The fight against ransomware is going global — maybe.

An 81-page report released late last month by the Institute for Security and Technology’s Ransomware Task Force (RTF) and backed by dozens of tech organizations including giants like Microsoft, Cisco, Amazon Web Services, and FireEye, is calling for a public/private coalition to “disrupt the ransomware business model,” which it says has become “an urgent national security risk around the world.”

Among the government agencies represented in the RTF are the U.S. Department of Justice, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the Secret Service, the FBI, Europol…

“Keep your software up to date,” is a constant mantra from cybersecurity experts.

For good reason. Failing to patch vulnerabilities in your software — especially when those vulnerabilities are known and there are patches available to fix them — is a bit like leaving the vault open at night. It’s an open invitation to cyber criminals.

But keeping software up-to-date is not always as simple as getting a notification from a vendor, clicking the “update-now” button, and then watching the little circle fill in, or the progress bar tell you how many minutes or seconds left before it’s installed.

The president has made a good start. But executing on a strategy is the hard part.

No president’s legacy should depend solely on what happens in the first 100 days of his administration. That’s less than 7% of a single term.

But for better or worse, 100 days has become a marker for new presidents, both for what to expect and what an administration may be able to accomplish. It’s a “honeymoon” when major policy initiatives have the best chance of getting through even a divided Congress.

All of which leads to this week and a small avalanche of analysis about President Joe Biden’s trajectory on everything from the pandemic to climate change, immigration, infrastructure, taxes…

If software is eating the world, as venture capitalist, Mosaic creator and Netscape cofounder Marc Andreessen famously said a decade ago, then one variety of software — open source — is now doing virtually all the eating.

That’s one of the major findings of the sixth Open Source Security & Risk Analysis (OSSRA) report, released last week by the Synopsys Cybersecurity Research Center (CyRC).

Not that this is at all a surprise. It simply confirms an ongoing trend. Open source software has been a majority of all existing codebases for years. It’s just that every year it’s a bigger majority.

If you have never heard of the BSIMM or OWASP SAMM, you need to read this, if only to find out what the heck they stand for.

But more importantly, because they can help you keep your software secure. And that’s something you really need to do. Really.

As boring and esoteric as it may sound, software security is just as important as putting locks on your doors, making sure you don’t misplace your wallet and, for businesses, making sure only employees get into your building and keeping your intellectual property safe. Now it is even more important.

These days, both your physical and…

“If it ain’t broke, don’t fix it,” is one of the all-time common-sense clichés. Which makes the corollary true as well: If it is broke, fix it.

But what if you don’t know it’s broke? It would help if somebody would let you know.

And in the world of software, issuing those warnings is the goal of the Common Vulnerabilities and Exposures (CVE) Program, launched in 1999.

The need is obvious. Software essentially runs the modern world. It’s everywhere and in just about everything. It’s also made by humans, which means it’s not perfect. …

“Keep your stuff up to date” is one of the closest things to a religious mantra in cybersecurity. And that means everything — your networks, your systems, your applications.

For good reason. If you don’t apply patches when they become available, you’re asking for trouble. Malicious hackers know, just like everybody else, when vulnerabilities become public, and they immediately start looking for organizations that are too distracted or clueless to apply those patches.

Fail to update and you’re in effect asking to be the next Equifax, the credit bureau giant breached in 2017 after it failed to install a patch…

What’s in a name?

As we all know, that iconic Shakespearean question applies to way more than an Elizabethan-era family feud intruding on adolescent romance.

It has, for generations, applied to everything from diseases to galaxies, insects, musical groups, teams, commercial products, and more. Sometimes things are named for a famous person (Lou Gehrig), a place (Lyme), a classic myth (Andromeda), the founder of an enterprise (Ford), an historic gold rush (49ers) or perhaps the major industry in a company town (Packers, Brewers).

But it also applies now — at least in some cases — to the weapons and vulnerabilities…

Suddenly, “supply chain” is hot. Suddenly, a term that usually tends to make eyes glaze over unless you’re a member of the green-eyeshade accounting fraternity, is in the headlines, even leading the mainstream evening news.

Because, as the recently discovered cyberattack on SolarWinds/Orion illustrates, a weak link in the supply chain can break every other link on that chain. Even if there are 18,000 or more of them.

SolarWinds, which provides system management tools for network and infrastructure monitoring, has an IT performance monitoring system called Orion.

The thumbnail version of the story is that hackers were able to inject…

International Women’s Day — today! — is one of those classic good-news/bad-news events. Especially when it comes to women in technology.

On the good side, the event has demonstrated major staying power. It began more than a century ago — the first was in 1911 and was observed by more than a million people. This year it involves hundreds of millions, if not billions. It is a national holiday, or partial holiday, in more than two dozen countries although, notably, not in the U.S.

Its advocacy has yielded measurable results. In the U.S., women are close to half of the…

Taylor Armerding

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.