Resilient Cyber

Resilient Cyber explores cybersecurity, emphasizing the integration of security into business environments. It addresses challenges like vulnerability management, secure software supply chains, Zero Trust models, and government compliance. The newsletter highlights the importance of built-in security practices, accountability, and collaboration between security and development teams across industries.

Topics: Cybersecurity, Software Development, DevSecOps, Software Supply Chain Security, Cloud Security, Government Compliance, AI Security, Vulnerability Management, Open Source Security

The hottest Substack posts of Resilient Cyber

And their main takeaways
79 implied HN points 13 Mar 24
  1. CISA has released a final form for secure software development that vendors need to follow to sell software to the Federal government. This means companies must prove their software is developed with important security practices.
  2. The attestation form applies to software developed or significantly changed after September 14, 2022, making it crucial for many vendors. This rule covers popular Software as a Service (SaaS) products as well.
  3. Not all software is included; for example, software created directly by Federal agencies and open-source software is exempt. This leaves some gaps in security measures that need attention, especially for software that might still pose risks.
79 implied HN points 06 Mar 24
  1. Organizations need to understand the unique risks of using Large Language Models (LLMs) and Generative AI, and they should create clear strategies for managing these risks.
  2. Having an AI asset inventory is crucial so that companies know what AI tools they are using and who is responsible for them.
  3. Safety training for employees on AI tools can help prevent misuse and create a culture of transparency within the organization.
299 implied HN points 29 Jun 23
  1. CI/CD environments are crucial for the development and delivery of software, but they can also be targeted by hackers. It's important to secure these systems to prevent attacks.
  2. The NSA and CISA have released guidelines that offer best practices for protecting CI/CD pipelines. Using existing frameworks and tools can help improve security effectively.
  3. Transitioning to a Zero Trust model is recommended to enhance security in software development. This approach minimizes risks by ensuring that all access is restricted and monitored.
19 implied HN points 02 Jul 24
  1. There is no clear standard for 'reasonable' cybersecurity in the U.S., making it hard to hold organizations accountable for data breaches. This means it's important to define what basic security should look like.
  2. The role of Chief Information Security Officers (CISOs) is evolving and there's discussion about possibly splitting their responsibilities. However, many believe that a strong CISO needs both technical skills and business understanding to be effective.
  3. Supply chain attacks are growing and affecting numerous organizations and open-source projects. This highlights the need for better security practices since many important projects are maintained by volunteers and are often under-resourced.
179 implied HN points 15 Oct 23
  1. Many data breaches happen because of misconfigurations. This means that fixing these issues is often more important than just finding software vulnerabilities.
  2. Organizations need to regularly update their software and manage user privileges better. This can help prevent attackers from taking advantage of weak points in the system.
  3. Monitoring network activity is crucial. Without it, businesses may not realize they are being attacked and might suffer more damage.
239 implied HN points 21 Jul 23
  1. There's a lot of focus on securing open source software, but it's important not to ignore the risks in proprietary software too. Both types of software can have serious security issues.
  2. Most code in applications is actually custom code, not open source, which means organizations should pay more attention to their own code for vulnerabilities. Just scanning for problems in open source might not solve the main issues.
  3. Finding a balance between securing open source and proprietary software is key. We need to focus on the right vulnerabilities and not overload developers with unnecessary work.
219 implied HN points 31 Jul 23
  1. EPSS 3.0 helps security teams focus on the vulnerabilities that are most likely to be exploited soon. This makes managing vulnerabilities easier and more efficient.
  2. Many organizations struggle to fix all their vulnerabilities and often end up wasting time on those that are rarely exploited. EPSS aims to change that by identifying threats more accurately.
  3. The new version of EPSS shows a big improvement in predicting which vulnerabilities are at risk. This means companies can spend less time on unimportant issues and focus on what really matters.
199 implied HN points 14 Aug 23
  1. Malicious actors focused heavily on Microsoft vulnerabilities in 2022, highlighting the importance for organizations to stay updated with security patches.
  2. Vendors and developers should identify often exploited vulnerabilities and hold business leaders responsible for security practices.
  3. End-user organizations need to enforce strong security measures, like multi-factor authentication, and continuously monitor their systems to protect against possible threats.
139 implied HN points 30 Oct 23
  1. FedRAMP is being updated to make it easier for the government to use cloud services. The goal is to increase the number of authorized cloud providers and reduce the complicated process that currently exists.
  2. The memo emphasizes the use of automation and machine-readable formats to speed up compliance processes. This means that instead of relying on paper documents, they'll use technology to better manage security assessments.
  3. There's a push to allow more existing security certifications to count towards FedRAMP requirements. This could help smaller businesses enter the market and expand the options available for federal agencies.
