Today I had the privilege of being involved in Tidelift’s Upstream 2024 virtual conference. The conference as a whole was fantastic. I watched every talk, and there is some really great content there about open source security and how it’s being looked at and considered by multiple industries, much of it centered on the problems and potential solutions, using events like the xz-utils incident, Log4Shell, and others as a basis for the conversation.

My talk topic shouldn’t be a surprise. It was entitled “Patch management needs a revolution” and covers what I typically talk about: security needs to be risk-based, not compliance-driven. The compliance approach is crushing everyone (vendors and customers alike), and it isn’t actually helpful or effective. We need a different approach, one that targets where most breaches and compromises actually happen, and that is demonstrably not software exploitation.

If you got here and you’re wondering why I’m assuming the topic shouldn’t be a surprise, you might want to check out my earlier posts: Rethinking Risk in Vulnerability Management and Red Hat Summit 2024 (which has a few links to different talks about the same topic).

If you have the time, you should head over and watch the talks (not just mine!). If you don’t have the time, you should make the time. Honestly, it’s well worth it.

