A6:2021 | Vulnerable and Outdated Components (8) | Cycubix Docs

Security Information Overload

What’s important?

  • Is my component exploitable?

  • Is my component an authentic copy?

    • Do I understand why my component is modified?

Security information is scattered everywhere

  • Multiple sources of security advisories.

    • 80,000+ CVEs in the National Vulnerability Database.

    • Node Security Project, Metasploit, VulnDB, Snyk, …

    • Thousands of website security advisories, blogs, tweets, …

  • 600,000 GitHub events generated daily.

    • 700 GitHub security related events.

    • Release notes, change logs, code comments, …

Summary

  • It is not reasonable to expect a developer to continually research each component.

  • Developers are not security experts; they already have a day job.
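The two questions at the top of this page ("Is my component exploitable?" and "Is my component an authentic copy?") are exactly the checks that should be automated rather than left to a developer's spare time. The following is an added example, not code from the Cycubix or WebGoat lesson: it compares each pinned component against an advisory feed (half-open introduced/fixed version ranges) and verifies the artifact hash recorded in a lockfile. All component names, versions, hashes and the advisory id `EXAMPLE-ADV-0001` are constructed placeholders, not real packages or CVEs.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version string such as "1.4.2" into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed (the half-open range most feeds use)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


@dataclass
class Advisory:
    advisory_id: str
    component: str
    introduced: str
    fixed: str


@dataclass
class Finding:
    component: str
    version: str
    authentic: bool                      # does the artifact match the lockfile hash?
    advisories: list[str] = field(default_factory=list)   # matching advisory ids


# Constructed advisory feed: placeholder id and component, not a real CVE or package.
ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "example-parser", introduced="1.4.0", fixed="1.4.3"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed artifacts and lockfile: (component, version) -> expected SHA-256.
GENUINE_PARSER = b"example-parser 1.4.2 release archive (constructed)"
GENUINE_HTTP = b"example-http 2.0.0 release archive (constructed)"
LOCKFILE = {
    ("example-parser", "1.4.2"): sha256_hex(GENUINE_PARSER),
    ("example-http", "2.0.0"): sha256_hex(GENUINE_HTTP),
}


def audit(lockfile: dict, artifacts: dict, advisories: list[Advisory]) -> list[Finding]:
    """For every pinned component: verify its hash and look up affecting advisories."""
    findings = []
    for (name, version), expected_hash in lockfile.items():
        artifact = artifacts[(name, version)]
        # Constant-time comparison of hex digests; a mismatch means the copy was modified
        # and the team must understand why before shipping it.
        authentic = hmac.compare_digest(sha256_hex(artifact), expected_hash)
        hits = [
            a.advisory_id
            for a in advisories
            if a.component == name and is_affected(version, a.introduced, a.fixed)
        ]
        findings.append(Finding(name, version, authentic, hits))
    return findings


def example_run() -> list[Finding]:
    """Audit one genuine, vulnerable component and one tampered, advisory-free one."""
    artifacts = {
        ("example-parser", "1.4.2"): GENUINE_PARSER,
        ("example-http", "2.0.0"): GENUINE_HTTP + b" (one byte appended)",  # modified copy
    }
    return audit(LOCKFILE, artifacts, ADVISORIES)


if __name__ == "__main__":
    for f in example_run():
        status = "OK" if f.authentic else "HASH MISMATCH: find out why this copy differs"
        print(f"{f.component} {f.version}: {status}; advisories: {f.advisories or 'none'}")
```

The point of running this in CI rather than by hand is the one the Summary makes: the advisory feed and the lockfile change constantly, and a script re-evaluates both on every build at no cost to the developer's day job.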
