There have been a few neat opportunities to write and discuss a variety of topics over the last few weeks, and they have now been published. The most recent is a blog post I co-authored with Tracy Ragan at DeployHub entitled SBOMs, So Far, So Good, So What?, where we look at a concerning trend: everyone is talking about what a good SBOM (Software Bill of Materials) should contain, but very little is said about how to consume one, or what you do once you've got it. I was actually discussing the topic with my wife and, amusingly, we had watched Conan the Destroyer a few weeks ago, so she said: "Grab it, and take it!" to which I responded: "Once you've got it, what do you do with it?" I didn't think that was the most appropriate way to title the blog post, though.
For those who've never seen Conan the Destroyer, here's a clip of the scene, although it doesn't include her follow-up of "once you've got him, what do you do with him?" 🤣
In other news, I was featured in the latest Red Hat Security Detail episode, CVE and CVSS explained | Security Detail, which I went to Raleigh, NC to film last year. I think it turned out pretty well, and it's me (again) talking about a risk-based approach to vulnerability management versus old-school (and ineffective) check-box-based security. There's a companion article entitled What is a CVE? to go along with the video.
Finally, a co-worker of mine from Eastern Canada was in town for a day, and he has a series on LinkedIn called "Todd Talks", so we recorded two videos for it. The first, Todd Talks security 1, is again about vulnerability management, filmed in my kitchen; the second, Todd Talks security 2, is about risk profiles and vulnerability scoring.
These aren't things I would necessarily have been comfortable doing in the past, but I'm leaning into them because there's some really good messaging that needs to get out. Hopefully these inspire some new thinking about how, and when, we fix vulnerabilities, while also keeping the conversation going. When I talk to customers 1:1 and explain this, they understand: fixing all vulnerabilities isn't scalable or effective, and the numbers bear that out (see the 2022 Product Security Risk Report, particularly when it comes to known exploitation). We can spend a lot of time fixing things that don't matter, or we can spend that time fixing what truly matters, responding quickly when something starts to matter, and focusing engineering and operational effort on work that actually provides value.
There's a lot to talk about there, and a lot of old-school thinking that needs to be changed. Let the conversation continue!