LinkedIn post by Walter Haydock
“We have 43,928 high and critical vulnerabilities,” one of your team members says. “Where do we start?” asks your IT colleague. Your heart sinks as you realize that endless meetings, arguments, and spreadsheet exchanges will inevitably follow. Thinking back to Log4Shell and other vulnerability crises, you are thankful that at least you don’t need to solve this set of problems under huge time pressure. Finally, in the back of your mind, you dread the fact that software bills of materials (SBOMs) are only going to make this type of problem worse.

What you need to do, and badly, is prioritize.

Vulnerability scanning tools generate a ton of noise, and they require expertise to interpret their output. Communicating the results to internal and external stakeholders can be even more challenging than understanding them yourself, because it requires both precision and speed. And although SBOMs increase transparency, they are bound to amplify both challenges.

To protect your company without shutting down your business operations, you need a strategy:

1. Focus on business risk. Most tools report scores via the Common Vulnerability Scoring System (CVSS). While it is the industry standard, it is a broken one: a CVSS score describes the severity of a flaw in the abstract, not whether your application actually exposes it, and roughly 90% of the issues these tools detect are not exploitable in a given application. Talk to business stakeholders in terms of dollars of risk so they can make the right decisions and tradeoffs.

2. Communicate with your vendors in a structured manner. Going through spreadsheets line by line to discuss vulnerabilities and their resolution plans does not scale and wastes your team’s time. During emergencies, it is even more important to communicate crisply and quickly. The Vulnerability Exploitability eXchange (VEX) format allows for this: a vendor states, per vulnerability and per product, whether the product is affected, not affected, fixed, or still under investigation, so your team can suppress the noise and act on what is left.

3. Analyze and manage SBOMs in a consistent way. Understanding the makeup of your own and your vendors’ software stacks is a huge advantage when reacting to vulnerabilities or building your risk picture. But storing SBOMs on Google Drive or SharePoint just won’t cut it. Ensure you have a process in place for tracking and tracing these critical representations of your software supply chain.

Responding to security fire drills like this time and again at both publicly traded and venture-backed software companies, I learned just how to tackle these problems and get you focused back on your business. And I am building StackAware to do just that! If you are interested in a pilot deployment or services engagement, reach out today at stackaware.com.
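The three steps above (drop what is not exploitable, act on structured vendor statements, keep SBOM component identifiers as the join key) can be wired together in a few dozen lines. The script below is an added example written for this page; it is not code from the original post or from StackAware. It uses the real OpenVEX field names (`statements`, `vulnerability.name`, `products[].@id`, `status`, `justification`, `action_statement`), but the VEX document, the CVE identifiers, the package URLs and the scanner findings are all constructed placeholders, and the ranking rule (internet-facing first, then confirmed-affected before unknown, then by CVSS) is an assumption standing in for whatever business-risk model you actually use.

```python
"""Triage scanner findings against a vendor VEX document.

Added example, not from the original post. All identifiers below
(CVE numbers, purls, vendor name, URLs) are constructed placeholders.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Constructed OpenVEX document. Field names follow the OpenVEX spec;
# the statements themselves are made up for this example.
VEX_JSON = """{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://vendor.example/vex/2024-0001",
  "author": "Example Vendor PSIRT",
  "timestamp": "2024-01-01T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-2000-0001"},
     "products": [{"@id": "pkg:maven/com.example/libalpha@1.2.3"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-2000-0002"},
     "products": [{"@id": "pkg:maven/com.example/libbeta@4.5.6"}],
     "status": "affected",
     "action_statement": "Upgrade to libbeta 4.5.7"},
    {"vulnerability": {"name": "CVE-2000-0003"},
     "products": [{"@id": "pkg:npm/gamma@0.9.0"}],
     "status": "fixed"}
  ]
}"""

# Constructed scanner output: (cve, purl from the SBOM, CVSS base score,
# whether the asset running this component is internet-facing).
FINDINGS = [
    ("CVE-2000-0001", "pkg:maven/com.example/libalpha@1.2.3", 9.8, True),
    ("CVE-2000-0002", "pkg:maven/com.example/libbeta@4.5.6", 7.5, True),
    ("CVE-2000-0003", "pkg:npm/gamma@0.9.0", 9.1, False),
    ("CVE-2000-0004", "pkg:npm/delta@2.0.0", 8.2, False),  # no VEX statement
]

# VEX statuses that let us drop a finding outright.
SUPPRESS = {"not_affected", "fixed"}

# Assumed ordering within an exposure tier: confirmed-affected first,
# then still-under-investigation, then findings the vendor has not
# addressed at all (those go back to the vendor, per step 2).
STATUS_RANK = {"affected": 0, "under_investigation": 1, "unknown": 2}


@dataclass
class Finding:
    cve: str
    purl: str
    cvss: float
    internet_facing: bool
    vex_status: str               # OpenVEX status, or "unknown" if none applies
    note: Optional[str] = None    # justification or action_statement from VEX


def load_vex_index(vex_text: str) -> dict:
    """Build {(cve, product id): (status, note)} from an OpenVEX document."""
    doc = json.loads(vex_text)
    index = {}
    for stmt in doc["statements"]:
        cve = stmt["vulnerability"]["name"]
        note = stmt.get("justification") or stmt.get("action_statement")
        for product in stmt.get("products", []):
            index[(cve, product["@id"])] = (stmt["status"], note)
    return index


def triage(findings, vex_text: str):
    """Drop findings the VEX says are not exploitable; rank the rest."""
    index = load_vex_index(vex_text)
    kept = []
    for cve, purl, cvss, exposed in findings:
        status, note = index.get((cve, purl), ("unknown", None))
        if status in SUPPRESS:
            continue
        kept.append(Finding(cve, purl, cvss, exposed, status, note))
    kept.sort(key=lambda f: (not f.internet_facing,
                             STATUS_RANK[f.vex_status],
                             -f.cvss))
    return kept


def suppression_ratio(findings, vex_text: str) -> float:
    """Fraction of scanner findings the VEX lets us close without work."""
    return 1 - len(triage(findings, vex_text)) / len(findings)


if __name__ == "__main__":
    for f in triage(FINDINGS, VEX_JSON):
        print(f"{f.cve:14} {f.vex_status:20} cvss={f.cvss} "
              f"exposed={f.internet_facing} {f.note or ''}")
    print(f"suppressed by VEX: {suppression_ratio(FINDINGS, VEX_JSON):.0%}")
```

The join key is the package URL from the SBOM, which is why step 3 matters: if your SBOMs are not stored and queried consistently, the vendor's `products[].@id` will not match anything and every statement is wasted. Findings with no matching statement are deliberately kept and flagged `unknown` rather than silently dropped; that list is what you send back to the vendor.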