Last day of RSAC conference. Once more into the breach [response and recovery AI tooling sales talks]!
allanfriedman@infosec.exchange
Posts
-
Last day of RSAC conference. Once more into the breach [response and recovery AI tooling sales talks]!
-
Anyone know of research on how people “discover” new open source that they want to use? Does one search GitHub for strings relevant to what they are looking for? See code used in other projects? Are there other registries?
-
Tired: the meeting could have been an email.
Wired: This email could have been both written and read by an LLM.
-
Some rare good news in cybersecurity. The foundation of the vulnerability management ecosystem is secured, thanks to some great work by our embattled friends at CISA.
Great reporting by @metacurity @msbrumfield
CVE program funding secured, easing fears of repeat crisis
The funding crisis that nearly shut down the global vulnerability tracking system last year has quietly been resolved, easing fears of another abrupt disruption to a cornerstone of the cybersecurity ecosystem.
CSO Online (www.csoonline.com)
-
Very much reminds me of @joshcorman's idea of "HD Moore's Law" @hdm. Cybersecurity has come far in 15 (!) years--think of how normalized CVD is--but not nearly far enough. And the above piece neatly frames that this isn't an infosec problem, it's a cross-sector ecosystem problem.
Intro to HDMoore’s Law
Most people understand "Moore's Law": compute power grows at the rate of doubling about every 2 years. At Metricon6, I asserted "HDMoore's Law" version 1: Casual Attacker power grows at the rate of Metasploit.* *HD Moore (@hdmoore) gave the industry the Metasploit Project in 2003 - a wildly successful and leveraged open-source penetration testing platform. Perhaps…
Cognitive Dissidents (blog.cognitivedissidents.com)
-
Impressed by the new ZeroDayClock effort/collective/call highlighting that the window between vuln and exploit now must be assumed as t=0.
The call to action is solid, though sadly nothing terribly new. Secure by design, adapt policies and practices. Liability, eradicate classes of vulns.
Zero Day Clock
Track Time-to-Exploit (TTE) across 83,000+ CVEs from 10 sources including CISA KEV, ExploitDB, and Metasploit. Median TTE trends, year-over-year analysis, and live exploit intelligence.
Zero Day Clock (zerodayclock.com)