Resilient Cyber Newsletter #20
Software Product Liability Comes to the EU, Wiz's Path to $1B, The White House Issues the First National Security Memo Focused on AI, Shift Left Starts to Rust
Welcome!
Welcome to another issue of the Resilient Cyber Newsletter, hard to believe we’re at 20 issues already - so let’s keep it rolling!
A lot of great topics this week around software product liability and the EU, the insane trajectory of Wiz, The White House dropping the first-ever National Security Memo on AI and challenges with the “shift left” movement as it starts to rust.
Cybersecurity Leadership & Market Dynamics
Product Liability Comes for Software - At least in the EU
The EU rolled out new product liability directives that have far-reaching implications for digital products and software. This includes legally treating software as a “product”, AI systems included, and opening the door to direct liability for cyber vulnerabilities.
This represents one of, if not the, most robust and impactful software liability frameworks to hit the industry. It also follows a trend of the EU being much more rigorous and aggressive with regulatory forces than its U.S. counterparts, much like we saw with the EU AI Act, for example.
The U.S. of course teased a similar software liability ambition in the latest version of the U.S. National Cybersecurity Strategy (NCS); however, software liability is often referred to as the “third rail” in software within the U.S. and is a highly contentious topic.
This also continues a heated debate about which approach is right, and the potential ramifications, which on one hand include software vendors finally taking cybersecurity seriously, and on the other, folks claiming these measures will stifle innovation, leave the EU behind and also lead to vendors deliberately avoiding the EU market with some of their products and services, or at least having a separate tier of products for this market.
Even the French President recently warned that “over-regulation will leave Europe behind the U.S. and China”.
How Wiz Became the Fastest Software Company to Hit $500M & Its Path to $1B
Anyone who is involved in Cloud Security and Cyber more broadly has inevitably heard of Wiz. The cloud security titan has taken the industry by storm, establishing itself as the leader in cloud security with its Cloud Native Application Protection Platform (CNAPP), being the fastest company to ever hit $500M in revenue, turning down a $23Bn offer from Google and publicly discussing its IPO ambitions.
In this incredibly comprehensive piece from Francis Odum, he breaks down the three phases of Wiz’s history and future, the role of not just the product but timing, sales, GTM and an incredibly talented team. He covers their role in the market, comparison to other industry giants and its plans and path to achieving $1Bn in revenue.
On the topic of Wiz, Sequoia recently published a comprehensive piece discussing how the Wiz co-founders built upon a decades-long relationship to create their cloud-security platform and company, and how that led to its meteoric rise. There is also a great interview with Wiz’s CMO and VP of Product Strategy, Raaz Herzberg, where she goes into her background of starting with the company at its earliest stages, and how she thinks they will be bigger than CrowdStrike and Palo Alto - which are of course ambitious goals!
CISOs Increasingly Coming to Terms with the Fact That Tools Alone Won’t Save Them
This piece from DarkReading points out that 3/4 of CISOs surveyed admit they are drowning in alerts from an ever-growing security stack but are struggling with basics like actually identifying breaches and incidents when they occur.
It mentions that global cyber spend is projected to reach $215 billion by the end of 2024 and, despite this spend, almost half of CISOs admitted to missing a breach with their existing tech stacks.
This VC Built A Cyber Unicorn Machine - Then Came a Conflict of Interest Mess
There’s been a lot of drama lately about the VC firm Cyberstarts and its founder Gili Raanan. The organization has backed several unicorn companies and has seen incredible success in its investments and portfolio companies, but it hasn’t been without scrutiny.
This piece from Forbes looks into some of that, particularly Cyberstarts’ advisor network and the role of “Sunrise”, which involved introductions for portfolio companies to potential consumers and organizations, and how the executives and CISOs involved often received compensation in the form of profits from Cyberstarts’ early-stage funds. Advisors in “Sunrise” had the chance to share in a pool of 4% of Cyberstarts’ earmarked profits, known as carried interest, if they helped the portfolio companies.
Since the news broke and the scrutiny began, Cyberstarts announced that they suspended the compensation aspect of the program, but they emphasized that the program wasn’t going away. The scrutiny came from the fact that the Sunrise advisors often worked at large enterprise organizations with big security budgets and could potentially influence their own employer to use the Cyberstarts portfolio companies’ products, from which they would then personally benefit financially.
The Forbes article points out that several previous Sunrise advisors have left the network or removed a mention of it from their LinkedIn, and that the Cyberstarts website has since removed 1/3 of the listed Advisors. The piece from Forbes includes several anonymized quotes from previous advisors or those familiar with the Sunrise program and the topic of COIs and ethics.
AI
White House Issues First National Security Memorandum Focused on AI
The White House released a National Security AI Memorandum, looking to balance AI innovation as well as protections for privacy and civil liberties as it relates to AI and its use in National Security Systems (NSS).
In addition to discussions around funding and priorities to ensure the U.S.’s continued leading role in AI, the memo also introduced a “Framework for AI Governance and Risk Management for National Security”.
