Jessy Irwin ✨ @jessysaurusrex, 25 tweets, 4 min read
Incoming: tiny or possibly not-so-tiny security rant about vuln + dependency management
Alright, so, real talk: many of us who are trying to live our best security lives run on a handful of pretty serious mantras-- that Bruce Schneier quote about security being a process and not a product is one of the big ones.
The backbone of many early iterations of security process is usually some form of a spreadsheet. It's essential to take stock of what your software is made out of, and you have to take stock of what software you're using to make software + run a business.
(Side note: I've worked in a library and a museum before. And I f*cking love these spreadsheets so much. Don't @ me)
I've worked on many, many of these process backbone spreadsheets, but there are a few that have really gotten under my skin lately: vulnerability management, and dependency management.

They're kind of a big deal, but a quick scan of two important columns = instant rage.
One of the most important columns in the vuln/dependency management spreadsheet is the one for security advisories-- its partner in importance is the column for security pages attached to products/packages/software.

Real talk: these are the most infuriating columns ever.
Every time I open one of these spreadsheets cataloging software and software parts, the Security column pair is such a freaking disappointment. For way too many things in use in technology, "None" and "None" fill the sec advisory + sec page columns.

THIS IS NOT OKAY
Vuln management and dependency management are extra super intertwined with a process that infosec folks love to argue about ad nauseam: patch management. Some of us are on the "patching is hard and not always feasible" side, others argue "what kind of idiot doesn't patch?"
Back to my spreadsheet though, because for real, there is a big old mess going on here...
When I scan through software parts and see that there's no security advisory page, no security page, and that instead a well-meaning security person has to bookmark changelogs, sign up for mailing lists, and learn to read smoke signals to get security updates, I am mad as hell 🔥
Yes, security bugs won't come marching in through the front door in a perfectly orderly fashion... but we should be able to come up with a functional, timely way for security alerts to come to us.

If we can't get alerts, how the hell can any of us patch?!
Nothing screams "dysfunctional relationship" and "awful communication" to me more than the widespread lack of /security pages across every kind of software part imaginable-- free-range, open source code and enterprise fanciness alike.
Yes, services and tooling exist to backport patches to common/popular distros of software. But not every organization can afford that (security poverty lines are real) and many developers aren't interested-- they want to use the newest + coolest features, tech, and code
This is an incredibly difficult problem to solve, and it is one that many fancy organizations spend quite a bit of money trying to solve or improve. But what about the rest of us? Shouldn't/couldn't we have more than a million mailing lists and groups to join for info?
It would be so cool if there were a reliable way to disseminate security updates and patch info in a timely manner to *everyone* without needing to sign up for a million groups and lists.

We're not going to increase time-to-patch metrics without it. So maybe let's get to work?
Honestly, at this rate, most of us would spend like 5 years and way too much money on vendors + resources to try and figure out how to automate security alert delivery across this crazy patchwork of information distribution. And we'd fail. Ain't nobody got time for that!
So yes, I am all "omg how can we make patching/dep + vuln mgmt work better, this is way too much crazy to expect everyone to do?!" ... but for real:

What tiny improvements can we start with that have a big impact? How do we get software folks flying in formation in fix mode?
The way we distribute security advisories and patch update information is fragmented af and it seems to be setting almost any well-meaning security team/person up for total failure. How do we improve the process for everyone, and not just people with budget for vendor tools?
Every dang time I see a "NO" in the security advisories/security page/RSS feed column, it feels like the universe is all 👿 and honestly... how the hell do any of us have any hope in empowering developers + building safe and secure things with this as the status quo?

/rant
Yes, hello, someone is arguing at me and now I have more things to say.
Fixing broken security advisories/updates isn't a silver bullet. Coding is very much creation and speech, and to move the needle in the right direction, we need to look at current obstacles + think critically about how to foster core security values among devs across the planet
It would be so cool if we could come up with a handful of clear, direct, concise ways to deliver information that doesn't require quilting a nearly-impossible set of patch info updates into a process. There are good reasons for this.
So many people in this world learning to develop and learning to write code are not from the US, will never approach creating software through our policy, and may not even have a full formal education. How do we make this better to give them some hope of success?
"You never went to a top tier school to learn how to write secure code so you can't write code" isn't an answer here, not when so few top tier schools even appropriately teach secure development + dep/vuln management correctly to begin with.
So many words have been spilled about things being secure-by-default, but maybe that term should expand to include getting security advisories without an Odyssey-like journey for info. And it should work for people who build stuff outside of the US, too.

/fin
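The spreadsheet audit the thread keeps coming back to (which software parts have an advisory source and a security page, and which are "None" / "None"), plus the "get alerts to us" step, as an added example. This is not code from the thread or from Jessy Irwin; it assumes the inventory is exported as CSV with the column names shown and that a project's advisory source is an Atom feed. Every package name, version, URL and feed entry below is constructed sample data.

```python
"""Audit a dependency inventory for missing security-update sources, then
match advisory feed entries against the inventoried components.

Hypothetical example: the inventory rows and the Atom feed are constructed
sample data, not real package metadata.
"""
import csv
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

ATOM_NS = {"atom": "http://www.w3.org/2005/Atom"}

# Constructed inventory in the spreadsheet shape the thread describes: one row
# per software part, with a column for the advisory feed and one for the
# security page. "None" marks exactly the gaps the thread complains about.
INVENTORY_CSV = """name,version,advisory_feed,security_page
libwidget,2.4.1,https://example.invalid/libwidget/advisories.atom,https://example.invalid/libwidget/security
fancyorm,0.9.3,None,None
netparse,5.1.0,None,https://example.invalid/netparse/security
"""

# Constructed Atom feed of the kind a project might publish at its advisory URL.
ADVISORY_FEED = """<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>libwidget security advisories</title>
  <entry>
    <title>libwidget: memory safety issue fixed in 2.4.2</title>
    <updated>2019-04-02T10:00:00Z</updated>
    <category term="libwidget"/>
    <link href="https://example.invalid/libwidget/advisories/2019-01"/>
  </entry>
  <entry>
    <title>libwidget: hardening release 2.3.9</title>
    <updated>2019-03-10T10:00:00Z</updated>
    <category term="libwidget"/>
    <link href="https://example.invalid/libwidget/advisories/2019-00"/>
  </entry>
</feed>
"""


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    advisory_feed: Optional[str]
    security_page: Optional[str]


def _clean(cell: Optional[str]) -> Optional[str]:
    """Treat empty cells and the spreadsheet's 'None' / 'NO' markers as missing."""
    value = (cell or "").strip()
    return None if value in ("", "None", "NO") else value


def load_inventory(csv_text: str) -> list:
    """Parse the CSV export of the inventory spreadsheet into Component rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        Component(row["name"], row["version"],
                  _clean(row["advisory_feed"]), _clean(row["security_page"]))
        for row in reader
    ]


def missing_columns(components: list) -> dict:
    """Map each component name to the security columns it leaves empty."""
    report = {}
    for c in components:
        gaps = []
        if c.advisory_feed is None:
            gaps.append("advisory_feed")
        if c.security_page is None:
            gaps.append("security_page")
        if gaps:
            report[c.name] = gaps
    return report


def missing_security_sources(components: list) -> list:
    """Names of components with neither an advisory feed nor a security page:
    the 'None' / 'None' pairs that need a bookmark-the-changelog workaround."""
    return sorted(c.name for c in components
                  if c.advisory_feed is None and c.security_page is None)


def match_advisories(feed_xml: str, components: list) -> list:
    """Return (name, installed version, advisory title, link) for every feed
    entry whose <category term> names an inventoried component, so the
    alert reaches the people running that component instead of only the
    people who happened to subscribe to the right list."""
    by_name = {c.name: c for c in components}
    hits = []
    for entry in ET.fromstring(feed_xml).findall("atom:entry", ATOM_NS):
        terms = {cat.get("term") for cat in entry.findall("atom:category", ATOM_NS)}
        for term in sorted(terms & by_name.keys()):
            title = entry.findtext("atom:title", default="", namespaces=ATOM_NS)
            link = entry.find("atom:link", ATOM_NS)
            hits.append((term, by_name[term].version, title,
                         link.get("href") if link is not None else None))
    return hits


if __name__ == "__main__":
    comps = load_inventory(INVENTORY_CSV)
    print("no security source at all:", missing_security_sources(comps))
    print("gaps per component:", missing_columns(comps))
    for name, version, title, link in match_advisories(ADVISORY_FEED, comps):
        print(f"[{name} {version}] {title} -> {link}")
```

The feed matcher keys on the Atom category term rather than on the advisory title, so a renamed or reworded advisory still lands on the right inventory row; whether the installed version is actually affected is a second, per-advisory judgement this example does not try to automate.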