DEV Community: Alex Vakulov

Rethinking Data Security: From Tool Sprawl to Data-Centric Protection

Alex Vakulov — Wed, 18 Mar 2026 08:02:20 +0000

Modern data infrastructure continues to evolve, but protecting it often remains inefficient due to the reliance on numerous highly specialized security tools. Today’s environments call for solutions that simplify data management while still delivering strong, consistent protection.

Confidential data is a critical asset for organizations, supporting competitiveness and enabling informed business decisions. When this information is exposed without authorization, the consequences extend well beyond direct financial losses and can affect trust, operations, and long-term strategy.

Research from the SANS Institute and CrashPlan shows that reputational damage is the top concern for organizations, as it can lead to customer churn, lost market share, and declining share value. Legal and regulatory consequences rank close behind as the next significant risk.

Recent reports show that the majority of reported data compromises stem from cyberattacks, with 1,348 incidents in the first half of 2025 alone. Government agencies, healthcare organizations, financial institutions, industrial enterprises, and IT companies continue to rank among the most frequently targeted sectors, reflecting attackers’ focus on high-value data and interconnected systems, particularly through supply-chain vulnerabilities.

Cybercriminals often focus on stealing user credentials and trade secrets. At the same time, ongoing political tensions are driving greater interest in disrupting critical infrastructure and leaking stolen data. The steady stream of data leaks shows that existing security approaches often fall short, leaving data protection a critical, unresolved challenge.

The core challenge for defenders is no longer a lack of security tools, but the inability to maintain a coherent, real-time understanding of where sensitive data exists and how it is being used across the environment.

How Data Protection Methods Have Evolved

Over the past few decades, data storage and processing infrastructure has changed dramatically, driven by technological advances, shifting business demands, and evolving security practices.

These changes can be broadly grouped into four stages. Each stage reflects not just technological progress, but also the gradual shift from protecting systems and networks to protecting data itself.

Manual Data Management: 1980s – Late 1990s

During this period, most organizations had a relatively small IT footprint, typically around 100 to 200 workstations and 10 to 20 servers. Business processes were not yet fully digital, and critical information was often stored on paper or in basic electronic formats.

Data protection was not a primary concern at the time. Instead, companies focused on general information security, relying on basic tools such as firewalls, antivirus software, and intrusion detection systems. Security assumptions during this period were shaped by limited scale, in which visibility and control were manageable because data volumes and access paths were small.

Digital Transformation: Early 2000s

At the start of the new millennium, organizations began actively digitizing their operations. IT environments grew more complex, with assets becoming centralized and typically housed in one or two locations. The volume of data that needed protection increased sharply.

As awareness of data breaches grew, companies started classifying their information, and the first purpose-built security tools appeared, most notably data loss prevention (DLP) systems.

At the same time, as data moved into centralized digital systems, security controls began to lag behind growth, creating early blind spots around access, classification, and misuse.

Expanding IT Capabilities: Mid-2000s – Mid-2010s

Over the following decade, organizations continued to digitize at scale, and IT infrastructures became increasingly distributed. The use of databases and file storage grew rapidly, and many companies began experimenting with cloud technologies. As data volume and variety expanded, traditional DLP tools were no longer sufficient.

This led to the emergence of more specialized solutions for specific parts of the infrastructure, including database monitoring and protection tools such as DAM (Database Activity Monitoring) and DBF (Database Firewall).

While these specialized tools improved protection in isolated areas, they also fragmented security visibility and made it harder to understand data risk across the organization as a whole.

The Big Data Era: Mid-2010s – Present

Digital business transformation has reached a point where data volumes are so large and dynamic that they often seem to take on a life of their own. Information has become a core asset for modern organizations, and data-driven approaches shape how business processes are designed and optimized. Companies rely heavily on big data collection and analytics technologies, which demand stronger, more comprehensive protection.

Yet many organizations still depend on legacy tools such as DLP, DBF, and DCAP, each focused on a narrow task rather than delivering end-to-end data security. At this scale, protecting individual systems is no longer sufficient because risk arises from how data moves, changes, and is accessed across platforms rather than from where it is stored.

How Tool Sprawl Creates Data Security Blind Spots

Again, protecting a modern, heterogeneous environment with many internal dependencies often means deploying a wide range of traditional security tools. Today, organizations with more than 1,000 employees use an average of six different data protection solutions. Each additional tool introduces its own policies, alerts, and data models, increasing operational complexity while reducing the ability to see the whole security picture.

