A6:2021 | Vulnerable and Outdated Components (8) | Cycubix Docs

Security Information Overload

What’s important?

  • Is my component exploitable?
  • Is my component an authentic copy?
    • Do I understand why my component is modified?

Security information is scattered everywhere

  • Multiple sources of security advisories.
    • 80,000+ CVEs in the National Vulnerability Database.
    • Node Security Project, Metasploit, VulnDB, Snyk, …
    • Thousands of website security advisories, blogs, tweets, …
  • 600,000 GitHub events generated daily.
    • 700 GitHub security-related events.
    • Release notes, change logs, code comments, …

Summary

  • It is not reasonable to expect a developer to continually research each component.
  • Developers are not security experts; they already have a day job.