Tom Alrich is a supply chain cybersecurity consultant and blogger, focusing on software bills of materials and NERC CIP-013.
Recent Posts by Tom Alrich:
by Tom Alrich, on May 12, 2022 8:46:39 PM
I recently wrote two posts (the second one is here) about a chilling revelation that Tom Pace of NetRise made at an informal meeting I recently attended. NetRise specializes in firmware security, and Tom has noted that a huge percentage of software and firmware products aren’t registered at all in the National Vulnerability Database (NVD), meaning there’s no CPE name registered for the product. This means there has never been a single vulnerability reported for the product. Thus, if …
by Tom Alrich, on May 9, 2022 1:37:51 PM
A recent post described a presentation I saw last Friday by Tom Pace of NetRise, describing what seems to be a huge security problem. To summarize it: Do you think products with a lot of open vulnerabilities - as indicated by CVEs listed for the product in the National Vulnerability Database (NVD) - are dangerous and should be avoided? If so, you’re right. By the same token, do you think a product with no open vulnerabilities – …
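The two excerpts above make the same point: a product that shows zero CVEs in the NVD may simply have no CPE name registered, so "no open vulnerabilities" and "nobody has ever looked" are indistinguishable unless you check for the CPE first. The following script is an added example, not code from this blog or from NetRise, that triages SBOM components into those two cases. It runs against a small constructed, offline snapshot standing in for the NVD CPE dictionary and per-CPE open-CVE counts (the vendor, product and version names and the counts are made up; they are not real NVD data); in practice you would replace the two dictionaries with results from NVD lookups.

```python
"""Separate "registered with no open CVEs" from "never registered in the NVD".

Added example with constructed data. CPE_DICTIONARY and OPEN_CVE_COUNT are a
hypothetical stand-in for the NVD CPE dictionary and its CVE index.
"""
import re
from dataclasses import dataclass

# Constructed snapshot: three CPE names that the "NVD" knows about.
CPE_DICTIONARY = {
    "cpe:2.3:a:examplecorp:widgetlib:1.4.2:*:*:*:*:*:*:*",
    "cpe:2.3:a:examplecorp:widgetlib:1.5.0:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplecorp:router_fw:3.0:*:*:*:*:*:*:*",
}

# Constructed snapshot: number of open CVEs recorded against each CPE name.
OPEN_CVE_COUNT = {
    "cpe:2.3:a:examplecorp:widgetlib:1.4.2:*:*:*:*:*:*:*": 2,
    "cpe:2.3:a:examplecorp:widgetlib:1.5.0:*:*:*:*:*:*:*": 0,
    "cpe:2.3:o:examplecorp:router_fw:3.0:*:*:*:*:*:*:*": 0,
}


@dataclass(frozen=True)
class Component:
    """One SBOM entry. part is 'a' (application), 'o' (OS/firmware) or 'h'."""
    vendor: str
    product: str
    version: str
    part: str = "a"


def _norm(value: str) -> str:
    """Lowercase and replace runs of characters CPE names do not use."""
    return re.sub(r"[^a-z0-9._-]+", "_", value.strip().lower())


def product_prefix(c: Component) -> str:
    """The CPE 2.3 name up to (not including) the version field."""
    return f"cpe:2.3:{c.part}:{_norm(c.vendor)}:{_norm(c.product)}:"


def cpe_name(c: Component) -> str:
    """Full CPE 2.3 name for this exact component version."""
    return product_prefix(c) + _norm(c.version) + ":*:*:*:*:*:*:*"


def classify(c: Component) -> str:
    """Return one of four buckets for a component.

    has_open_cves            - registered, and CVEs are open against it
    registered_no_open_cves  - registered, and no CVEs are open (real signal)
    version_not_registered   - product known, but this version has no CPE
    product_not_registered   - no CPE at all: vulnerability data is absent,
                               not zero, so zero CVEs means nothing here
    """
    exact = cpe_name(c)
    if exact in CPE_DICTIONARY:
        if OPEN_CVE_COUNT.get(exact, 0) > 0:
            return "has_open_cves"
        return "registered_no_open_cves"
    prefix = product_prefix(c)
    if any(name.startswith(prefix) for name in CPE_DICTIONARY):
        return "version_not_registered"
    return "product_not_registered"


def triage(components: list[Component]) -> dict[str, list[str]]:
    """Group components by bucket so the unregistered ones get manual review."""
    buckets: dict[str, list[str]] = {}
    for c in components:
        buckets.setdefault(classify(c), []).append(f"{c.vendor} {c.product} {c.version}")
    return buckets


if __name__ == "__main__":
    sbom = [
        Component("ExampleCorp", "WidgetLib", "1.4.2"),
        Component("ExampleCorp", "WidgetLib", "1.5.0"),
        Component("ExampleCorp", "WidgetLib", "2.0.0"),
        Component("ExampleCorp", "Router FW", "3.0", part="o"),
        Component("Acme", "GadgetD", "0.1"),
    ]
    for bucket, names in triage(sbom).items():
        print(f"{bucket}: {names}")
```

Only the `registered_no_open_cves` bucket supports the conclusion "no known vulnerabilities"; the two `*_not_registered` buckets are the products Tom Pace's observation is about, and a scanner that reports them as zero-CVE without this distinction is silently reporting a lookup failure as a clean result.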
by Tom Alrich, on May 2, 2022 12:37:59 PM
I’ll be honest: It’s been quite a while since I seriously worried about anything in cybersecurity other than software vulnerabilities. Almost every serious cyberattack you can name in the last, say, five years, including NotPetya, SolarWinds, Kaseya, and literally every ransomware attack, was either based on or enabled by at least one software vulnerability. Of course, when the average cybersecurity person thinks about software vulnerabilities, they probably think of badly-trained (or simply incompetent) software coders …