bavarianbob's comments

Hard for me to believe that, even with a surplus of domestic production, the comparative advantage of importing still wouldn't be better.


Surprisingly, in this context, I frequently came across interfaces that make it difficult to implement certain features using those libraries. There's not a one-size-fits-all implementation yet.


I think you're going to scarcely find a company that has a direct open source -> hire pipeline. However, one of the most valuable parts of contributing to open source that I have personally found is forming connections and having those connections referring you to companies. I encourage you to find a company + project combination that you enjoy, find ways to collaborate, and make relationships. Doing that will likely yield huge dividends.


Thanks for the advice.


Awesome project!

As someone deeply familiar with this problem (ex-JupiterOne), I'd caution against asserting that 'deep level of customization' is a differentiator. Your buyer (CISO) and userbase (Sec Engs) are drowning. They (and I) don't want yet another product to build on top of. This is a key reason why Wiz is so successful -- an operator can turn Wiz on and immediately receive value, no adjustments or additions needed.

I'd strategically focus on making the 'actionability' part the cornerstone of the product and really become obsessed with making that part of your product incredible. The Goliath-killing story you need will be formed by figuring out how to get your product to the point where someone can turn it on and immediately receive value for the most impactful security problems first (ex: Log4J) and the total surface area of problems the product solves for second.


I would second this. No security person says "I don't have enough problems to look into."

Security spending is down, so navel gazing products are going to be a really hard sell. Figure out how to actually solve problems in an automated/semi-automated way and ship that instead.

The other issue with all of these tools is handling onboarding/integrations and getting terrible visibility as a result. A big market gap I see is a tool that can use the vulnerabilities it discovers to further information collection just like a real attacker would. Found Splunk creds in a log? Awesome, start using them. Syslog in an S3 bucket... boom. You are now hitting the stuff that every other ASM/visualization tool has missed.


Makes sense -- we're focused on fixing problems over just being yet another Jira ticket generator.

> Found Splunk creds in a log? Awesome, start using them. Syslog in an S3 bucket... boom. You are now hitting the stuff that every other ASM/visualization tool has missed.

This is my dream :). This past weekend I was playing around with something where if I clicked on a SecretsManagerSecret node then it'd give me the CLI commands to assume the roles and then retrieve the secret. It'd be neat to take it a step further and be able to click here and get a shell -- I don't think we're _that_ far off from that (but for now to be very clear we're focusing on read-only actions only since a security tool with permissions to do scary things in your environment kinda defeats the purpose).


Thank you, this is very helpful, especially given your experience in the space. I intended to frame this like "there are many tools that let a security team pull in data from the cloud providers and detect misconfigurations, but this becomes so much more useful when they're able to contextualize it against their internal data". If I'm responding to log4j, I want to know all of the services that are running that affected library, which ones are internet open, and who in the organization owns it. That last part is key for actionability.


It's another requirement to comply with. More work for the producer == higher cost for the consumer.


But the claim is that the shortage has been made worse by cage free laws. Any higher cost from cage free laws would already have been part of the price.


I'm saying the prices are what's been made worse. But suppliers haven't converted over so that doesn't help the shortage.


When California's anti-animal-cruelty measure went into effect, the price difference was negligible.

This stuff is not related; wild to see people trying to conflate it.


Do you have any comments on how to best absorb Ficciones? I read it recently and struggled through the whole book; needless to say, I don't comprehend why many hold that book on such a high pedestal.


Borges is not really an amazing writer, literary-wise. His works are popular because they are essentially mental puzzles in short story form. In this way, he's very similar to most sci-fi writers, which is why both Borges and sci-fi tend to be liked by mathematically-inclined people. These works are praised for their ideas, not their forms.


I interpreted the parent to mean that it might not be fair to assume existing package managers have done a _great_ job at downloading and verifying, especially verifying, resources from the network. There are businesses that exist attempting to solve this problem like socket.io. Safely installing the correct dependencies for a project is still not a guarantee from any of the major package managers.


Oh my amen.


Have a link?


Maybe not exactly what was being referred to, but one of Duolingo's founders, Luis von Ahn, is one of the inventors of CAPTCHA:

https://link.springer.com/chapter/10.1007/3-540-39200-9_18

https://kilthub.cmu.edu/articles/CAPTCHA_Using_Hard_AI_Probl... (direct PDF download)

https://en.wikipedia.org/wiki/CAPTCHA

RE: the computer game thing, https://dl.acm.org/doi/abs/10.1145/985692.985733


Wait, CAPTCHAs don't generate or capture any data. They prevent computer-automated systems, which were a huge pain at the time. Google then came around and released reCAPTCHA, which originally used books for Google Translate but later Street View photos for Google Maps. That was when data collection and learning was introduced.


reCAPTCHA is his baby.


Do you think an environment like this in say, VR, has merit?


No idea. If you can survive with VR goggles for hours, and you have reasonable VR partners not trying to teach you all kinds of slang and swearwords, then maybe.

