Resilient Cyber

Resilient Cyber explores cybersecurity, emphasizing the integration of security into business environments. It addresses challenges like vulnerability management, secure software supply chains, Zero Trust models, and government compliance. The newsletter highlights the importance of built-in security practices, accountability, and collaboration between security and development teams across industries.

Cybersecurity Software Development DevSecOps Software Supply Chain Security Cloud Security Government Compliance AI Security Vulnerability Management Open Source Security

The hottest Substack posts of Resilient Cyber

And their main takeaways
59 implied HN points 21 Feb 23
  1. The Open Software Supply Chain Attack Reference (OSC&R) is a MITRE ATT&CK-style framework for understanding software supply chain risk. It organizes the tactics and techniques attackers use against the software development lifecycle into a matrix that teams can assess themselves against.
  2. One concept OSC&R introduces is the Pipeline Bill of Materials (PBOM), a record of everything that happens to a piece of software from source through build to deployment. Where an SBOM lists what is in the software, a PBOM lets organizations see risk at every stage of how it was produced.
  3. The matrix spans areas such as container security, open source dependencies, and cloud infrastructure, each with its own set of attacker techniques and corresponding defensive practices.
59 implied HN points 01 Feb 23
  1. Most modern software relies heavily on Free and Open Source Software (FOSS), but companies often don't have a formal relationship with the maintainers of this software. This means you can't always expect support or responses when issues arise.
  2. Many FOSS projects have limited contributors, and some are maintained by just one person. This can lead to challenges in getting help or updates if needed, making it important for users to be ready to step in if something goes wrong.
  3. As a software user, you need to understand that the responsibility for managing FOSS lies with you. If you want maintainers to act like suppliers, consider supporting them financially, or be prepared to handle any risks yourself.
39 implied HN points 31 May 23
  1. Many organizations have a huge number of open vulnerabilities, but they struggle to fix them fast enough. This creates a risky situation where bad actors can exploit these weaknesses quickly.
  2. Despite new tools and approaches, cybersecurity continues to lag behind the speed of threats. Adding more security tools doesn't necessarily make things safer and can actually create confusion and overload for teams.
  3. Security should be treated as an ongoing process, not just something to buy or check off a list. If we keep doing the same thing without real change, we’ll keep facing the same problems.
59 implied HN points 16 Jan 23
  1. The PEACH framework (Privilege hardening, Encryption hardening, Authentication hardening, Connectivity hardening, and Hygiene) addresses cloud security through tenant isolation. It gives guidance on keeping different customers' data and workloads separated from one another.
  2. Multi-tenancy in cloud computing brings risk when isolation is weak: a flaw in the shared layer can let one tenant reach another's data. Both cloud service providers and their customers need to understand where the isolation boundaries are and what each side is responsible for.
  3. Effective tenant isolation combines several measures, such as reducing the complexity of customer-facing interfaces and strengthening the separation between tenants. The aim is to ensure that one tenant's data or code never crosses into another's environment.
59 implied HN points 03 Jan 23
  1. OWASP's Software Assurance Maturity Model (SAMM) helps organizations check how secure their software practices are and plan for improvements. It breaks down the process into different business functions to make it manageable.
  2. SAMM outlines specific security practices organizations should follow during software development, including governance, design, implementation, verification, and operations. Each area has suggested actions to help raise security standards.
  3. It's important to cautiously evaluate self-attestations from third-party software vendors regarding security compliance. Additional tools like Software Bill of Materials (SBOM) can help provide clearer insights into software vulnerabilities.
59 implied HN points 22 Nov 22
  1. CISA emphasizes using machine-readable formats for security advisories to help organizations quickly understand and respond to vulnerabilities. Automating this process can speed up how fast companies act against threats.
  2. The Vulnerability Exploitability eXchange (VEX) lets a supplier state whether a vulnerability in a component actually affects a given product, and why. Consumers can then drop findings the supplier marks as not affected and spend their time on the ones that are exploitable in their context.
  3. CISA's Stakeholder Specific Vulnerability Categorization (SSVC) helps organizations prioritize which vulnerabilities to address based on impact and urgency. It guides decision-making with a structured approach to risk management.
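As an added example (not code from the Resilient Cyber post or from CISA), the following Python applies a supplier's VEX statements to a set of vulnerability scanner findings and sorts them into action buckets. The VEX document, CVE identifiers and package URLs are constructed placeholders laid out in the OpenVEX style; the status and justification vocabulary is the one the OpenVEX specification defines. Findings with no statement, or with a "not affected" claim that carries no justification, deliberately stay in the needs-action bucket.

```python
"""Apply VEX statements to scanner findings (added example, not from the post).

The VEX payload below is a constructed, simplified OpenVEX-style document;
the CVE identifiers and package URLs are placeholders, not real records.
"""
import json

# Constructed sample: what a scanner reported against our build (placeholder IDs).
SCANNER_FINDINGS = [
    {"cve": "CVE-0000-0001", "component": "pkg:generic/libexample@1.2.0"},
    {"cve": "CVE-0000-0002", "component": "pkg:generic/libexample@1.2.0"},
    {"cve": "CVE-0000-0003", "component": "pkg:generic/parserlib@4.0.1"},
    {"cve": "CVE-0000-0004", "component": "pkg:generic/parserlib@4.0.1"},
]

# Constructed sample VEX document from the supplier, OpenVEX-style layout.
VEX_JSON = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/placeholder",
    "author": "Example Supplier PSIRT",
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"},
         "products": [{"@id": "pkg:generic/libexample@1.2.0"}],
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-0002"},
         "products": [{"@id": "pkg:generic/libexample@1.2.0"}],
         "status": "affected",
         "action_statement": "Upgrade to 1.2.1 or restrict access to the admin API."},
        {"vulnerability": {"name": "CVE-0000-0003"},
         "products": [{"@id": "pkg:generic/parserlib@4.0.1"}],
         "status": "under_investigation"},
        # A not_affected claim without a justification is malformed: do not trust it.
        {"vulnerability": {"name": "CVE-0000-0004"},
         "products": [{"@id": "pkg:generic/parserlib@4.0.1"}],
         "status": "not_affected"},
    ],
})

# Justification values the OpenVEX spec allows for a not_affected status.
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def index_vex(vex_json):
    """Map (cve, product id) -> statement so each finding is a single lookup."""
    doc = json.loads(vex_json)
    idx = {}
    for stmt in doc.get("statements", []):
        cve = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            idx[(cve, product["@id"])] = stmt
    return idx


def triage(findings, vex_json):
    """Sort findings into {"needs_action", "suppressed", "watch"} using the VEX.

    Each entry is (cve, component, reason). Absence of a statement is not
    evidence of safety, so uncovered findings stay in needs_action.
    """
    idx = index_vex(vex_json)
    buckets = {"needs_action": [], "suppressed": [], "watch": []}
    for f in findings:
        key = (f["cve"], f["component"])
        stmt = idx.get(key)
        if stmt is None:
            buckets["needs_action"].append((*key, "no VEX statement; assume affected"))
            continue
        status = stmt["status"]
        if status == "not_affected":
            just = stmt.get("justification")
            if just in VALID_JUSTIFICATIONS:
                buckets["suppressed"].append((*key, f"not_affected: {just}"))
            else:
                buckets["needs_action"].append(
                    (*key, "not_affected without a valid justification; do not trust"))
        elif status == "fixed":
            buckets["suppressed"].append((*key, "supplier states this build contains the fix"))
        elif status == "under_investigation":
            buckets["watch"].append((*key, "supplier still investigating; re-check later"))
        else:  # "affected" or an unknown status: treat as exploitable
            buckets["needs_action"].append((*key, stmt.get("action_statement", f"status {status}")))
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(SCANNER_FINDINGS, VEX_JSON).items():
        print(bucket)
        for cve, component, reason in items:
            print(f"  {cve} {component}: {reason}")
```

The key design choice is the default: a VEX document reduces work only for the findings it explicitly and properly clears, and everything else keeps its place in the remediation queue.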
59 implied HN points 22 Nov 22
  1. CVE assigns a common identifier to each publicly known vulnerability, and the NVD enriches those records with severity scores and affected-product data. That shared naming and scoring lets companies compare findings across tools and decide what to fix first.
  2. The Common Vulnerability Scoring System (CVSS) rates how severe a vulnerability is based on its intrinsic characteristics, such as how it is reached and what it compromises. It is a severity score, not a risk score: it does not account for whether an exploit exists or how exposed a particular deployment is, so it should inform prioritization rather than dictate it.
  3. New systems like the Open-Source Vulnerabilities (OSV) database and Global Security Database (GSD) aim to improve how vulnerabilities are recorded and shared, making it easier for developers to manage risk.
39 implied HN points 04 Apr 23
  1. There are several public speaking events related to security and compliance happening in April. These focus on topics like Software as a Service (SaaS) security and building secure programs.
  2. One important event will discuss how to create a compliance program for federal services, emphasizing the balance between development speed and security. This is crucial for companies navigating these challenges.
  3. Another key topic is Software Transparency and how to secure the software supply chain. This issue is becoming more important as many businesses rely on software solutions, and it's something experts are starting to address more.
39 implied HN points 06 Feb 23
  1. Organizations need a solid plan to manage the security risks associated with their wide use of Software as a Service (SaaS). This includes knowing what SaaS applications they use and applying security measures.
  2. Many companies focus heavily on securing their infrastructure services like AWS or Azure, but they often overlook the significant risks that come with SaaS applications. This can lead to security breaches.
  3. It's important for businesses to understand the shared responsibility model in cloud security and realize that while SaaS providers handle some security, the ultimate responsibility for data protection still lies with the organization.
39 implied HN points 24 Dec 22
  1. Software supply chain attacks can happen in many ways. It’s important to understand the different attack types to protect against them effectively.
  2. Negligence in software practices can lead to serious problems. Simple mistakes like not checking dependencies can let bad code slip into your projects.
  3. Digital signing helps ensure software integrity, but it is not foolproof: a signature proves who published an artifact, not that the artifact is benign, and a stolen signing key or compromised build system produces validly signed malicious software. Signing belongs alongside other controls, not in place of them.
19 implied HN points 10 Apr 23
  1. Many organizations have old vulnerabilities in their systems that are not being fixed. These vulnerabilities can be easily exploited by hackers.
  2. There are millions of public instances still vulnerable to known security issues, and a significant number of these vulnerabilities have existed for over five years.
  3. The way we manage and address these vulnerabilities isn't working well. Companies need to improve their systems to keep up with the increasing number of vulnerabilities and threats.
19 implied HN points 23 Jan 23
  1. People are demanding more transparency in digital systems. This means consumers want to know what software they are using and how it is made.
  2. There's a strong push for companies to adopt Zero Trust, meaning no user or device gets access simply because it is on the corporate network. Every access request is authenticated and authorized on its own.
  3. Privacy regulations are changing, with more laws being introduced to protect personal data. Companies need to be clear about how they collect and use consumer information.
0 implied HN points 22 Nov 22
  1. Microsoft created the Secure Supply Chain Consumption Framework (S2C2F) to help organizations manage their use of open-source software securely. Its goal is to improve safety when using external code libraries.
  2. The framework has three main goals: to ensure good governance of open-source software, to quickly fix known security issues, and to avoid using harmful software packages. These goals guide the practices that organizations should adopt.
  3. S2C2F also emphasizes the need for continuous learning and improvement in security practices. Organizations are encouraged to regularly assess their security measures and adapt to new threats as they arise.
0 implied HN points 10 Jan 23
  1. Sometimes software has vulnerabilities that don’t have a fix available. Companies might struggle to issue patches due to resource limits or internal priorities.
  2. When a direct patch isn't available, businesses can use virtual patching: a compensating control placed in front of the vulnerable component, such as a Web Application Firewall (WAF) rule that blocks requests shaped like the exploit, so the flaw cannot be reached even though the code is unchanged.
  3. Virtual patching needs to be planned and monitored: track each virtual patch, test that it blocks what it should without breaking legitimate traffic, and keep checking whether a real fix has become available. Virtual patches are temporary; the long-term fix is still to patch or replace the vulnerable component.
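Added example, not from the post or from any WAF vendor: a small Python request filter that behaves like a virtual patch. The endpoint path, parameter name, traversal pattern and ticket reference are hypothetical placeholders standing in for an unpatched flaw, not a real vulnerability. It shows the two things the takeaways above call for: the rule is scoped narrowly and normalizes input before matching (so a double-encoded payload does not slip past), and every patch carries a tracking reference and a review date so stop-gaps can be found and retired.

```python
"""Virtual patch as a request filter with a review date (added example, not from the post).

Stands in for a WAF rule. The endpoint, parameter, ticket reference and
traversal pattern are hypothetical placeholders, not a real vulnerability.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date
from urllib.parse import unquote


@dataclass(frozen=True)
class VirtualPatch:
    name: str
    path_prefix: str        # only requests under this prefix are inspected
    field: str              # request parameter the exploit travels in
    pattern: re.Pattern     # exploit-shaped input to block, matched after normalization
    tracking_ref: str       # ticket for the real fix, so the patch is never orphaned
    review_by: date         # date by which the patch must be re-justified or removed


# Hypothetical rule: a placeholder export endpoint is assumed to be vulnerable
# to path traversal through its "file" parameter, and no vendor fix exists yet.
PATCHES = [
    VirtualPatch(
        name="VP-export-traversal",
        path_prefix="/api/export",
        field="file",
        pattern=re.compile(r"\.\.[/\\]"),
        tracking_ref="TICKET-placeholder",
        review_by=date(2024, 1, 31),
    ),
]


def normalize(value):
    """Decode percent-encoding twice so a double-encoded %252e%252e%252f is
    seen as ../ ; matching the raw string is the classic WAF bypass."""
    return unquote(unquote(value))


def evaluate(request, patches=PATCHES):
    """request: {'path': str, 'params': {name: value}}. Returns (decision, reason).

    Only the covered path and field are inspected, which keeps the patch
    narrow enough not to disturb unrelated traffic.
    """
    for p in patches:
        if not request["path"].startswith(p.path_prefix):
            continue
        value = normalize(request.get("params", {}).get(p.field, ""))
        if p.pattern.search(value):
            return "block", f"{p.name} ({p.tracking_ref})"
    return "allow", ""


def overdue(today_iso, patches=PATCHES):
    """Names of virtual patches past their review date (today as 'YYYY-MM-DD').
    A stop-gap nobody has re-justified quietly becomes permanent."""
    today = date.fromisoformat(today_iso)
    return [p.name for p in patches if today > p.review_by]


if __name__ == "__main__":
    print(evaluate({"path": "/api/export", "params": {"file": "%252e%252e%252fetc%252fpasswd"}}))
    print(evaluate({"path": "/api/export", "params": {"file": "report.csv"}}))
    print(overdue(date.today().isoformat()))
```

In production the same two properties matter: a WAF rule should be written against the specific endpoint and parameter that the vulnerability lives in, and it should be logged in the same tracker as the real fix with a date on which someone has to confirm it is still needed.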
0 implied HN points 22 Nov 22
  1. Software supply chain security is becoming more important due to recent cybersecurity incidents. Developers, suppliers, and customers all play key roles in keeping software secure.
  2. Using secure development practices, like threat modeling and regular security testing, helps prevent vulnerabilities from being introduced. It's crucial to have proper processes and training for developers.
  3. Organizations should verify third-party components and ensure a secure build environment to avoid compromising software. Having clear policies and tools in place can significantly reduce the risk of software supply chain attacks.
0 implied HN points 11 Oct 22
  1. The newsletter focuses on important topics like Cybersecurity and Cloud technologies. These are crucial for protecting information online.
  2. It covers DevSecOps, which combines software development, security, and operations. This helps in making sure that software is safe and reliable.
  3. Software Supply Chain Security is another key topic, aiming to keep software from being tampered with or compromised. It's about ensuring that the entire process of software creation is secure.
0 implied HN points 22 Nov 22
  1. The DoD aims to modernize its software to keep up with technology and improve national security. This modernization will help deliver better tools to military operations and humanitarian efforts.
  2. A big focus is on using cloud technology and DevSecOps for faster software delivery. This means creating safer software that can adapt quickly to changing needs.
  3. Changing policies and processes is just as important as new technology. The DoD needs to make sure the people involved are on board and that rules are updated to help speed up innovation.