This approach requires substantial financial investment as well as significant effort from security teams, who must maintain each tool and integrate it with other systems and internal processes, such as linking security alerts directly into a DevOps ticketing workflow to manage remediation. As a result, achieving full infrastructure coverage and maintaining up-to-date visibility becomes difficult. With regulatory penalties for data breaches continuing to rise, this gap exposes organizations to serious financial risk.

In practice, this fragmentation delays incident detection and response, as security teams must manually correlate signals across disconnected systems under time pressure.

This has created a clear need for a more comprehensive security approach, one that gives information security teams real-time visibility into critical questions such as:

How much data exists across the environment
Where that data is stored and how different datasets are connected
Which locations contain sensitive information
Who has access to that data, and how access can be limited
How sensitive data is actually being accessed and used

Analyst firms such as KuppingerCole and Forrester highlighted the importance of consolidating multiple security functions into a single platform, a category Gartner described as a new class of solutions known as Data Security Platforms (DSPs).

The Value of a Data-Centric Security Model

To protect information effectively, the security industry has moved toward a data-centric approach that safeguards data throughout its entire lifecycle, from creation and storage to transmission and eventual deletion, regardless of where the data lives or how it is used. This shift places data, not infrastructure boundaries, at the center of security decision-making.

Consider a scenario where an organization detects malware activity in a cloud environment. Traditional security tools may identify the initial compromised account or alert source, but they often cannot quickly answer the most critical questions: what data was accessed, where that data resides, and how sensitive it is.

With a data security platform in place, security teams can immediately identify which datasets were involved, determine whether regulated or confidential information was exposed, trace access paths across systems, and assess potential business and compliance impact in real time. This visibility allows teams to prioritize incident response actions and communicate accurate risk assessments to leadership and regulators.

DSPs provide a unified view of an organization’s security posture, enabling easier infrastructure monitoring, faster vulnerability identification, and more efficient incident response. Instead of replacing existing controls, DSPs act as an orchestration and intelligence layer that connects them into a single, data-focused security model.

These platforms also integrate with other security systems, enabling a more flexible and adaptive security architecture. This approach strengthens data protection while freeing up security teams to focus on higher-value tasks rather than tool maintenance and manual coordination.

As data becomes the primary driver of modern business value, security strategies must evolve from protecting individual systems to governing data across its entire lifecycle. Organizations that make this shift early will be better positioned to manage risk, maintain compliance, and operate securely at scale.

7 ITSM Tools Developers Should Evaluate in 2026

Alex Vakulov — Wed, 04 Mar 2026 08:53:33 +0000

7 ITSM Tools Developers Should Evaluate in 2026

IT Service Management (ITSM) for DevOps is a framework that connects change management, infrastructure visibility, incident tracking, and compliance workflows so teams can ship quickly while maintaining operational accountability.

In modern software teams, the question is no longer:

"How do we manage tickets?"

It is:

"How do we connect what we build, what we run, and what we are accountable for?"

As release velocity increased, many teams discovered that CI/CD solved delivery speed but not operational clarity. Systems changed faster than organizations could explain them. That gap is exactly where modern ITSM platforms now operate.

ITSM in a DevOps World Is About Traceability, Not Tickets

In modern CI/CD environments, change is constant. Infrastructure scales dynamically, ownership shifts across teams, and security signals arrive from dozens of tools. Without a way to connect those signals, organizations lose the ability to explain their own systems.

This is where ITSM has quietly changed roles. Instead of enforcing the process before the change happens, it records relationships after the change occurs. Deployment events can be associated with configuration items. Incidents can be traced back to releases. Asset inventories can reflect what actually exists rather than what was once documented.

Security tooling identifies risk. ITSM ensures that risk is owned, tracked, and resolved. Without service management:

Vulnerabilities lack lifecycle tracking
Infrastructure ownership becomes tribal knowledge
Compliance evidence requires manual reconstruction
Incident response lacks operational context

ITSM provides the persistent memory layer that security automation alone cannot supply.

What Matters When Evaluating an ITSM Platform

The most useful ITSM systems align three domains that were historically separate: service workflows, asset awareness, and automation. When those elements are connected, teams gain visibility into what they run and how it evolves.

Equally important is how naturally the platform integrates into engineering environments. Tools that rely entirely on manual updates struggle to keep pace with automated delivery. Systems designed with APIs and event-driven updates tend to adapt better to DevOps cultures.

Governance also plays a role, but it must emerge from workflows rather than impose itself as rigid gates.

What Are the Best ITSM Tools for DevOps in 2026?

