled by strong quarterly growth in its Azure cloud-computing business, Microsoft's shares jumped 4.2 percent to end at a record $323.17 (roughly Rs. 24,225), elevating the software maker's market capitalisation to $2.426 trillion (roughly Rs. 1,81,86,020 crore), just short of Apple's $2.461 trillion (roughly Rs.1,84,45,070 crore)valuation, according to Refinitiv data.

Apple's shares dipped 0.3 percent ahead of its report due after the bell on Thursday, with investors focused on how the global supply-chain crisis is challenging the company's ability to meet demand for its iPhone models.

Microsoft's stock has rallied 45 percent this year, with pandemic-induced demand for its cloud-based services driving sales. Shares of Apple have climbed 12 percent in 2021.

Apple's stock market value overtook Microsoft's in 2010 as the iPhone made it the world's premier consumer technology company. The two companies have taken turns as Wall Street's most valuable company in recent years, with Apple holding the title since mid-2020.

In its report late on Tuesday, Microsoft forecast a strong end to the calendar year thanks to its booming cloud business, but it warned that supply-chain woes will continue to dog key units, such as those producing its Surface laptops and Xbox gaming consoles.

Analysts on average expect Apple to report September-quarter revenue up 31 percent to $84.8 billion (roughly Rs. 6,35,560 crore)and adjusted earnings per share of $1.24 (roughly Rs. 90), according to Refinitiv.

Link:
Microsoft Rides Cloud Computing Boost to Nearly Overtake Apple as Most Valuable Company | Technology News - Gadgets 360

Signage at the Alibaba Group Holdings Ltd. headquarters in Hangzhou, China, on Wednesday, March 24, 2021.

Qilai Shen | Bloomberg | Getty Images

GUANGZHOU, China Chinese e-commerce giant Alibaba launched a new server chip on Tuesday, as it looks to boost its cloud computing business and compete against U.S. rivals like Amazon.

The processor, called Yitian 710, will go into new servers called Panjiu.

The chip and servers will not be directly sold to customers. Instead, Alibaba's cloud computing clients will buy services based on these latest technology. These servers are designed for artificial intelligence applications and storage.

The company did not say when the services based on the latest chip and server will be available for customers.

Alibaba will not be manufacturing the semiconductor but will be designing it instead.

That's a trend among Chinese companies. Huawei designed its own smartphone chips and Baidu raised money this year for a standalone semiconductor business. U.S cloud computing rivals including Google and Amazon have also done the same.

Read more from the original source:
Alibaba launches new server chip to boost its cloud business in challenge to Amazon and Microsoft - CNBC