79 implied HN points 24 Jan 24
  1. The U.S. Cyber Trust Mark is a new program that helps consumers identify smart devices that are safer from cyber attacks. It's like an energy efficiency label but for cybersecurity.
  2. This program helps manufacturers create standards that make devices both secure and easy to sell internationally. It aims to solve problems that come from different security rules across countries.
  3. Consumers need better information when buying tech products because many devices, especially IoT ones, can pose security risks. The labeling will educate consumers on the safety of their purchases.
119 implied HN points 07 Nov 23
  1. Not all software bills of materials (SBOMs) are the same, and they are important for software supply chain security. They help provide transparency about the components within software.
  2. The BOM Maturity Model can help evaluate how complete and useful a BOM is. It measures difficulty in obtaining data and assesses how well the BOM meets certain standards.
  3. As the industry works towards better SBOMs, tools and resources like the OWASP guides are crucial. They aim to improve understanding and detail in software management, similar to standards in food or pharmaceuticals.
1 HN point 16 Sep 24
  1. The cybersecurity job market is confusing, with many positions unfilled while experienced professionals struggle to find jobs. This suggests a mismatch between job demands and qualifications.
  2. Budget cuts are affecting cybersecurity staffing and resources, causing many companies to hire only to replace existing employees rather than expand. This reflects a general slowdown in budget growth for security initiatives.
  3. There are challenges for new entrants trying to break into cybersecurity jobs due to high experience requirements and a lack of practical opportunities. Many educated candidates still find it hard to secure roles, leading to frustration.
239 implied HN points 28 Apr 23
  1. Cybersecurity issues won't fix themselves through friendly advice. The market often tolerates insecure products, leading to many security breaches that affect us all.
  2. Changing how we handle cybersecurity needs new rules. We must shift accountability and liability to make companies take security seriously and protect the data of their customers.
  3. Cybersecurity can be a key part of business success. If companies start prioritizing security due to regulations, it could help reduce risks and become a real advantage.
119 implied HN points 20 Oct 23
  1. Software companies should take more responsibility for keeping their products secure. It's not fair for the burden of safety to rest solely on customers.
  2. Transparency is vital in building trust. Companies should openly share their security practices and incident reports to help everyone strengthen their defenses.
  3. Customers can drive change by choosing to buy from companies that promote secure products. When buyers demand safety, companies will start to respond.
239 implied HN points 17 Apr 23
  1. Cybersecurity should be included from the start of product design, not added later. This means making security a priority throughout the whole development process.
  2. Products should come secure by default, so users don't have to figure out how to protect themselves. Just like cars come with seatbelts, software needs built-in security features.
  3. There needs to be accountability for software security. Companies should not shift the blame to users but should instead be responsible for ensuring their products are secure and safe to use.
19 implied HN points 23 May 24
  1. Public sector organizations struggle with balancing cybersecurity, innovation, and compliance. They need faster software delivery while keeping systems secure, which is a tricky balance.
  2. Programs like FedRAMP and the Authority to Operate (ATO) process are seen as too complicated and slow, making it hard for the government to adopt new cloud services quickly. This can lead to workarounds that compromise security.
  3. The push for secure software supply and self-attestation aims to improve security but can add more complexity for software suppliers. Striking the right balance between security and accessibility is essential.
79 implied HN points 04 Dec 23
  1. Software identification is important for managing everything from consumer products to national security, but the current naming systems are confusing and inconsistent.
  2. There are several ways to identify software, like Common Platform Enumeration (CPE), Package URL (PURL), and Software Identification Tags (SWID), each with its own uses and challenges.
  3. A unified approach to software identification is needed, but there are various paths forward, including using a single identifier or multiple formats, which could complicate things further.
19 implied HN points 09 May 24
  1. The Secure-by-Design Pledge encourages software companies to make their products more secure, focusing on goals like using multi-factor authentication and reducing default passwords. This means companies are promising to create safer software for everyone.
  2. The pledge is voluntary, which means companies are not legally required to follow these guidelines. While this relies on their honesty, it raises trust issues since there's no enforced accountability.
  3. Many big names in tech have signed this pledge, which is a positive step. But it's crucial for more non-security-focused companies to join in for real change to happen in improving software security.
119 implied HN points 05 Jun 23
  1. Federal cloud compliance processes take a long time, as seen with FedRAMP taking almost three years to update its security baselines to align with NIST 800-53 revisions.
  2. Cloud service providers have a very short timeframe to adapt to these updates, which creates a confusing double standard where industry has to move faster than the government.
  3. While there's a growing focus on securing the software supply chain, cloud service providers were unregulated in this area for years, despite their crucial role in cybersecurity.
119 implied HN points 30 May 23
  1. Software supply chain attacks are increasing rapidly, with a reported rise of 742% in the last three years. This highlights the need for better security measures in software development.
