Impressed by the new ZeroDayClock effort/collective/call highlighting that the window between vuln and exploit now must be assumed as t=0.
The call to action is solid, though sadly nothing terribly new. Secure by design, adapt policies and practices. Liability, eradicate classes of vulns.
Zero Day Clock
Track Time-to-Exploit (TTE) across 83,000+ CVEs from 10 sources including CISA KEV, ExploitDB, and Metasploit. Median TTE trends, year-over-year analysis, and live exploit intelligence.
Zero Day Clock (zerodayclock.com)
-
Very much reminds me of @joshcorman’s idea of "HD Moore's Law" @hdm. Cybersecurity has come far in 15 (!) years--think of how normalized CVD is--but not nearly far enough. And the above piece neatly frames that this isn't an infosec problem, it's a cross-sector ecosystem problem.
Intro to HDMoore’s Law
Most people understand "Moore's Law": Compute power grows at the rate of doubling about every 2 years. At Metricon6, I asserted "HDMoore's Law" version 1: Casual Attacker power grows at the rate of Metasploit* *HD Moore (@hdmoore) gave the industry the Metasploit Project in 2003 - a wildly successful and leveraged open-source penetration testing platform. Perhaps…
Cognitive Dissidents (blog.cognitivedissidents.com)
-
@allanfriedman it’s wild the exploit rate hovers around 1% all this time
-
@joshbressers @allanfriedman though the number of CVEs grew considerably over that same time
-
@douglevin @allanfriedman a lot of the CVE growth has been from a small number of CNAs. I would have expected the number explored to drop