Blog

Of course, every organization has a security culture. If they say they don’t, they are either lying or afraid to admit they have a bad security culture. The good news is that any security culture can positively change how the organization approaches security. But culture change takes time, so don’t expect your members of your organization to overnight become pen-testing Ninjas that write secure code while they sleep. With the right process and attitude, you’ll get there.

I've been working on Security belt programs for 10+ years. I've had the privilege to help build the Cisco Security Ninja program. I'm also continuing to develop our security belt platform at Security Journey. I've created over 500 pieces of learning content. I've created material and the assessment questions that go with it.

Unlike wine and cheese, software does not get better with age—in fact, its security strength decreases over time. This is because of software obsolescence.The problem is more significant than any other software security issue because it includes all the other liabilities. Take the OWASP Top 10 as an example. The list contains the most prevalent application security risks, and one (A9) is "using components with known vulnerabilities."And those components can introduce every other risk on the OWASP Top 10, including injection (A1), broken authentication (A2), and sensitive data exposure (A3).

On this episode, Chris and Robert interviewed Steve Springett about the world of the secure supply chain.In part one of the series, we covered software supply chain risk, the depths of the software composition analysis market, and the current state of commercial and open-source SCA. Read part one first to set the stage on SCA and software supply chain risk.

Here are five things that have impacted me in my career, and helped me to grow both as a security person and a human being.

On the Internet, detection and reporting of vulnerabilities in software is a daily occurrence. Where do those vulnerabilities originate? Are they introduced into code by artificial intelligence or some advanced machine-learning algorithm? Nope.Human developers create them—mostly not on purpose, but by accident.