The EU recently announced they are going to sponsor a security bug bounty program for 14 open source projects in 2019. There has been quite a bit of buzz about this program in all the usual places. The opinions are all over the place. Some people wonder why those 14, some wonder why not more.Continue reading “Misguided misguidings over the EU bug bounty”
This is just how open source works, and that’s OK
If you visit github.com to download code to include in your project, or you visit stack overflow for help, or if you find snippits using a search engine, you have open source dependencies
There seems to be a lot of questions going around lately about how to best give out simple security advice that is actionable. Goodness knows I’ve talked about this more than I can even remember at this point. The security industry is really bad at giving out actionable advice. It’s common someone will ask what’sContinue reading “Targeted vs General purpose security”
There are not millions of unfixed security flaws missing from the CVE data.
We love to do security reviews on the projects, products, and services our companies use. Security reviews are one of those ways we can show how important security is. If those reviews didn’t get done we might end up using a service that could put our users and data at risk. Every good horror storyContinue reading “Security reviews and microservices”
The best part about getting to give a security talk at OSCON is I’m not talking to a security audience, I get to talk to developers about security. Developers, the ones who do the actual work, sometimes in spite of their security teams causing friction and slowing things down.
A lot of what we call security is voodoo. Most of it actually. What I mean with that statement is our security process is often based on ideas that don’t really work. As an industry we have built up a lot of ideas and processes that aren’t actually grounded in facts and science. We don’tContinue reading “The father of modern security: B. F. Skinner”
As of late I’ve been seeing a lot of grumbling that security return on investment (ROI) is impossible. This is of course nonsense. Understanding your ROI is one of the most important things you can do as a business leader. You have to understand if what you’re doing makes sense. By the very nature ofContinue reading “Security ROI isn’t impossible, we suck at measuring”
After my last post about security spending, I was thinking about how most security teams integrate into the overall business (hint: they don’t). As part of this thought experiment I decided to compare traditional security to something that in modern times has come to be called helicopter parenting. A helicopter parent is someone who won’tContinue reading “Helicopter security”