The hottest Vulnerability Management Substack posts right now

And their main takeaways
Resilient Cyber 79 implied HN points 01 Aug 24
  1. The Exploit Prediction Scoring System (EPSS) helps predict how likely a software vulnerability is to be exploited. It provides a score, so organizations can focus on the vulnerabilities that really matter.
  2. Most vulnerabilities that are reported, about 94%, aren’t even exploited in real life. This means organizations waste a lot of resources on vulnerabilities that pose no threat, highlighting the importance of focusing on the ones that are actually exploited.
  3. The EPSS tool works better than older systems like the Common Vulnerability Scoring System (CVSS). It helps organizations prioritize their efforts, making vulnerability management more efficient.
Resilient Cyber 39 implied HN points 20 Aug 24
  1. Security tool sprawl is increasing in organizations, with many now using 70 to 90 different tools, making it harder to manage effectively.
  2. AI can speed up fixing coding vulnerabilities, but much AI-generated code can be insecure, requiring careful checking by developers.
  3. Understanding systems and processes is key to tackling the complexities of cybersecurity, rather than blaming external forces for challenges in job applications.
Resilient Cyber 79 implied HN points 16 Jul 24
  1. CISA's Red Team was able to infiltrate a federal agency and remain undetected for five months, highlighting vulnerabilities in government cybersecurity practices.
  2. The U.S. Office of Management and Budget has published new cybersecurity priorities for FY26, focusing on modernizing defenses and improving open-source software security.
  3. Google is close to acquiring the cloud security company Wiz for $23 billion, a move that could strengthen its position against competitors like Microsoft and AWS.
Resilient Cyber 79 implied HN points 09 Jul 24
  1. Cybersecurity roles are becoming more competitive, and many people want to join the field. It's important to have standards, but we also need to make sure newcomers have a chance to enter the profession.
  2. There's a huge increase in cybersecurity vulnerabilities, making it harder for companies to keep up. Organizations need better ways to manage these vulnerabilities to protect against attacks.
  3. The conversation around AI in cybersecurity is rising, with discussions on how to use it securely and the risks involved. Transparency is key to building trust, especially after high-profile breaches.
Resilient Cyber 199 implied HN points 11 Mar 24
  1. The NIST National Vulnerability Database (NVD) is an important source for understanding software vulnerabilities, but it is facing significant issues. Many vulnerabilities lack timely analysis and critical information.
  2. There is a need for better tagging and categorization of vulnerabilities, such as associating Common Vulnerabilities and Exposures (CVE) identifiers with specific products. Without this, organizations struggle to know what vulnerabilities affect their systems.
  3. Alternatives to the NVD like the Sonatype OSS Index and the Open-Source Vulnerabilities (OSV) Database are emerging, but they focus primarily on open-source software. The effectiveness and reliability of the NVD remain crucial for broader security practices.
Resilient Cyber 19 implied HN points 13 Aug 24
  1. Microsoft is tying employee bonuses to security performance, highlighting the importance of prioritizing security in their culture. This means employees are encouraged to choose security over other goals like speed or profit.
  2. There's growing interest in using AI for cybersecurity tasks, including identifying vulnerabilities and automating processes. This technology could help improve security practices but also presents challenges.
  3. The market for security automation is expected to grow significantly. This means companies are looking for ways to streamline their security processes and keep up with new threats efficiently.
Resilient Cyber 119 implied HN points 25 Apr 24
  1. Application security is becoming more complicated as software development grows, making it hard for teams to keep track of security issues. It's important for teams to have a clear view of application security to effectively manage vulnerabilities.
  2. ASPM platforms are designed to help organizations manage application security more efficiently by combining tools and workflows. They enable teams to see security risks clearly and respond quickly to issues without overwhelming them with alerts.
  3. The integration of security into the development process, known as DevSecOps, aims to reduce vulnerabilities and improve collaboration among teams. With ASPM, businesses can connect security efforts across different stages of software development for better protection.
Resilient Cyber 19 implied HN points 06 Aug 24
  1. CrowdStrike is facing lawsuits after a significant outage affected Delta Air Lines and many flights. This situation raises concerns about the reliability of software and the idea of software liability.
  2. Cybersecurity has many common mistakes, or anti-patterns, that organizations fall into. These include chasing the latest trends instead of focusing on core security practices.
  3. The SEC's new rules may be harming the effectiveness of Chief Information Security Officers (CISOs) in the U.S., making it harder for them to focus on reducing risks for their organizations.
Boring AppSec 38 implied HN points 10 Nov 24
  1. The Secure by Design initiative aims to improve software security, but it's unclear how effective it will actually be. Companies might just treat it as another compliance standard without real change.
  2. CISA's approach mixes good ideas with vague guidelines, making it hard for security teams to use effectively. This can lead to companies focusing on basic compliance instead of deeper security improvements.
  3. Awareness initiatives can be helpful, especially for new issues in cybersecurity, but they often become outdated. What worked in the past, like OWASP Top 10, may not be useful for current complex security challenges.
Resilient Cyber 39 implied HN points 25 Jun 24
  1. Companies need to be careful about how much they share regarding their cyber insurance. Revealing this information might make them targets for attackers.