Platform	Strength	Typical Use Case	Implementation Weight
InvGate	Integrated service + asset visibility	Scaling operational maturity	Low
Jira Service Management	Developer ecosystem alignment	Engineering-centric orgs	Medium
ServiceNow	Enterprise workflow orchestration	Large regulated environments	High
Freshservice	Structured ITSM with fast adoption	Growing companies	Low
ManageEngine ServiceDesk Plus	Broad capability with flexible deployment	Mixed infrastructure orgs	Medium
SolarWinds Service Desk	Operational analytics focus	Hybrid infrastructure teams	Medium
Zendesk	Lightweight internal service workflows	Support-driven environments	Low

1. InvGate

InvGate combines IT Service Management and IT Asset Management into a unified platform that connects operational workflows directly to infrastructure context.

Rather than treating assets as a separate CMDB or static inventory, InvGate links incidents, changes, and requests to the systems and ownership data involved, helping teams maintain traceability as environments evolve.

Where It Fits

Organizations strengthening DevOps governance and change visibility
Teams that need lifecycle and ownership clarity without complex customization
Environments transitioning from spreadsheets or disconnected tools

Notable Characteristics

Built-in asset discovery and lifecycle tracking
Visual, no-code workflow configuration
Unified view of change, incident, and asset relationships

Considerations

Smaller ecosystem compared to large enterprise vendors
Less focused on highly bespoke, developer-driven workflow modeling

2. Jira Service Management

Jira Service Management extends the Atlassian platform into ITSM, allowing operational workflows to live alongside development tracking.

It is frequently selected when engineering teams already rely on Jira Software.

Where It Fits

Dev-led organizations
CI/CD-centric delivery models
Teams wanting shared tooling between Dev and Ops

Notable Characteristics

Native linkage between issues, deployments, and change tracking
Strong API and automation rule framework
Asset and configuration features available through Atlassian Assets

Considerations

Asset management depth depends on configuration
Can become complex in large environments

3. ServiceNow

ServiceNow is an enterprise workflow platform with extensive ITSM capabilities, designed for organizations that require deep process modeling and governance.

It is often chosen when operational workflows span multiple departments and regulatory frameworks.

Where It Fits

Large enterprises
Regulated sectors
Complex approval or segregation-of-duties environments

Notable Characteristics

Highly configurable workflow engine
Mature CMDB model
Extensive integration ecosystem

Considerations

Significant implementation effort
Requires dedicated administration resources

4. Freshservice

Freshservice delivers cloud-based ITSM with structured workflows aimed at organizations moving from informal support models to defined service operations.

Where It Fits

Mid-sized companies scaling internal IT practices
Teams seeking structured workflows without heavy rollout

Notable Characteristics

Incident, change, and asset management in a SaaS model
Workflow automation and service catalog features
Quick onboarding relative to enterprise platforms

Considerations

Less customizable for highly complex governance models

5. ManageEngine ServiceDesk Plus

ManageEngine ServiceDesk Plus provides comprehensive ITSM functionality with options for cloud or on-prem deployment.

Where It Fits

Organizations with mixed infrastructure constraints
Teams needing flexibility in hosting models

Notable Characteristics

CMDB and asset tracking capabilities
Broad ITIL process support
Strong reporting and configuration options

Considerations

Interface modernization lags newer SaaS platforms

6. SolarWinds Service Desk

SolarWinds Service Desk focuses on operational visibility and integrates well into infrastructure-centric environments.

Where It Fits

Hybrid IT environments
Infrastructure and operations-driven teams

Notable Characteristics

Asset discovery features
Incident and change tracking aligned with monitoring ecosystems
Reporting and analytics capabilities

Considerations

Less developer-workflow centric than some competitors

7. Zendesk (for Internal IT Use Cases)

Zendesk is primarily a service platform adopted by some organizations for internal IT workflows rather than a full traditional ITSM suite.

Where It Fits

Internal support enablement
Organizations prioritizing usability over governance depth

Notable Characteristics

Rapid deployment and intuitive interface
Strong request management workflows

Considerations

Limited native ITAM/CMDB depth
Not intended for complex DevSecOps orchestration

Choosing Based on Organizational Maturity

The right ITSM tool depends less on feature lists and more on how structured your operations already are.

If Your Organization Needs	Likely Fit
Operational visibility without heavy rollout	InvGate
Engineering-native workflow alignment	Jira Service Management
Enterprise-scale governance	ServiceNow
Structured SaaS ITSM adoption	Freshservice
Flexible infrastructure support	ManageEngine
Infrastructure-centric operations	SolarWinds
Lightweight internal service workflows	Zendesk

Final Thoughts

The evolution of ITSM has little to do with improving help desks. It reflects a broader shift toward understanding software systems as living environments that must be continuously mapped, governed, and explained.

As organizations scale their DevOps practices, they discover that speed alone is not enough. They need mechanisms that preserve context as systems change.

