Zenius Corporation’s Post

Not normally a "White House Cyber Security Directive" reader but found this this particular quote to be SPOT ON: "For far too long, primary responsibility for the cybersecurity of an organization has rested with the Chief Information Security Officer (CISO) of the company using software. They cannot be the only stakeholder accountable for cybersecurity outcomes; it is also critical, for example, that the Chief Information Officer (CIO) who is buying software, and the Chief Technology Officer (CTO) of manufacturers building software share this responsibility. A cybersecurity quality metric could improve collaborative decision-making across all parties." From: https://lnkd.in/ekWJvsxQ

🔐 National Cybersecurity Strategy: A Call to Action for the IT Community This new report by the US Government outlines a revamped National Cybersecurity Strategy with two key changes: 1️⃣ Shared Responsibility: Cybersecurity defense is no longer a solo act! 💪 2️⃣ Investing for the Future: Incentivize long-term security solutions! 📈 The report highlights the tech community as a critical partner in achieving these goals, specially by means of: Safer Code, addressing memory safety vulnerabilities through better software & hardware, specially by chosing a proper Programming Language. Measurable Security, developing accurate cybersecurity quality metrics to finally tackle software measurability What are your thoughts on this new strategy? Let's discuss in the comments! https://lnkd.in/e6w7HUvB 👇 #cybersecurity #nationalstrategy

What do the Morris worm (1988), the Slammer worm (2023), the Heartbleed vulnerability (2014), the Triden exploit (2016) and the Blastpass exploit (2023) have all in common? Those headline-grabbing cyberattacks have all a common cause: memory safety vulnerabilities. In a report published yesterday by the White House Office of the National Cyber Directory (ONCD) where it calls the technology manufacturers to adopt memory safe programming languages to avoid entire classes of vulnerabilities. It also pledges the community to come up with better visibility into software security by implementing cybersecurity quality metrics, using the open source ecosystem as a backdrop thanks to its ubiquity in hardware and software, its accessibility and transparent nature. Read the full report: https://lnkd.in/dZ67s-Aa What metrics would you implement to evaluate the cybersecurity quality of the software you are building, besides the number of vulnerabilities found in software analysis? #oncd #measurementandanalytics #productsecurity #cybersecurity Shai Horovitz Aviram Shmueli Daniel Koch Orit Golowinski Michal Lipschitz Ilanit Nitzan Rob DiNuzzo Charlie Klein Moshiko Lev Shuki Levy Ariel Beck Judah Weiss Gil Zimmermann Tsahy Shapsa Ron Zalkind Jim Manico Avi Douglen Josh Grossman Steve Springett Jimmy Mesta Chris H. Walter Haydock

There's been a lot of talk lately about cybersecurity in the news, as there should! The White House even published a report about cybersecurity and trying to evaluate new best practices (https://lnkd.in/eVb3m2Qd). I say if you at all care about your application or feature security, the first step is to do some form of threat modeling. Without understanding where you're open for attack, internally & externally, you can't get a grasp of what to fix. OWASP has a good article on how to do this process! https://lnkd.in/er5PGGrY The next step would be to look at the CVEs opened against the open-source technology in your ecosystem. Understanding the target areas first helps you understand the actual level of risk a given CVE is in your ecosystem. Some ecosystems, regardless of the actual risk to the ecosystem, require CVEs to be resolved (like banks and healthcare companies). This is also likely part of due diligence. https://lnkd.in/egPq7mkp If there are CVEs you can't get to, because of a lack of expertise or fighting business priorities, give HeroDevs a call. We have a growing portfolio of technology we're supporting and if there's something we don't yet support, ask us about it! It may be on the roadmap. https://www.herodevs.com

So, the White House has published a something dealing with memory safe software (https://lnkd.in/eF995m7v). While credit is due for the effort, the report is less of a strategy and more a cheerleading exercise. The report is correct in pointing out that this is one of the most critical challenges to solving the cybersecurity crises. However, while I hoped to read a requirement for NIST to publish a software memory safe standard (that the U.S. Government would use for software acquisition) all I got was a rallying cry for industry to do better. Big letdown.

I couldn't agree more with Robert Bigman, this was obviously authored by people that have never built enterprise software before. There are so many issues that have to be addressed when building scalable software, and while memory safe languages are great, its like going to home builder and saying locks aren't effective at keeping out burglars. While true, when building software you have to focus on performance, scalability, maintainability, and platform integration while keeping security as a priority. You can absolutely build secure applications without memory safe languages, but it takes design and intent. This just seems like more of the government trying to tell everyone that the problem has nothing to do with the fact that they let the attackers continue to attack without real consequences, which in turn is growing the number of attackers and the frequency of attacks. Ransomware is not a technology problem, its a law enforcement problem... these attackers (while many have gov support and protection) are operating as individual crime groups, not nation state espionage, and when it comes to stopping criminal action we as taxpayers rely on the police to protect and deter the behavior. I'm so tired of the government telling all of us that its our fault... prosecuting victims, instead of the attackers and making it seem like the whole industry isn't trying hard enough, and if we just listened to their sophomoric advice everything would be better. I'm holding my breath for the report from the White House that says removing the doors from your house will prevent burglars from breaking in.

A new Office of the National Cyber Director, The White House (ONCD) report--BACK TO THE BUILDING BLOCKS: A PATH TOWARD SECURE AND MEASURABLE SOFTWARE--builds on President Biden's National Cybersecurity Strategy. The ONCD report outlines an important paradigm shift advocating shared responsibility and collaboration between the CISO of the company using the software, the CIO buying the software, and the CTO of manufacturers building the software. "Reframing the discussion on cybersecurity from a reactive to a proactive approach enables a shift in focus from the front-line defenders to the wide range of individuals that have an important part to play in securing the digital ecosystem. For far too long, primary responsibility for the cybersecurity of an organization has rested with the Chief Information Security Officer (CISO) of the company using software. They cannot be the only stakeholder accountable for cybersecurity outcomes; it is also critical, for example, that the Chief Information Officer (CIO) who is buying software, and the Chief Technology Officer (CTO) of manufacturers building software share this responsibility. A cybersecurity quality metric could improve collaborative decision-making across all parties." #cybersecurity #criticalinfrastructureprotection #publicsectorforecast

Small firms don't have the capacity to effectively manage cybersecurity. Here, the US approach makes sense. Also, in a few years, getting rid of memory safety vulnerabilities will become easier using AI / NoCode dev paradigm (with mem-safe underlying language)

Cybersecurity experts recommend the adoption of memory-safe programming languages to drastically reduce the risks of exploitable vulnerabilities. This fact sheet outlines the flaws of traditional languages like C and C++, which are prone to security gaps. By transitioning to safer alternatives, we can significantly enhance the protection of critical infrastructure. Explore the full report https://lnkd.in/d3tq7VSi for a comprehensive analysis of this vital strategy.

White House : future software should be memory safe. "In line with two major themes of the President’s National Cybersecurity Strategy released nearly one year ago, the report released today takes an important step toward shifting the responsibility of cybersecurity away from individuals and small businesses and onto large organizations like technology companies and the Federal Government that are more capable of managing the ever-evolving threat." will we eventualy kill C (or the bad C programmers?) https://lnkd.in/dAAgEfrT