It’s once again time for the outrage generators on social media to ask if SBOMs have any value. This seems to happen a few times a year. Probably lines up with the pent up excitement while we wait for the McRib to return. I could dig up a few examples of these articles but I can’t be bothered, and it doesn’t matter. I’d rather spend my time searching for a McRib … I mean, writing this blog post. ...
If you follow the vulnerability world, 2024 is starting to feel like we’ve become trapped in the mirror universe. NVD collapsed, the Linux kernel is generating a huge number of CVE IDs, CISA is maybe enriching the CVE data, and the growth rate of CVE is higher than its ever been. It feels like we’re careening off a cliff in the clown car where half the people are trapped inside trying to get out, and the other half are laughing at the clown honking its nose. ...
There’s been something in the back of my brain that’s been bothering me about talks at the big conferences lately but I just couldn’t figure out how to talk about it. Until I listed to this episode of The Hacker Mind Podcast on Self Healing Operating Systems (it’s a great podcast, like and subscribe). The episode was all about this incredibly bizarre way to store operating system state in a SQL database (yeah, you read that right). The guest made no excuses that this is a pretty wild idea and it’s not going to happen anytime soon. But we need weird research like this, it’s part of the forward march of progress. ...
It seems like every few years the topic of counting vulnerabilities in products shows up. Last time the focus seemed to be around vulnerabilities in Linux distributions, which made distroless and very small container images popular. Today it seems to be around the vulnerabilities in open source dependencies. The general idea is you want to have as few vulnerabilities in the open source you’re using, so logically zero is the goal. ...
Open source has always been held to a higher standard. It has always surpassed this standard. I ran across a story recently about a proposed bill in the US Congress that is meant to “help” open source software. The bill lays out steps CISA should take to help secure open source software. This post isn’t meant to argue if open source needs to be fixed (it doesn’t), but rather let’s consider the standards and expectations open source is held to. ...
I take a bike ride every morning, it’s a nice way to think about topics of the day. I’ve been wondering lately why software supply chain security has exploded in popularity in the last year or so. Nothing happens by accident, so there must be some series of events we can point at that has led to everyone suddenly making this a priority. Software supply chain security is not new, I’ve been doing it since about 2002 when I was helping track and coordinate security vulnerabilities in Linux distributions. We didn’t call it a supply chain back then, and nobody really paid attention to it. So what changed between then and now? ...
Earlier today I asked a question on Twitter Holy cow that thread took on a life of its own. The question is easy enough, do we have any security data on pinning vs not pinning dependencies? We don’t, I know this, but I was hoping someone was working on something (I don’t think they are). But during the thread I also think I figured how to be start collecting this data. That’s a post for the future. ...
If you pay attention to tech news, you know what’s going on with log4j right now. It’s being called Log4Shell which is a great name. I’ll spare you repeating the details of the issue, there are many many stories about it at this point. What I’ve not seen is a good explanation about why knowing if you are using log4j is hard, and fixing it will be even harder than finding it. ...
TL;DR - The future of community identifier is going to be the Cloud Security Alliance. See this blog post for more details. A few months ago the Distributed Weakness Filing project (DWF), announced it was coming back to work with some new ideas around how we work with vulnerability identifiers. The initial blog post defines some of the reasons, we won’t rehash them here. It should surprise nobody that the DWF project did not grow to an enormous size in a few short months. Vulnerability identification is a complex and hard problem. We were looking to try out some new ideas and see which were effective and which were not effective. It was to start to build the structure to deal with a future community. Most importantly it was to help figure out what we don’t know we don’t know. ...
The late, great, John Lewis is well known for a quote about getting into trouble. Never, ever be afraid to make some noise and get in good trouble, necessary trouble. It’s time to start some good trouble. Anyone who knows me, reads this blog, or follows me on Twitter, is well aware I have been a proponent of CVE Identifiers for a very long time. I once assigned CVE IDs to most open source security vulnerabilities. I’ve helped more than one company and project adopt CVE IDs for their advisories. I encourage anyone who will listen to adopt CVE IDs. I’ve even talked about it on the podcast many times. ...