Modern ITSM platforms attempt to provide that context. At their best, they do not interrupt engineering workflows. They make those workflows observable, accountable, and sustainable.

In that sense, ITSM is no longer an external layer applied after software is built. It has become part of how reliable software delivery is maintained over time.

Which Programming Languages Fuel Today’s Malware Attacks

Alex Vakulov — Sun, 11 May 2025 10:06:34 +0000

It is difficult to claim that any system or program is completely secure. All of them may contain potential vulnerabilities - errors made during the development process - that can lead to serious consequences. Attackers often exploit such flaws. Information security companies continuously monitor vulnerabilities and update security databases. Their monitoring typically includes sources such as the U.S. Government’s National Vulnerability Database (NVD), security advisories, GitHub issue trackers, and open-source projects.

To create malicious code, attackers use a variety of programming languages. Some are more popular in cybercriminal circles due to their ease of use, compatibility with specific systems, and the wide availability of libraries that help solve particular problems.

The Most Common Programming Languages Used in Cyberattacks

It is important to understand that a programming language is merely a tool. Far more critical are the skills and experience of the malware developer - their expertise in the operating systems targeted, their knowledge of cryptography, and their understanding of how network protocols function.

For example, if an attacker is proficient at evading detection on an endpoint and effectively implements communication between the malware and command-and-control servers, the choice of programming language becomes secondary. The language used is typically determined by the environment in which the malicious code will run and the specific tasks it needs to perform.

Nevertheless, numerous studies and observations indicate that the majority of sophisticated malicious programs with extensive functionality are primarily developed in C and C++. These languages are favored for creating serious threats because they provide low-level access to system resources, allow direct memory manipulation, and enable the construction of complex structures that hinder analysis and detection.

Another factor contributing to their popularity in the cybercriminal ecosystem is their portability - C and C++ have minimal runtime dependencies, making it easier to compile and adapt malicious code across different platforms. Cybersecurity experts also point out that C, in particular, is prone to undefined behavior, which often results in security flaws and exploitable vulnerabilities in software infrastructure.

Beyond C

The criminal IT underground also effectively leverages other programming and scripting languages. In Windows environments, attackers frequently rely on PowerShell, a command-line shell and scripting language developed by Microsoft, based on the .NET Framework and .NET Core. PowerShell is installed by default on all modern Windows systems and is highly valued by threat actors for its powerful system management capabilities. While PowerShell is widely used by IT professionals to automate tasks, manage system configurations, and enable interoperability between services, cybercriminals exploit these same features to move laterally across networks, gather intelligence, maintain persistence, evade detection, and modify system settings to facilitate subsequent stages of an attack.

In *Unix-like (nix) systems, the go-to scripting language for similar purposes is Bash (Bourne Again Shell) - the default command-line interface in most Linux distributions. Bash scripts allow for extensive control over system processes, configurations, user interactions, and data management. These capabilities make Bash particularly appealing to attackers looking to automate malicious tasks, manipulate system behavior, and establish control over compromised systems in Linux-based environments.

Malware developers have also turned their attention to web technologies, which power the websites and services users access every day. In this domain, JavaScript stands out as one of the most exploited languages by cybercriminals. It is commonly used to craft malicious scripts for cross-site scripting (XSS) attacks, where harmful JavaScript code is injected into web pages viewed by unsuspecting users. Attackers also use JavaScript to build payload loaders and string obfuscators, which conceal malicious content and help execute it on the victim’s machine. These techniques enable the silent delivery and execution of malware through seemingly legitimate web interactions.

Python’s Role in Modern Malware Creation

The range of programming languages that can be used for malicious purposes is broad -malware can be written in virtually any language, depending on the attacker’s objectives and the target environment. While some languages are more common in the development of cyber threats, others see limited use. For example, Python, despite its popularity among legitimate developers and cybersecurity professionals, is less frequently used by malware creators. This is primarily due to its interpreted nature, larger runtime dependencies, and the ease with which Python-based code can be analyzed and detected compared to compiled languages like C or C++.

Although Python is less commonly used for creating sophisticated malware, it is still employed in the development of various types of malicious software, particularly for prototyping, automation, or targeting systems where Python is already installed. The most common types of Python-based malware include:

Stealers – Programs designed to collect sensitive user and system data from a victim’s device and transmit it to an attacker-controlled server. A notable example is the Snake malware, which demonstrated how effective Python can be for data exfiltration.
Downloaders – Lightweight scripts used to retrieve additional malware, libraries, or payloads from remote servers, acting as an initial stage in multi-phase attacks.
Miners – Malicious programs that exploit a victim’s computing resources to mine cryptocurrencies such as Monero, often running quietly in the background to avoid detection.
Encryptors (Ransomware) – Tools that perform unauthorized cryptographic operations on a victim’s files, effectively locking them and demanding payment for decryption. Python-based versions are often seen in proof-of-concept ransomware or low-sophistication campaigns.

