Cloud Security Office Hours

Friday, September 27, 2024 — Meeting Recap

AI, Job Replacement, and Office Hours Discussion


Quick recap. The team discussed the potential of AI to enhance work capabilities and the risks that come with it, including the possibility of AI replacing certain jobs. They also discussed a recent high-profile vulnerability and the vulnerability prioritization models now in use alongside CVSS: EPSS, which uses machine learning to estimate the likelihood of exploitation, and SSVC, a decision-tree model that factors in asset context. Lastly, they discussed how security work is shifting as companies move to the cloud, emphasizing the need for security teams to collaborate more closely with engineering.

Tags: 2024-09, AI, Vulnerabilities

AI, Job Replacement, and Office Hours Discussion

Alex discussed the potential of AI to enhance work capabilities, but also warned about the risk of AI replacing certain jobs. Shawn and Neil shared their views on AI, with Shawn expressing optimism and Neil expressing concern about the cost and potential misuse of AI. Eric, a security architect, introduced himself and shared his experience with the office hours. The team also discussed the possible discontinuation of the Mastodon instance due to low activity, and the need for a new project manager for the group.

Discussing Vulnerability Severity and CVSS Scoring

The team discussed a recent remote code execution vulnerability, referred to in the discussion as the "9.9 RCE" after its CVSS score, which was initially perceived as a significant threat. On closer reading they concluded it was less severe than the score suggested, because exploitation requires a chain of preconditions that are unlikely to all hold on a real system. They also discussed what the two scores actually measure: CVSS rates the worst plausible technical outcome of a vulnerability regardless of how likely that outcome is, while EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. The team agreed that while the vulnerability was theoretically bad, it was unlikely to be exploited in practice.

Vulnerability Management Models and Industry Applications

Neil discussed the development and adoption of EPSS, the vulnerability prioritization model that uses machine learning to estimate the likelihood of exploitation. He mentioned that it has been adopted by vulnerability management teams and is being promoted by CISA in its guidance. Neil also introduced SSVC (Stakeholder-Specific Vulnerability Categorization), a decision-tree model that takes into account factors such as exploitation status, automatability, technical impact (scope), and asset context to arrive at an action for a vulnerability (for example defer, scheduled, out-of-cycle, or immediate) rather than a number. He said the model is open source and has been implemented by Cisco. Jeff and David discussed the practical application of these models in their assessments, with Jeff expressing concern that vulnerability scores are easily misinterpreted when read without their definitions. Friday, who is studying for the Security+ exam, expressed interest in learning more about how these models are applied in industry.

CVSS Scores and Vulnerability Prioritization Discussion

Neil explained that a CVSS score carries a subjective element: the CVE Numbering Authority, the vendor, and the developers may each assess the same vulnerability differently. Shawn noted it is one of many risk assessment scores. Jeff and Friday agreed that CVSS alone is insufficient for decision making without also considering likelihood of exploitation and impact on the specific environment. Neil highlighted research showing that many vulnerabilities exploited in the wild have low or medium CVSS scores, and that organizations typically remediate only around 10% of their open vulnerabilities each month. Given that budget, he emphasized, the priority has to be choosing the right 10%, not simply the highest CVSS scores.
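The point of the last two topics (SSVC as a decision tree over exploitation evidence and asset context, and the observation that a CVSS-only queue fills the monthly patch budget with the wrong items) is easiest to see on concrete data. The following is an added example, not code from the meeting or from the SSVC project: the tree is a reduced, hypothetical version of the SSVC deployer tree with four outcomes, the findings are constructed sample data rather than real CVEs, and the EPSS values are invented to illustrate the contrast. It ranks the same four findings by CVSS, by EPSS, and by the SSVC-style decision, and shows which item a team with capacity for one fix per cycle would pick under each strategy.

```python
"""Simplified SSVC-style prioritisation compared with CVSS and EPSS ranking.

Added example. The decision tree is a reduced, hypothetical version of the
SSVC deployer tree (assumption), not the CERT/CC reference implementation,
and the findings below are constructed sample data, not real CVEs.
"""
from dataclasses import dataclass

# Ordered from least to most urgent; the list index doubles as a sort key.
ACTIONS = ["defer", "scheduled", "out-of-cycle", "immediate"]


@dataclass(frozen=True)
class Finding:
    name: str
    note: str
    cvss: float           # CVSS base score: worst-case technical severity
    epss: float           # EPSS: P(exploitation within 30 days), 0.0 to 1.0
    exploitation: str     # evidence: "none" | "poc" | "active" (e.g. on KEV)
    automatable: bool     # can recon/weaponise/deliver/exploit run unattended?
    exposure: str         # asset context: "small" | "controlled" | "open"
    mission_impact: str   # asset context: "low" | "medium" | "high"


def ssvc_decision(f: Finding) -> str:
    """Walk the simplified tree and return one of ACTIONS.

    CVSS and EPSS are deliberately not consulted here: the tree is driven by
    exploitation evidence, automatability and asset context, which is the
    SSVC idea the meeting described.
    """
    if f.exploitation not in ("none", "poc", "active"):
        raise ValueError(f"unknown exploitation state: {f.exploitation!r}")
    if f.exploitation == "active":
        # Exploited in the wild; only a tiny, low-value footprint buys time.
        if f.exposure == "small" and f.mission_impact == "low":
            return "out-of-cycle"
        return "immediate"
    if f.exploitation == "poc":
        if f.automatable and f.exposure == "open":
            return "immediate" if f.mission_impact == "high" else "out-of-cycle"
        return "scheduled"
    # "none": no public PoC and no observed exploitation, i.e. theoretical risk.
    if f.automatable and f.exposure == "open" and f.mission_impact == "high":
        return "out-of-cycle"
    if f.exposure == "small":
        return "defer"
    return "scheduled"


def rank(findings, by: str):
    """Return finding names in patch order under one of three strategies."""
    if by == "cvss":
        def key(f):
            return -f.cvss
    elif by == "epss":
        def key(f):
            return -f.epss
    elif by == "ssvc":
        def key(f):
            # Most urgent action first; EPSS only breaks ties within an action.
            return (-ACTIONS.index(ssvc_decision(f)), -f.epss)
    else:
        raise ValueError(f"unknown strategy: {by!r}")
    return [f.name for f in sorted(findings, key=key)]


def patch_budget(findings, by: str, n: int):
    """Which findings get fixed if the team can only close n this cycle."""
    return rank(findings, by)[:n]


# Constructed sample findings (hypothetical; not real CVEs or real EPSS values).
SAMPLE = [
    Finding("A", "9.9 RCE, long chain of preconditions", 9.9, 0.004, "none", False, "controlled", "medium"),
    Finding("B", "auth bypass, listed on KEV",            6.5, 0.930, "active", True, "open", "high"),
    Finding("C", "library bug on an internal build host", 7.8, 0.010, "none", True, "small", "low"),
    Finding("D", "public PoC against the web tier",      8.1, 0.420, "poc", True, "open", "medium"),
]


if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.name}: cvss={f.cvss} epss={f.epss:.3f} -> {ssvc_decision(f)}  ({f.note})")
    for by in ("cvss", "epss", "ssvc"):
        print(f"{by:>5} order: {rank(SAMPLE, by)}  one-fix budget: {patch_budget(SAMPLE, by, 1)}")
```

Run as a script it prints the per-finding decision and the three orderings. The CVSS queue puts the 9.9 RCE first and the actively exploited 6.5 last; EPSS alone fixes that ordering but still cannot tell the internal build host from the internet-facing web tier; the SSVC-style tree puts the KEV-listed bug first, the public-PoC bug second, and sends the 9.9 to the regular patch cycle, which is the conclusion the group reached by hand. With a one-item budget, "cvss" picks A and "ssvc" picks B.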

Product Security and Cloud Security Discussion

The team discussed the concept of product security, with Kyle and Justin sharing their experiences in the field. They clarified that product security can cover hardware or software, depending on the product, and is not a separate discipline so much as the application of existing security skills to the thing a company ships. They also touched on cloud security, with Freddy explaining that it looks much like application security, with the cloud platform and its configuration now part of what has to be secured. The team welcomed a new member, Nadeem, and shared their experiences with unpredictable weather. The conversation ended with Shawn welcoming everyone and asking if anyone else had a topic to discuss.

Adapting Security in Cloud-Native Environments

Neil discussed the shift in security as companies move into cloud security, emphasizing the need for security teams to collaborate more closely. He suggested that the renaming and recontextualization of terms like "product security" and "application security" are part of this response. Matt agreed, emphasizing the need to find ways to say yes to innovation while maintaining security. Freddy and Mischa added context, noting the evolution of roles in cloud-native environments and the importance of collaboration. James raised a question about boundaries in cloud security, which Shawn responded to by acknowledging the complexity of the issue and the need for efficient use of signals.
