Jay Jacobs and I recently delivered an RSA presentation called Quantifying the Probability of Flaws in Open Source. Since many people didn’t get a chance to see it, I thought I’d summarize some of the findings here for posterity. The question we investigated was simple, at least conceptually:…

Years of accumulated security debt due to unaddressed software vulnerabilities and inadequate security configurations plague the applications that support our government functions. The age and size of applications play a significant role in the accumulation of security debt. The State of Software…

Today, I’m proud to share our 14th annual State of Software Security report. Our 2024 report shines a spotlight on the pressing issue of security debt in applications, and it provides a wake-up call to organizations worldwide. The demand for speed and innovation has resulted in the accumulation of…

December 9 marks two years since the world went on high alert because of what was deemed one of the most critical zero-day vulnerabilities ever: Log4Shell. The vulnerability that carried the highest possible severity rating (10.0) was in Apache Log4j, an ubiquitous Java logging framework that…

Software development is ever-evolving, and with that demand for innovation and scale comes the need to ensure software is secure. Many enterprise organizations have invested in AppSec to help them identify security flaws throughout the development process. However, within higher education, secure…

When I studied computer science in college, the curriculum wasn’t designed to teach all the different programming languages with the goal of becoming as “multi-lingual” as possible. Instead we focused on conceptual areas -- data structures, machine structures, algorithms, etc. The languages with…