wimremes
Contributor III

Securing The Supply Chain of Nothing

While it is positioned as a rebuttal of the recent guidance published by CISA, NSA, and ODNI, I think this essay is brilliant and provides serious observations that should be considered in the context of any appsec effort.

Should be worth 5 CPEs but it probably isn't because apparently professionals are better off watching product webinars.

https://swagitda.com/blog/posts/securing-the-supply-chain-of-nothing/

Sic semper tyrannis.
JoePete
Advocate I

Kind of like Freakonomics meets InfoSec?

The only point I found a little controversial was #1, slowing down development hurts security. But Kelly Shortridge sells me on their logic. Maybe I would counter that there is an "optimum" pace for development or that the schedule should follow the development calendar, not the marketing/product one. But there is Freakonomic logic to the idea that the sooner you release, the sooner you can fix.

My own experience, having come into security from the development side, is that software development models rarely match software development practices. Now, I imagine there are some places that adhere to a very thorough process, but my sense is they are more the exception, and increasingly so given the embrace of Agile. Then again, I may have just been a really bad developer.