An Analysis of Generative AI: How to Be Confidently Wrong

The recent release of the National Cybersecurity Strategy document by the White House prompted me to test Microsoft's new Bing chat feature, which is powered by OpenAI's language model, ChatGPT. This model responds to user prompts and learns from previous interactions to provide relevant answers. My experiment aimed to test how well it could summarize the document and provide insights into its contents.

Read More

S4x23 SBOM Challenge — Part 3: VEX Document Ingestion

Three weeks ago I reported on the first part of the S4x23 SBOM Challenge run by Idaho National Laboratory (INL), which focused on SBOM Creation. Last week I reported on the second part: SBOM Ingestion. Today’s blog post reports on the final goal of the S4x23 SBOM Challenge, where the participants were provided with INL-generated VEX documents for each target and asked to ingest them.

Read More

S4x23 SBOM Challenge — Part 2: SBOM Ingestion

Two weeks ago I reported on the first part of the SBOM Challenge at the S4x23 cybersecurity conference in Miami, Florida. The Day 1 goal was for each team to create an accurate SBOM for three target artifacts and then identify known vulnerabilities in the components in each SBOM. Today’s blog reports on Day 2 of the S4x23 SBOM Challenge, where Idaho National Laboratory (INL) provided INL-generated SBOMs for each artifact for the participants to...

Read More

Three Quick Takeaways from Biden’s National Cybersecurity Strategy

 

NOTE: We were going to publish our second blog of the S4x23 SBOM Challenge today. However, the new National Cybersecurity Strategy was released this morning, and we thought that dissecting it for our readers took priority. We’ll go back to the S4x23 SBOM Challenge discussion next week.

There is a lot to unpack and there is even more to read between lines in the Biden Administration's new National Cybersecurity Strategy. Let me lay out the three...

Read More

S4x23 SBOM Challenge — Part 1

The aDolus Team has just returned from participating in the SBOM Challenge at the S4x23 cybersecurity conference in Miami, Florida. This blog is the first of a series reporting on what we did during the challenge and what we learned from the process.

Read More

A Flurry of Regulatory Action and the Need for SBOMs

 

Executive Order 14028 on Improving the Nation's Cybersecurity was issued in May of 2021 and provided a roadmap for a series of regulatory initiatives that government agencies (and anyone doing business with them) should prepare for. Recently we’ve seen the rollout of two important mandates:

  • OMB Memorandum M-22-18 dated Sept. 14, 2022 establishes requirements for “Enhancing the Security of the Software Supply Chain through Secure Software...
Read More

A Deeper Dive into VEX Documents

 

At the end of last summer, I wrote a blog post explaining the merits of Vulnerability Exploitability eXchange (VEX) documents. Almost 8 months later, I stand by the importance of these documents when it comes to efficient management of vulnerabilities. With our CTO, Eric Byres presenting on this very topic at S4x22, it seems like a good time to come back to VEX documents and dig into what they actually look like.

Read More

How Russia Might Come After the West

 

The DDoS attack surge that began last week against Ukrainian government agencies and banks was a bad sign. I was actually preparing a post and wondering if it was appropriate to call out Russia as, at that point, there was no formal attribution. 

But c’mon. 

Read More

Log4j: Panic or Lesson? | How to Protect Deployed Assets

 

Cleaning up the Mess will Take a Methodical Approach

Nearly every week the cybersecurity community buzzes around a newly discovered vulnerability or a breach. December’s alert for the CVE-2021-4428  vulnerability in Apache Foundation’s Log4j software is no different. Also known as the Log4Shell vulnerability, it is present within the log4j-core library commonly used for logging in Java applications. These applications are widely deployed in a huge...

Read More

Sorry Blackberry: You Are Part of the Supply Chain

Today, reporters Betsy Woodruff Swan and Eric Geller at Politico published a story: “BlackBerry resisted announcing major flaw in software powering cars, hospital equipment.”  They outline how BlackBerry willfully hid the fact that their key operating system QNX contained a collection of vulnerabilities (originally discovered and named BadAlloc by Microsoft). It seems other companies affected by BadAlloc announced the issue way back in May. Not so...

Read More
Content not found