https://community.isc2.org/t5/Tech-Talk/Securing-The-Supply-Chain-of-Nothing/m-p/53458#M3634 <P>Kind of like Freakanomics meets InfoSec?</P><P>&nbsp;</P><P>The only point I found a little controversial was #1, slowing down development hurts security. But Kelly Shortridge sells me on their logic. Maybe I would counter that there is an "optimum" pace for development or that the schedule should follow the development calendar, not the marketing/product one. But there is Freakanomic logic to the idea that you sooner you release, the sooner you can fix.</P><P>&nbsp;</P><P>My own experience, having come into security from the development side, is that software development models rarely match software development practices. Now, I imagine there are some places that adhere to a very thorough process, but my sense is they are more the exception, and increasingly so given the embrace of Agile. Then again, I may have just been a really bad developer.</P> Fri, 16 Sep 2022 15:01:16 GMT JoePete 2022-09-16T15:01:16Z https://community.isc2.org/t5/Tech-Talk/Securing-The-Supply-Chain-of-Nothing/m-p/53430#M3631 <P>While it is positioned as a rebuttal of the recent guidance published by CISA, NSA, and ODNI, I think this essay is brilliant and provides serious observations that should be considered in the context of any appsec effort.</P><P>&nbsp;</P><P>Should be worth 5 CPEs but it probably isn't because apparently professionals are better off watching product webinars.</P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://swagitda.com/blog/posts/securing-the-supply-chain-of-nothing/" target="_blank">https://swagitda.com/blog/posts/securing-the-supply-chain-of-nothing/</A></P><P>&nbsp;</P> Thu, 15 Sep 2022 22:10:06 GMT https://community.isc2.org/t5/Tech-Talk/Securing-The-Supply-Chain-of-Nothing/m-p/53430#M3631 wimremes 2022-09-15T22:10:06Z https://community.isc2.org/t5/Tech-Talk/Securing-The-Supply-Chain-of-Nothing/m-p/53458#M3634 <P>Kind of like Freakanomics meets InfoSec?</P><P>&nbsp;</P><P>The only point I found a little controversial was #1, slowing down development hurts security. But Kelly Shortridge sells me on their logic. Maybe I would counter that there is an "optimum" pace for development or that the schedule should follow the development calendar, not the marketing/product one. But there is Freakanomic logic to the idea that you sooner you release, the sooner you can fix.</P><P>&nbsp;</P><P>My own experience, having come into security from the development side, is that software development models rarely match software development practices. Now, I imagine there are some places that adhere to a very thorough process, but my sense is they are more the exception, and increasingly so given the embrace of Agile. Then again, I may have just been a really bad developer.</P> Fri, 16 Sep 2022 15:01:16 GMT https://community.isc2.org/t5/Tech-Talk/Securing-The-Supply-Chain-of-Nothing/m-p/53458#M3634 JoePete 2022-09-16T15:01:16Z