Friday, April 4, 2025 — Meeting Recap

Shawn's Recovery Update and Team Discussion

Quick recap. The team discussed the recent Oracle security breach and its potential impact on Oracle's customers, emphasizing the importance of having a well-prepared incident response plan. They also explored various approaches to improve vulnerability management, including targeting critical vulnerabilities, grouping and fixing multiple vulnerabilities simultaneously, and using more secure base images. Lastly, they discussed recent developments with the National Vulnerability Database and the challenges they pose for vulnerability management, as well as the need for alternative approaches and a new consortium to tackle vulnerability data.

Shawn's Recovery Update and Team Discussion

Shawn opens the meeting, greeting attendees and providing an update on his recovery from surgery. He mentions feeling better and plans to return fully next week after attending a President's Club event in Mexico. The group is smaller than usual, with only 22 participants. Neil briefly mentions working on something related to a "dark blockchain" but doesn't provide details. Dave notes that Shawn's audio sounds distant, which Shawn attributes to his cat moving the microphone. Kaye joins and expresses happiness at seeing Shawn, who elaborates that his recovery has been more challenging than expected but he's over the worst of it.

Oracle Security Breach Concerns Discussed

In the meeting, the team discussed the recent Oracle security breach. They expressed concerns about Oracle's handling of the situation, particularly their initial denial of the breach. The team agreed that Oracle's response was poorly managed and could damage their reputation. They also discussed the potential impact of the breach on Oracle's customers, particularly those using Oracle Cloud. The team noted that Oracle's market share is significant, and the breach could have serious consequences for their business. They also discussed the importance of having a well-prepared incident response plan in place to handle such situations effectively.

New Members Introduce Themselves

Shawn led the meeting, encouraging new participants to introduce themselves and share their interests. Dave offered to help new presenters create their decks and practice their presentations. Tomislav, a new member, shared his background and expressed interest in security topics. The group also discussed the possibility of running a tabletop exercise as a topic.

Google Autopilot Limitations and GKE Maintenance

Neil discussed his experience with Google's Autopilot feature for Kubernetes, noting that it was user-friendly but had limitations for larger organizations. Tomislav mentioned that Google Kubernetes Engine (GKE) Standard does not perform node maintenance, which can lead to issues over time. Shawn suggested exploring garden.io, a tool set for CI pipelines, and emphasized the importance of asking questions, even if they seem trivial.

Improving Vulnerability Management Strategies

Neil discusses three approaches to improve vulnerability management beyond the current 10% patching rate. The first approach focuses on targeting the most critical vulnerabilities using asset context and risk data. The second approach, exemplified by EPSSG, aims to group and fix multiple vulnerabilities simultaneously for better efficiency. The third approach, represented by Chainguard, involves starting with more secure base images to reduce the number of vulnerabilities introduced into systems. Shawn adds that prioritizing fixes with the highest payoff across multiple applications is another effective strategy. Jay emphasizes the importance of considering environmental factors like deployment frequency and attack paths when prioritizing vulnerabilities. Mischa notes the challenges of explaining complex vulnerability management approaches to auditors and the value of using hardened images to reduce overall vulnerability exposure.

NVD Vulnerability Data Challenges Discussed

The group discusses recent developments with the National Vulnerability Database (NVD). NVD announced they will no longer maintain vulnerabilities published before 2018, and the number of vulnerabilities awaiting analysis has increased significantly. This is causing stress in vulnerability management, as many organizations rely on NVD data. The discussion touches on alternative approaches, including private companies filling the gap and the potential need for a new consortium to tackle vulnerability data. They also briefly discuss challenges with vulnerability scoring systems like CVSS and EPSS, as well as approaches to detecting anomalous behavior in SaaS applications.
