Interesting range of responses, from "0-day is zero days since exploit (using the vuln burns the 0-day, and it's not a 0-day anymore)" to "0-day is zero days of prior disclosure to vendor before release" to "0-day is zero days of fix/patch availability"
I "grew up with" the strictest of those — a 0-day is something no one but the attacker is aware of; once it's out, it maybe WAS a 0-day but isn't anymore
You don't need that kind of risk methodology in most cases. In fact, I'd argue that it will usually do more harm than good. What you need isn't usually to quantify your risk, it's:
• identify your security priorities
• have a sound, defensible business case for your security spending
The actuarial definition of risk (an annualised expectation of loss that's single loss amount × annual frequency) is a bit of an albatross around the neck of most infosec practice
Very few orgs are going to have the data or discipline to even use it, so they make guesses. Guesses create (sometimes extreme) bias, while the air of "using a formula" hides those biases
I have family members who fought this sort of treachery as late as the 1980's, and one still living fighting for labor rights since the 1940's... I may not be them, but I learned from some hard, hard coal miners that you don't roll over.
Sometimes when I'm in the shower I think about all the sketchy shit I've learned about politics and money and wealth over the years. I find myself wishing that I'd known this stuff as a kid, maybe I'd have been taught by my parents.
Then I realize that's the point.
Folks who are wealthy and powerful learn this stuff almost from the get-go. It's part of how they're raised and conditioned and trained. The rest of us - not so much.
I use both Google Chrome and Alfred for macOS, and I often need to make a Markdown-format link to a page. So I made an Alfred Workflow to do that
Type `mdlink` in Alfred and it pastes a Markdown-style link using the title and URL of Chrome's frontmost tab
The `.alfredworkflow` file is available in the Releases area here: https://github.com/darrenpmeyer/alfred-chrome-current_tab_link
I'm hiring at least 4 application security engineers. You a decent #pentester, know your way around Ghidra or IDA, programmer who groks security stuff, or OS expert? Wanna break security software? Want your findings to actually get fixed? This could be your thing, DM me!
Fully remote-first, distributed team and company, solid comp and benefits
This is an impressive run.
I'm #hiring another Senior #AppSec engineer at CrowdStrike. This role focuses on assessing the security of various on-device sensors, including threat modeling, testing, and code review. Knowledge of OS internals is a huge plus, especially macOS or Linux. #getfedihired #nowhiring
Application Security @ CrowdStrike ; but opinions are mine. Part-time coffee and Arduino nerd.