Protecting Against Python-Based Malware

There are no unique protection methods tailored specifically to malware written in Python. Instead, the most effective defense lies in adhering to general digital hygiene practices and established information security policies. These best practices form the foundation of device and network protection, regardless of the programming language used to create malicious code. Cybersecurity professionals are well aware of these measures and typically implement them as part of standard security protocols. Let’s revisit the core principles that underpin adequate protection.

Comprehensive antivirus coverage across all endpoints – Ensuring that every device within the network is protected by reputable and regularly updated antivirus software like Fortect Antivirus or endpoint detection and response (EDR) solutions.
Layered security measures and infrastructure hardening – Using information security tools in combination with proper system configuration, regular software updates, centralized event monitoring, and secure architecture design to minimize vulnerabilities.
Ongoing employee training and awareness – Continuously educating staff on cybersecurity threats and safe digital behavior, with a strong focus on identifying phishing attempts, malicious attachments, and suspicious links, especially in corporate email.
Regular backups of critical data – Implementing automated and secure backup procedures to ensure data recovery in the event of ransomware attacks or other forms of data loss.

Conclusion

Software security issues are well-known and have been extensively documented. Developers learning to write applications are typically taught the principles of clean code and secure development practices from the outset. A brief search online reveals countless resources offering detailed and accessible recommendations for building secure software. However, even when best practices are followed during development, mistakes can still occur, resulting in vulnerabilities that attackers may exploit. To mitigate such risks, security technologies are often embedded at the operating system (OS) level, providing additional layers of defense against exploitation through software flaws.

Gaps in SOC Operator and Analyst Skillsets

Alex Vakulov — Mon, 20 May 2024 09:01:25 +0000

Despite the growing importance of SOC (Security Operations Center) operators and analysts, many applicants often lack critical knowledge and skills, which can significantly hinder their ability to perform tasks effectively. Let's explore the common deficiencies in their skill sets.

Candidates for SOC operator positions frequently lack a foundational understanding of IT technologies. They often have minimal hands-on experience with information security systems and are unfamiliar with typical network attacks and attacker tactics. This lack of basic knowledge and practical experience leaves them ill-equipped to handle the complex challenges they will face on the job.

For SOC analysts, even those with experience in corporate SOCs, the gaps can be just as significant. Many analysts lack the ability to write effective correlation rules and have a limited understanding of attack vectors or the MITRE ATT&CK framework. Their experience might be limited to basic, off-the-shelf content, without the depth required to investigate real incidents thoroughly.

To improve these skills, it is essential for SOC employees to focus on practice. Engaging in cyber exercises and competitions can significantly enhance their hard skills. Novice specialists, if they have a solid foundation of knowledge, can be quickly trained in SOC-specific skills and adapted to the company’s technologies, processes, and techniques.

However, the challenges faced by SOC employees go beyond just a lack of experience with security systems. Many have only modest experience in operating information security systems, often limited to one or two SIEMs (Security Information and Event Management systems). Additionally, their knowledge of modern regulatory requirements in information security is often insufficient. Communication skills can also be a significant issue, with many lacking the ability to effectively interact with customers and colleagues.

Practical experience is crucial for SOC employees. Many applicants struggle to understand what real attacks look like in practice, as opposed to theoretical descriptions from books and magazines. They also often lack the practical experience needed to respond to and investigate incidents effectively. Soft skills are equally important; tolerance for uncertainty, effective communication, and the ability to convey one’s position convincingly are often missing.

Real-world experience is invaluable and often more important than theoretical knowledge. In commercial SOCs, where analysts and experts work with multiple customers and encounter incidents more frequently, knowledge and experience grow much faster compared to in-house SOCs. Sharing experiences within a team is crucial, yet applicants often lack the desire to gain this kind of real-world experience.

The most common knowledge gaps include fundamental IT knowledge, such as understanding network operating systems (Windows, Linux, Mac), network technologies (at least CCNA level), and classic attacker techniques like fixation, lateral movement, and network protocol attacks. Additionally, basic knowledge of DFIR (Digital Forensics and Incident Response) is often lacking, including what forensic artifacts to collect in different scenarios and how to respond to typical attacks.

Addressing these gaps through focused training, practical experience, and the development of both hard and soft skills will better prepare applicants for successful roles as SOC operators and analysts.