Well hey y’all. I just got hooked up with this space to somewhat-routinely write about vulnerabilities, cybersecurity, and infosec history. I’m currently at runZero, where I’m the vice president of security research, which basically means that I spend most of my time hanging around with some incredibly bright and devoted people who are also cunning and shrewd. We’re all dedicated to the notion that it is, in fact, possible to secure networks by being smart and creative with your approaches to exposure management.
I’m so excited to be writing here, and you might expect me to go on and on about CVE-identified vulnerabilities, and the CVE program itself. After all, I’m on the CVE board, and was most recently section chief for the KEV at CISA, and I’ve spent a fair amount of my career managing patch schedules, writing exploits and Metasploit modules, and detecting novel attacks on the network (so I often blather on Mastodon and Bluesky about CVEs).
But you’d be wrong! While I believe that CVEs are an important, even foundational, component of any modern security program (and I will explore aspects of individual CVEs and the program in the future), I’m not convinced that we should be totally infatuated with exploits and bugs. After four decades of personally responding to (and occasionally causing) cybersecurity incidents, it’s become clear to me that most people run into trouble not because they forgot to patch some critical internal database, but because the networking deck is stacked against the defenders.










