Sitemap - 2022 - Deploy Securely

The Chinese Government was probably responsible for the 2022 LastPass hack

Is cyber risk uninsurable?

Why your company might NOT need a SOC 2 report

ChatGPT's implications for cybersecurity

Security questionnaires as a hazing ritual

Confronting the weaknesses of the NVD and CVE system

Vulnerability notification and disclosure

How should federal agencies prioritize vulnerabilities?

Revealing the government's approach to vulnerability management

Manage Google Drive security in 60 seconds

Why you probably should use the EPSS

Defending Upstream

Reviewing Palantir's vulnerability management program

Not if, but when...

What is a software supply chain attack?

Confronting the government's latest secure software development guidance

NIST SP 800-53 (rev. 5, of course)

But is it exploitable?

A review of NIST SP 800-37

Deploying securely, the government way

The case for a SaaS bill of materials

No- and low-code security

The NIST Cybersecurity Framework

The four horsemen of risk management

Security Release Criteria

The Cyber Safety Review Board of the log4shell incident

Vulnerability management in contracts

Managing your risk surface

Coordinated Vulnerability Disclosure (CVD) Programs

How to communicate about CVE exploitability without having to fix all "highs and criticals."

Security maintenance planning

The Deploy Securely risk assessment model - version 1.0.1

Shared security models

The Deploy Securely risk assessment model - version 0.3

Exploit Prediction Scoring System (EPSS): a deep dive

Technical due diligence for identifying cybersecurity risk in external parties

External audits: a better solution for 3rd (and greater) party risk management?

Security questionnaires: worth the trouble?

The federal government (at least part of it) confirms that it does not understand cyber risk management

Manage unknown cyber risk from 3rd (and greater) party software and systems

The federal government doesn't sound like it understands cyber risk management

Application security tools and vendors