I have a thought brewing in my brain, but I'm not sure if it makes sense
Dealing with security flaws in dependencies often falls to #appsec teams, but should it? It's a different skill I think, closer to an #OSPO role than a security role
@joshbressers I think part of the reason it falls on the #appsec team is that they're the ones that can ultimately fix it. If I'm not responsible for the app, but I'm held accountable for its dependencies, well, I'm being set up for failure.
@joshbressers excellent topic, rarely discussed! In this area there is a point of junction between OSS licenses compliance and cyber: the SBOM and source code distribution is a recipe starting point for attack (at least in my embedded ecosystem, e.g. a kernel).
@joshbressers Both. Which is why I've been advocating for more overlap and collaboration between both groups for years. At Deutsche Bahn, we are implementing this via a cross-functional "topic team software supply chain security".
Same applies for other Open-Source-related topics that require a broader skillset and benefit from diverse expertise, e.g. legal issues (licenses, patents) or business/financial questions (strategic funding, partnerships), just with other teams in those cases.