Security

Why supply chain security is so much more than open source code and CVE’s

This article describes why supply chain security is about all of the upstream and downstream dependencies that modern applications rely on and not just open source libraries.

By Mark Curphey

Jan 10, 2023

CVE / NVD doesn’t work for open source and supply chain security

Part two of my article about what is wrong with CVE/NVD and some ideas about how we could improve it.

By Mark Curphey

Dec 21, 2022

CVE / NVD doesn’t work for open source and supply chain security

Crash Override

By Mark Curphey

Nov 30, 2022

A Security Tools Crash Is Coming

An explosion of security startups and the economic climate are colliding and going to result in a train wreck. This post dives deeper in this that a recent short post in LinkedIn.

By Mark Curphey

Nov 21, 2022

What I Learned About Information Security From Academia

In this post I share lessons from my degree in info lessons earned in the real world after I left, told with some colourful real anecdotes

By Mark Curphey

Oct 11, 2022

Why SCA for Security is Really Hard

This post focuses on using SBOMs and vulnerability data and explains why most vulnerability data is not up to the job.

By Mark Curphey

Oct 10, 2022

The CSO Interviews - the biggest unsolved problems in security today

We asked over 50 leading CSOs and appsec leaders what their biggest unsolved problems were and then sat back and listened. This is what we heard.

By Mark Curphey

Sep 28, 2022

Subscribe to our newsletter

Practical insights, sharp takes, and tactical guidance for engineering and security leaders.

Resources
Glossary
FAQ