  2. The book discusses various strategies for managing supply chain risks. It covers topics like vulnerability databases, software bills of materials (SBOM), and practical guidance for both suppliers and consumers.
  3. There is a growing push for software transparency to address systemic risks. This involves collaboration between development, security, and operations, as well as understanding regulations and emerging best practices.
159 implied HN points 02 Mar 23
  1. The 2023 National Cybersecurity Strategy emphasizes the need for everyone in society to work together to improve cybersecurity. This means technology companies, governments, and individuals all have roles to play.
  2. Critical infrastructure, like power and communication systems, needs stronger protections from cyber threats. The strategy calls for businesses to take responsibility for securing these systems.
  3. The strategy also aims to change market forces to incentivize companies to prioritize cybersecurity in their products. This could lead to safer technology and fewer cyber risks for everyone.
119 implied HN points 11 May 23
  1. Our physical security measures are often weaker than we think. For instance, common locks can be picked easily, which shows that our sense of security might be just an illusion.
  2. Safety relies on societal agreements, not just on laws or security measures. People generally choose to respect each other's property, which is why we don't face crime constantly.
  3. Our cybersecurity is similarly vulnerable. Current defenses work against normal cyber crime, but if serious attacks from nation-states happen, our systems may not hold up at all.
119 implied HN points 01 May 23
  1. The Federal government is focusing on secure software development, requiring software suppliers to prove they follow certain security practices. This means companies must show they are making software safely before selling it to federal agencies.
  2. Software developers must also consider how they use open-source software, as they need to show they manage risks associated with those components. This makes them responsible for any issues that might arise from using other people's code.
  3. Additionally, there is a process where companies can report if they can't meet all the secure practices. This allows them to explain any gaps in compliance and outline their plans to fix them later.
119 implied HN points 02 Apr 23
  1. Vulnerability management is crucial for security but often overwhelms developers with too much information. It’s important to focus on vulnerabilities that really pose a risk, instead of just following strict checklists.
  2. The number of vulnerabilities has exploded in recent years, but most are never exploited. Organizations need better ways to prioritize which vulnerabilities to address based on actual risk, rather than just severity scores.
  3. Security teams should work more closely with developers to reduce friction and support their efforts. Improving communication and providing context can make security a partner, not a blocker.
119 implied HN points 27 Mar 23
  1. The Shared Responsibility Model (SRM) explains that cloud customers and service providers each have their own security duties. Customers need to understand their roles to prevent most data breaches, which are often due to customer mistakes.
  2. Google Cloud introduced the idea of 'Shared Fate,' encouraging cloud providers to take an active role in helping customers secure their environments. This shift acknowledges that both sides must work together for better security outcomes.
  3. There are growing concerns about the risks of relying on a few major cloud providers. If one suffers a security issue, it can affect everyone, highlighting the need for a community approach to cloud security and trust.
99 implied HN points 10 May 23
  1. It's important to shift security measures smartly rather than just shifting them left in the development cycle. We need the right context to effectively identify real risks in applications.
  2. Many security tools produce a lot of noise and false positives, which frustrates developers. If security teams provide context-rich insights instead, it would help everyone work better together.
  3. There’s a cultural gap where security teams dump problems on developers without proper context, leading to resentment. Improving communication and collaboration can help avoid this issue.
79 implied HN points 12 Jun 23
  1. The U.S. government is focusing on improving software security and has set deadlines for software suppliers to prove they follow secure practices. Agencies now have more time to collect necessary confirmations from their software producers.
  2. Software suppliers are responsible for the security of all parts of their software, including third-party components. They need to understand where these components come from and how safe they are.
  3. Free software provided by vendors is not required to meet security standards set by the government. This creates challenges since free software can still have vulnerabilities that might put agencies at risk.
79 implied HN points 22 May 23
  1. Many organizations don't clearly define their risk tolerance in cybersecurity, impacting their ability to manage risks effectively. If a company doesn't know what risks it faces, it can't protect itself properly.
  2. There's a significant gap in measuring and understanding risks, especially with the rise of cloud services and software. Organizations often struggle to keep track of what software and hardware they use, leading to hidden vulnerabilities.
  3. Organizations are facing a backlog of vulnerabilities that they can't keep up with. If too many risks are left unresolved, it raises questions about their actual risk appetite and ability to protect themselves.
99 implied HN points 13 Mar 23
  1. Open Source Software (OSS) is widely used, making up a large part of many software applications. However, it's essential to be aware of the risks it poses, as vulnerabilities in OSS can impact many users simultaneously.
  2. One major risk is the compromise of legitimate OSS packages, where attackers can hijack code or repositories to insert malicious elements, which can then spread to organizations using that software.
  3. Another concern is outdated or unmaintained OSS, which can lead to security issues if the software isn’t updated regularly. Organizations need to keep track of the OSS they use and ensure it's actively maintained.
