Do you think the increased prominence of ransomware will force organizations to put more resources into risk quantification?

Anonymous Author
If you look at the software bill of materials (SBOM) and the executive order, it's back to fundamentals: let's start looking at our weaknesses and what we're building and what we're shipping. I'm glad we'll get back to the basics on looking at risk on every piece of code we write going forward. At least, I hope that's the intent. I had my team run this analysis on about 208,000 known common weakness enumerations (CWEs) I released. I asked them to make a density chart on the weaknesses released by every vendor: Microsoft, Adobe, everybody. These are the common things we're taught in school not to do, and they were all over the map. You can compare vendor to vendor and say, "What is going on here?" We've been talking about the OWASP Top Ten for a long time, and predominantly the known CWEs had the OWASP Top Ten all over them, so what happened to their software testing life cycle (STLC)? It's time to go back to the basics and have those conversations.
0 upvotes