Category Archives: SecurityBlog
The perverse incentive of vulnerability counting
It seems like every few years the topic of counting vulnerabilities in products shows up. Last time the focus seemed to be around vulnerabilities in Linux distributions, which made distroless and very small container images popular. Today it seems to be around the vulnerabilities in open source dependencies. The general idea is you want to…
Holding open source to a higher standard
Open source has always been held to a higher standard. It has always surpassed this standard. I ran across a story recently about a proposed bill in the US Congress that is meant to “help” open source software. The bill lays out steps CISA should take to help secure open source software. This post isn’t…
Why has software supply chain security exploded?
I take a bike ride every morning; it’s a nice way to think about topics of the day. I’ve been wondering lately why software supply chain security has exploded in popularity in the last year or so. Nothing happens by accident, so there must be some series of events we can point at that has…
Facts vs Feelings
Earlier today I asked a question on Twitter. Holy cow, that thread took on a life of its own. The question is easy enough: do we have any security data on pinning vs not pinning dependencies? We don’t, I know this, but I was hoping someone was working on something (I don’t think they are).
log4j is hard to find and harder to fix
If you pay attention to tech news, you know what’s going on with log4j right now. It’s being called Log4Shell, which is a great name. I’ll spare you repeating the details of the issue; there are many, many stories about it at this point. What I’ve not seen is a good explanation about why knowing…
The future of DWF
TL;DR – The future of community identifier is going to be the Cloud Security Alliance. See this blog post for more details. A few months ago the Distributed Weakness Filing project (DWF) announced it was coming back to work with some new ideas around how we work with vulnerability identifiers. The initial blog post defines…
It’s time to fix CVE
The late, great John Lewis is well known for a quote about getting into trouble: “Never, ever be afraid to make some noise and get in good trouble, necessary trouble.” It’s time to start some good trouble. Anyone who knows me, reads this blog, or follows me on Twitter is well aware I have been…
The Titanic of security
I listen to a lot of podcasts. A lot of podcasts. I was listening to the Dave and Gunnar Show podcast episode 212 with guest David A. Wheeler. The Titanic was used as an example of changing process after a security incident. This opened up a flood of thoughts to me, but not for the…
It’s the community, stupid
I’ve been thinking about what open source is a lot lately. I mean A LOT, probably more than is healthy. There have been a ton of open source happenings in the world, and the discussions around open source licenses have been numerous. There are even a lot of discussions around the very idea of open…
You cannot manage your supply chain
What a year it’s been! I feel like 2021 went by like a … it’s still January??? So it’s pretty much impossible to ignore any of the events of the last month. I want to talk about something that’s near and dear to my heart, and in the news, not for a good reason. Software…