1 Comment

Chris -- good article, but there are a couple of points that need further exposure.

First, the entire paradox of those SOBs in the security office is brought to the enterprise by the fact that Congress granted the software industry a waiver from the Universal Commercial Code’s “warranty of merchantability” and “fitness for use” liabilities. The nexus is, as you pointed out in the article, a few thousand CVEs in the 1990s to the malignant obesity of 2023. You might have focused the article on quantifying the unplanned and un-resourced/under-resourced patch management burden foisted on commercial and government customers. We need to flip the script, because we both know the big software vendors are profiting by offering vulnerable code and then vertically integrating their product line into selling security tools to “help” remediate their bad code. Hence, get on the bandwagon of section 3 of the recently released National Cybersecurity Strategy.

Second, you understated the aspect of adversaries weaponizing older vulnerabilities. That is just the iceberg above the waterline; the bigger issue is those unpatched older vulnerabilities that have been weaponized but retained for the future, and those zero-day exploits that are way below the waterline. The law of diminishing interest in older vulnerabilities makes the attack surface even bigger.

Happy to chat.

Respectfully,

Scott