  2. The role of a CISO is changing and becoming more business-focused. Many believe they should focus on leadership rather than just technical tasks.
  3. AI can help improve cybersecurity, but there are also concerns about its use by attackers. It's important to explore how AI can enhance our defenses.
Resilient Cyber 79 implied HN points 03 May 24
  1. Vulnerability exploitation is growing rapidly, with a 180% increase reported. This means more cyber attackers are taking advantage of software weaknesses.
  2. Organizations are struggling to keep up with vulnerability management. Simply telling them to patch faster isn't enough; they need better strategies to reduce the number of vulnerabilities.
  3. The push for 'Secure-by-Design' software is getting stronger. This approach encourages companies to take responsibility for their products' security, making them safer for everyone.
Resilient Cyber 119 implied HN points 25 Feb 24
  1. Organizations should have a clear policy to automatically apply software updates. This helps close the gap between when vulnerabilities are identified and when they are fixed, making it harder for bad actors to exploit them.
  2. Knowing what assets you own and who is responsible for them is crucial. Without this information, vulnerabilities could go unaddressed, leading to increased security risks.
  3. The business should take ownership of the risks related to vulnerabilities, not just the security team. It’s important for leadership to understand and document the decisions regarding risks associated with remediation.
Resilient Cyber 179 implied HN points 20 Dec 23
  1. The number of software vulnerabilities is growing really fast, and it's hard for organizations to keep up. Right now, a lot of vulnerabilities get reported, but companies can only fix a small fraction of them each month.
  2. There's a big push for making software safer from the start, so users aren't stuck dealing with problems created by developers. This idea, called 'Secure-by-Design,' aims to shift the responsibility for security onto the companies making the software.
  3. Many organizations are feeling overwhelmed trying to patch vulnerabilities. If they stop, they risk being exploited by attackers, making it feel like a never-ending struggle to stay secure.
Resilient Cyber 159 implied HN points 18 Dec 23
  1. SBOMs, or Software Bills of Materials, list the components of software products. They help organizations know what parts make up their software, which is important for security.
  2. The NSA offers guidelines for managing SBOMs, emphasizing the need for both software suppliers and consumers to take security seriously. Suppliers should be transparent and accountable, while consumers should ensure their suppliers follow good security practices.
  3. Organizations need effective SBOM tools that can manage and analyze software components, detect vulnerabilities, and facilitate easy reporting. These tools should also be user-friendly to help teams work efficiently.
Security Is 39 implied HN points 15 May 24
  1. A Software Bill of Materials (SBOM) lists all the components in software, which can help in understanding security risks but isn't a magic fix for vulnerabilities.
  2. The real issue with fixing vulnerabilities isn't about having information; it's about how hard and complicated it is to apply patches to software.
  3. While SBOMs are getting a lot of hype, they mostly offer a new format for existing information and may not change how organizations manage security vulnerabilities.
Resilient Cyber 219 implied HN points 31 Jul 23
  1. EPSS 3.0 helps security teams focus on the vulnerabilities that are most likely to be exploited soon. This makes managing vulnerabilities easier and more efficient.
  2. Many organizations struggle to fix all their vulnerabilities and often end up wasting time on those that are rarely exploited. EPSS aims to change that by identifying threats more accurately.
  3. The new version of EPSS shows a big improvement in predicting which vulnerabilities are at risk. This means companies can spend less time on unimportant issues and focus on what really matters.
Resilient Cyber 19 implied HN points 09 May 24
  1. The Secure-by-Design Pledge encourages software companies to make their products more secure, focusing on goals like using multi-factor authentication and reducing default passwords. This means companies are promising to create safer software for everyone.
  2. The pledge is voluntary, which means companies are not legally required to follow these guidelines. While this relies on their honesty, it raises trust issues since there's no enforced accountability.
  3. Many big names in tech have signed this pledge, which is a positive step. But it's crucial for more non-security-focused companies to join in for real change to happen in improving software security.
Resilient Cyber 79 implied HN points 18 Dec 22
  1. Vulnerability Disclosure Programs (VDP) help software suppliers communicate vulnerabilities to users. Having a clear VDP builds trust and prepares organizations for potential security issues.
  2. A Product Security Incident Response Team (PSIRT) focuses on managing and responding to security issues in products. PSIRTs help organizations effectively analyze vulnerabilities and communicate solutions to their consumers.
  3. Maturity levels for PSIRTs range from basic to advanced, with advanced teams being proactive and integrating security into product development. This approach ensures better security practices and communication throughout the supply chain.
Resilient Cyber 59 implied HN points 22 Nov 22
  1. CISA emphasizes using machine-readable formats for security advisories to help organizations quickly understand and respond to vulnerabilities. Automating this process can speed up how fast companies act against threats.
  2. The Vulnerability Exploitability eXchange (VEX) helps organizations know if a vulnerability affects their products. This allows them to focus on the most critical risks rather than wasting time on ones that don't impact them.
  3. CISA's Stakeholder-Specific Vulnerability Categorization (SSVC) helps organizations prioritize which vulnerabilities to address based on impact and urgency. It guides decision-making with a structured approach to risk management.