This framework lays out AI Use Restrictions, including listing prohibited AI Use Cases (e.g. profiling, tracking and targeting of individuals who are exercising rights under the Constitution, as well as unlawfully suppressing the right to free speech). It also lists High-Impact Use Cases, which have specific governance and risk requirements. It defines the minimum risk management practices for high-impact AI use cases, as well as for cataloging and monitoring AI use.
Anthropic Announces “Computer Use”
While a lot of the AI hype lately has been around LLMs and related use cases, Anthropic recently announced “Computer Use”, which allows developers and users to direct Claude to use computers the way users do. This involves moving the cursor, clicking on things, opening files and much more.
Computer use is still in the experimental stage but is available via their API. This announcement sent the Internet ablaze with talks of both its potential, as well as security and privacy risks if it is abused or compromised.
Computer use marks a big leap in the advancement of GenAI and LLMs.
Scaling Security in the Enterprise with AI
Akshay Bhushan and Myke Lyons provide a discussion of how AI is revolutionizing enterprise cybersecurity, from alert triage to ongoing process monitoring and more.
This includes areas such as Vulnerability Management, SOC, AppSec and GRC, with vendors looking to integrate AI into their products and platforms and address longstanding manual, cumbersome security activities.
In the SOC, products are looking to help with activities such as alert triage, information retrieval and processing, and ongoing process monitoring. Vulnerability Management vendors are often ingesting codebases into AI and looking to use them to create automated documentation, conduct risk scoring and summarize views based on specific threat models with knowledge of the code and how it functions.
GRC is an area that was long ago left behind by Cloud, DevOps and automation, often living in static documentation such as Word files and PDFs and in manual assessments. Vendors are looking to use AI to automate functions, streamline auditing and reporting, automate policy development and monitoring, and more.
In the AppSec space, the potential for AI involves bringing the technology into DevOps pipelines and IDEs, looking to automatically detect vulnerabilities and configurations and, in the long term, even potentially auto-remediate them, an elusive topic in the AppSec space. We’ve already seen massive experimentation and use of AI co-pilots to bolster Developer velocity and coding activities; now we are hoping to see the use case of AppSec co-pilots and tooling play out.
Google’s Secure AI Framework (SAIF) Risk Assessment
Last year Google rolled out their "Secure AI Framework" (SAIF). It laid out key principles and considerations for secure AI model development and deployment.
They have now announced the SAIF Risk Assessment tool, which makes SAIF actionable, giving practitioners a tool to walk through those best practices and recommendations. It can be used to evaluate your security posture from the AI systems perspective, as well as apply best practices documented in SAIF.
As users go through entering their specific information it will help output key steps and guidance the organization should follow for Secure AI use.
NY State Department of Financial Services (NYDFS) Guidance on AI Security and Governance
Recently NYDFS rolled out a letter on AI and its cyber implications, and provided recommendations for regulated companies. It includes how covered entities should address AI-related risks in various areas such as their organization’s use of AI, threats facing their third parties from AI and key training for personnel.
AppSec, Vuln Management and Supply Chain Security
Scaling SBOM Operationalization
Software Bills of Materials (SBOMs) continue to be one of the most commonly discussed tools when it comes to software supply chain security (and most hotly debated, but that’s another story).
The industry has progressed from “what’s an SBOM?” to “how do I go about scaling their use and making them operational?”. This graph from Helen Oakley covers some key considerations for scaling the use of SBOMs.
Common Weakness Enumerations (CWEs) 101
While vulnerabilities and CVEs get a lot of attention, CWEs are a critical topic too, and are used to categorize software weaknesses into a standardized taxonomy.
This post from Yotam Perkal walks through some fundamentals of CWEs, including how they are organized, how they can be and are used, and the role they play in the broader vulnerability management ecosystem.
He also shows the growth trends of specific CWEs over the years.
Vulnerability Management Program Pack v1.2
Organizations continue to build out robust vulnerability management programs, trying to keep up with the exponential growth of vulnerabilities in their environments. This Vulnerability Management Program Pack is a neat resource that covers key areas such as definitions, remediation SLAs, reporting requirements and more.
Shift Left is Starting to Rust
I’ve been writing and speaking a lot lately about the challenges of the “shift left” movement, which aims to move security earlier in the SDLC. The problem is that, as it turns out, the movement was founded on speculative, unsubstantiated studies that claim it is “x” cheaper to fix vulnerabilities earlier in the SDLC.
While shift left makes sense intuitively, to fix vulnerabilities before they reach production and can be exploited, there are various ways the movement has been implemented poorly. These include an over-emphasis on tools, and drowning Developers in a bunch of trash alerts and findings from legacy tools that lack context such as known exploitation, exploitation probability, reachability and business context.
I cover this topic in depth in a recent article of mine titled “Shift Left is Starting to Rust: A look into the origins of the “shift left” movement, and ways it has been implemented poorly”.
I also had a chance to sit down with DarkReading and provide my thoughts along with other industry leaders on the topic of shift left in an article titled “Shift Left Gets Pushback, Triggers Security Soul Searching”.