99 implied HN points 07 Mar 23
  1. Using SAST tools helps find security problems in an app's code. It's important to have tools that are easy to use and can be customized based on your needs.
  2. Threat modeling is about figuring out what security risks exist and how likely they are to happen. It helps you focus on the most important threats to your applications.
  3. Combining SAST and threat modeling makes both methods stronger. By knowing your threats, you can use SAST better to fix specific vulnerabilities in your software.
59 implied HN points 17 Jul 23
  1. The National Cybersecurity Strategy emphasizes that big companies and government agencies should take more responsibility in managing cyber risks. This means they need to invest in better security measures to protect everyone.
  2. There are five main goals in the strategy, including making sure critical services are safe, working with the private sector, and responding quickly to cyber threats. It's all about teamwork between different sectors for better security.
  3. The plan is a living document that will change as needed. It includes specific actions and timelines, showing that the government is committed to making real improvements in cybersecurity.
119 implied HN points 27 Nov 22
  1. The Department of Defense is adopting a Zero Trust strategy to improve security by not automatically trusting any user or device, and it aims to fully implement this approach in five years.
  2. Key goals of the strategy include fostering a culture of Zero Trust within the organization, accelerating technology adoption, and ensuring DoD systems are secure and well-defended.
  3. Success relies on collaboration across all levels of the DoD, as well as proper funding and resources to support the technology and cultural shifts needed for this new security model.
79 implied HN points 13 Apr 23
  1. The Department of Defense (DoD) wants to modernize its software to keep up with technology and improve national security. They plan to deliver software that is reliable and fast to adapt to changing needs.
  2. A key part of the strategy is embracing cloud technologies and making sure software can withstand and recover from issues. This means investing in modern tech and improving processes to speed up software delivery.
  3. To achieve these goals, the DoD recognizes the importance of updating how it trains and manages its workforce. They need to make sure their team is skilled and ready to adapt to new technologies and ways of working.
79 implied HN points 28 Feb 23
  1. Software supply chain attacks are not new and have been happening for decades, with many recent high-profile cases shining a light on them.
  2. There are several types of attack vectors, including issues with developer tools, negligence in following security practices, and problems with trust and code signing.
  3. Malicious actors often combine different attack methods to cause harm, so it's important for organizations to have strong security measures in place to protect their software supply chain.
99 implied HN points 04 Dec 22
  1. The FedRAMP Authorization Act aims to improve how federal agencies adopt cloud services. It highlights the importance of cloud for modernizing old IT systems and creating jobs in the tech sector.
  2. A key change in the legislation is the creation of a Federal Secure Cloud Advisory Committee. This group will include experts from both the government and private sector to streamline cloud service authorizations and improve communication.
  3. Another important aspect is the 'Presumption of Adequacy', which allows agencies to trust existing FedRAMP authorizations without needing extra checks. This should reduce the repetitive security assessments that cloud service providers currently face.
79 implied HN points 13 Feb 23
  1. The Cyber Defense Matrix helps organizations understand their security tools better. It allows teams to see what tools they have, find overlaps, and spot gaps in their defenses.
  2. Cybersecurity tool sprawl is a big issue where companies use many different tools, often without fully understanding how well they work. This can make it harder to respond to threats effectively.
  3. Investing more in technology than in the people and processes can lead to a weaker security response when incidents occur. It's important to balance resources across technology, people, and processes.
59 implied HN points 11 Apr 23
  1. Building a compliance and AppSec program for a federal Platform-as-a-Service is challenging. It's important to understand which security controls can be inherited by development teams.
  2. Scaling the compliance program across multiple teams can lead to unique challenges. It's crucial to onboard each team effectively while minimizing their workload.
  3. Developers need support in balancing security and compliance with their work. Educating auditors about cloud practices is also important for smoother collaboration.
79 implied HN points 18 Dec 22
  1. Vulnerability Disclosure Programs (VDP) help software suppliers communicate vulnerabilities to users. Having a clear VDP builds trust and prepares organizations for potential security issues.
  2. A Product Security Incident Response Team (PSIRT) focuses on managing and responding to security issues in products. PSIRTs help organizations effectively analyze vulnerabilities and communicate solutions to their consumers.
  3. Maturity levels for PSIRTs range from basic to advanced, with advanced teams being proactive and integrating security into product development. This approach ensures better security practices and communication throughout the supply chain.
79 implied HN points 11 Dec 22
  1. Federal agencies must collect self-attestations from software vendors about their secure development practices, following NIST's guidelines.
  2. The NIST Secure Software Development Framework (SSDF) encourages integrating security early in the software development process, rather than addressing it later on.
  3. Industry groups are raising concerns about the requirements for transparency in the software supply chain, which could lead to delays in implementing necessary security measures.