Hacker News: sneakerblack's comments

I think this was posted because of the recent npm malware fiasco. The malware monkey-patched native JS functions to replace strings that matched crypto addresses in certain functions, namely fetch and XMLHttpRequest:

https://www.aikido.dev/blog/npm-debug-and-chalk-packages-com...

Considering there's no way to check whether a function is monkey-patched, this just tells me the JavaScript ecosystem was not designed with malicious actors in mind.
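One defensive heuristic for the patching described in the comment above, as an added example that is not part of the thread: snapshot the functions you care about before any third-party code runs, then later compare references and ask the engine (via a captured `Function.prototype.toString`) whether each still reports `[native code]`. The demo object `env` and the `simulatePatch` wrapper are constructed stand-ins; in a browser you would snapshot `globalThis.fetch` and `XMLHttpRequest.prototype.open`/`send` instead.

```javascript
// Captured as early as possible, before any dependency has a chance to run.
const pristineToString = Function.prototype.toString;
// V8/SpiderMonkey/JSC all render built-ins as "function name() { [native code] }".
const NATIVE_RE = /^function [\w$]*\(\) \{\s*\[native code\]\s*\}$/;

// True if the engine reports the function body as native code. We call the
// captured toString rather than fn.toString, so a wrapper that overrides its
// own toString cannot answer for itself.
function looksNative(fn) {
  return typeof fn === "function" && NATIVE_RE.test(pristineToString.call(fn));
}

// Record references to the named functions at load time.
function takeSnapshot(obj, names) {
  const snap = {};
  for (const name of names) snap[name] = obj[name];
  return snap;
}

// Compare the live object against the snapshot; returns a list of findings.
function auditGlobals(obj, snapshot) {
  const findings = [];
  if (Function.prototype.toString !== pristineToString) {
    findings.push("Function.prototype.toString was replaced");
  }
  for (const [name, original] of Object.entries(snapshot)) {
    const current = obj[name];
    if (current !== original) findings.push(`${name}: reference changed since load`);
    if (!looksNative(current)) findings.push(`${name}: no longer reports [native code]`);
  }
  return findings;
}

// --- Constructed demo: Node has no XMLHttpRequest, so JSON.parse stands in ---
const env = { parse: JSON.parse }; // stand-in for globalThis
const snapshot = takeSnapshot(env, ["parse"]);

// A benign pass-through wrapper installed the same way a malicious one would be.
function simulatePatch() {
  const original = env.parse;
  env.parse = function parse(text) { return original(text); };
}

// Runs the audit before and after the simulated patch (call once; it mutates env).
function demo() {
  const before = auditGlobals(env, snapshot);
  simulatePatch();
  const after = auditGlobals(env, snapshot);
  return { before, after };
}
```

This is a heuristic, not proof: code that runs before your snapshot, or that replaces the function at a lower level (a Proxy on the global, a patched prototype chain), will not show up here.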


It wasn't, but that is not why.


This was discovered last year:

https://www.youtube.com/watch?v=D0st_6sE7Bk


I think the issue with this is that you'll never be able to have the deep integration current FMD implementations have (where you have Bluetooth beacons to track the phone even when it's "off") and also be able to use anything that requires a signed bootloader and OS (such as banking apps).


Not OP and don't work at Jane Street, but I have a friend that does and yes, they do.


I think this article sidesteps what this bill also means: a return to cold-war-era thinking of "passive" advancement of military capabilities for the "just in case" scenario.


I wonder if this was cyber sabotage...

Obviously just speculation, but considering the escalating tensions between Russia, the EU and the US, I wouldn't be surprised if it were.


I work in the security industry and use Wiz, and while I do despise all of the buzzword acronyms this industry has come up with, CSPMs have been one of the few tools that have actually made my life significantly easier. Due to the nature of the industry I work in, there is a lot of regulation that we need to comply with, and CSPMs (and Wiz in particular) give us both observability and alerting for all of our resources in our cloud environments, including the configuration of the cloud environments themselves. I don't know how they managed to get a $32B offer so soon after coming out of stealth, but considering the amount of problems it solves for me and my team, I can see why they're doing well financially. We're definitely happy with the pain point the product fixes.

I can now say "I know for a fact we have x number of AWS/GCP/Azure accounts that are either not using our IdP or 2FA, here's a list" without having to script across multiple cloud APIs.

Similarly, I can say "here's a list of people that accessed x resource in the last y days". It really makes my life easier when I want to access metrics about my company's cloud environments.


Is this a difficult problem to solve? There’s only a handful of major cloud players and these questions don’t seem terribly complicated.

Or is it that it lets you answer arbitrary questions of this sort without having to figure out how to get that data?


CSPM is most valuable for large enterprises that have many cloud tenants as they can provide visibility across the entire footprint in one place.

Consider an enterprise that wants to say "list all the cloud storage buckets we own that are not in the US and are publicly readable and have a name containing 'foo'", and they have several of each of AWS, Azure and GCP organizations because of acquisitions that aren't fully integrated yet.

Wiz answers that in ~5 seconds, with a rich query language and a bunch of prebuilt rules and detections on top of it, including for tracking compliance with various frameworks.


Conceptually, I don't think CSPMs are answering complicated questions, however there's quite a lot of complexity (IMO) in scaling the answers consistently, and keeping up to date with all of the tests that need to be implemented.

If you think about the number of services that AWS/GCP/Azure have, adding good compliance checks across even a portion of those is quite a lot of work :)

A small example from an area I know something about is maintaining the CIS Kubernetes benchmarks (which are used by a lot of CSPM products as a source of rules).

Here you've got the different Kubernetes distributions and then each of the cloud distributions has its own CIS benchmark as the checks are different depending on the cloud in use. Then you have changes over time as different clusters run different versions of Kubernetes, so have different checks. Then you add in that the benchmarks don't release with every new version of Kubernetes, and you can end up with quite a complex matrix of checks.


Try JumpServer:

https://github.com/jumpserver/jumpserver

It's an open-source PAM solution.

We're not using it in-house (we're actually using Teleport), and I haven't tried it, but I've heard many good things about it.


I'm not too familiar with the situation in Portland, but I have heard that programs which decriminalize drugs and provide care centers are not effective without existing social safety nets, such as solid unemployment programmes and public health programmes that treated addicts can use to get themselves out of the socio-economic hole they got themselves into.

Maybe the US is lacking in those programmes, and that is why the drug legalization programme is not effective in Portland?


I think you're accidentally misinterpreting the law.

As explained by the article, counterfeiting involves pretending to be a product it's not. For example, if you sell your hypothetical Chanel bags as genuine Chanel bags instead of as generic, no-brand bags, then that would be counterfeiting because you're pretending they're something they're not. Using genuine Apple parts in third-party screens is more comparable to putting Chanel bag straps (which, yes, have the Chanel logo on them) into fake bags and selling them as generic, non-Chanel bags. Similarly, if you don't label the third-party screen as "genuine Apple", you're not infringing copyright.

