TLDR; * For Application Security, start with Threat Modeling including Context. Look at all our architecture diagrams and start evaluating from an attacker's mind. * When using Open Source dependencies, start with a Baseline Vulnerability Scan and do a continuous process to review and evaluate dependencies. * Understand dependencies, SBOM to
October 13, 2023
TLDR; * Context is key when it comes to Vulnerability Management. Instead of focusing on Vulnerabilities by severity, organizations should evaluate the exploitability and actively exploited vulnerabilities for Prioritization. * When looking at Vulnerabilities do not take CVSS Base score at face value, organizations should understand & utilize Temporal and Environmental elements
September 29, 2023
TLDR; * Detailed Understanding on particular capability with overview of entire architecture is very important from a Threat Modeling perspective. * Create Checklists to scale security in an organization. Involve all teams, and when possible invest and nurture a security champions program. * Security is a journey not a destination. Celebrate small wins.
September 08, 2023