Darren Meyer
darrenpmeyer.bsky.social
#AppSec and #DevOps weirdo (which I guess means #DevSecOps), researcher, and #Coffee nerd. My employer doesn't necessarily share my opinions. I'm also @darrenpmeyer@infosec.exchange
Reposted by Darren Meyer
🎖️ CISA (US Cybersecurity & Infrastructure Security Agency) pledged continued support of the CVE program, an important message after April’s de-funding scare.
August 12, 2025 at 2:42 PM
Reposted by Darren Meyer
🙂 The AppSec Village at DEFCON33 ran, with many engaging and educational talks. Keep an eye on the YouTube channel, but be patient – it can take a few months.
August 12, 2025 at 2:42 PM
Runtime security is important. But it's inherently reactive — it's a backup for proactive controls. Get to a point of acceptable risk before deploy; use runtime to deal with risks that are hard to detect before you ship, or that arise after deployment (such as newly-reported vulnerabilities).
July 28, 2025 at 5:33 PM
Security Champions are empowered to make routine security decisions, educated to help their teams follow the security policies and programs that apply to them, and relied upon to provide valuable feedback to the security teams about places where the program needs improvement or adjustment.
July 16, 2025 at 5:33 PM
Security Champions aren't "bonus staff" for the security team. They're trusted partners in building a security culture. As a bonus, you get a network of trained rapid-responders when there's a high-priority issue.
July 16, 2025 at 5:33 PM
And then leaders are confused that this fails, and ultimately decide that champions programs don't work.

A Security Champions Program should work more like a Safety Warden program. The goal is to create a network of people who act as liaisons between their teams and the professional security teams.
July 16, 2025 at 5:33 PM
I went that route last year; even for gaming, Linux has been just solid with very few problems (went Manjaro on my main desktop and laptop, and the kids’ gaming rigs)
July 8, 2025 at 3:25 PM
Practically speaking, if you want to do business with the US government, you're still going to want to meet those requirements unless you have a fairly narrow scope of business that only includes agencies that won't adopt such requirements.
June 10, 2025 at 12:39 PM
Orgs no longer need to universally supply #SBOM docs or produce machine-readable #SSDF attestations. BUT, it doesn't end current requirements or stop agencies from acting on their own. This isn't really surprising given the administration's priorities and related positions.
June 10, 2025 at 12:39 PM
Reposted by Darren Meyer
#InfoSec organizations (and especially #ProdSec and #AppSec) have a big challenge ahead of them to stay out in front of the rapidly-changing threat landscape for #LLM. We can't rely on providers like Hugging Face to solve the problem for us.
May 20, 2025 at 2:42 PM