I listen to a lot of podcasts. A lot of podcasts. I was listening to the Dave and Gunnar Show podcast episode 212 with guest David A. Wheeler. The Titanic was used as an example of changing process after a security incident. This opened up a flood of thoughts to me, but not for theContinue reading “The Titanic of security”
Category Archives: SecurityBlog
It’s the community, stupid
I’ve been thinking about what open source is a lot lately. I mean A LOT, probably more than is healthy. There have been a ton of open source happenings in the world and the discussions around open source licenses have been numerous. There are even a lot of discussions around the very idea of openContinue reading “It’s the community, stupid”
You cannot manage your supply chain
What a year it’s been! I feel like 2021 went by like a … it’s still January??? So it’s pretty much impossible to ignore any of the events of the last month. I want to talk about something that’s near and dear to my heart, and in the news, not for a good reason. SoftwareContinue reading “You cannot manage your supply chain”
Committee or Community: Slowing down the future
I wrote a blog post about looking back, and I have a bit of snark in there where I talk about slowing down the future. I wanted to explain this a bit more and give everyone some food for thought around how we used to do things and how we should do them moving forward.Continue reading “Committee or Community: Slowing down the future”
We can’t move forward by looking back
For the last few weeks Kurt and I have been having a lively conversation about security ratings scales. Is CVSS good enough? What about the Microsoft scale? Are there other scales we should be looking at? What’s good, what’s missing, what should we be talking about. There’s been a lot of back and forth andContinue reading “We can’t move forward by looking back”
A bug by any other name
This tweet from Jim Manico really has me thinking about why we like to consider security bugs special. There are a lot of tools on the market today to scan your github repos, containers, operating systems, web pages … pick something, for security vulnerabilities. I’ve written a very very long series about these scanners andContinue reading “A bug by any other name”
We take security seriously, VERY SRSLY!
Every company tells you they take security seriously. Some even take it very seriously. But do they? I started to think about this because of a recent Slack bug. I think there are a lot of interesting things we can look at to decide if a company is taking security seriously or if the companyContinue reading “We take security seriously, VERY SRSLY!”
2020 CWE Top 25 I mean 10 or maybe 4.5
A few days ago I ran across this report from MITRE. It’s titled “2020 CWE Top 25 Most Dangerous Software Weaknesses”. I found the report lacking the sort of details I was hoping for, so I’m going rogue and adding those details myself because it’s a topic I care about and I like seeing conclusions.Continue reading “2020 CWE Top 25 I mean 10 or maybe 4.5”
The ineffective CISO
I’ve been thinking about this one for a while. I’ve seen some CISOs who are amazing at what they do, and I’ve seen plenty that can’t get anything done. After working with one that I think is particularly good lately, I’ve made some observations that has changed my mind about the modern day CISO reportingContinue reading “The ineffective CISO”
Broken vulnerability severities
This blog post originally started out as a way to point out why the NVD CVSS scores are usually wrong. One of the amazing things about having easy access to data is you can ask a lot of questions, questions you didn’t even know you had, and find answers right away. If you haven’t readContinue reading “Broken vulnerability severities”
