🚨Five Eyes Trends on Exploits: Insights from the 2023 Top Routinely Exploited Vulnerabilities Earlier this week, the cybersecurity agencies of the Five Eyes nations—the U.S., U.K., Australia, Canada, and New Zealand—issued a stark warning that highlights a new reality: zero-day vulnerabilities are becoming the “new normal” in cyber exploits. This marks a significant departure from 2022 and 2021 when older, more established vulnerabilities were most frequently targeted. Today, adversaries are increasingly exploiting freshly disclosed zero-day vulnerabilities, often within hours of discovery. The advisory reveals that many of these targeted devices (think of VPNs, SSL gateways, and remote management consoles) are on the periphery of an organization’s network. Do you recognize a trend here? 👀 These edge devices are prime targets and typically lack robust logging or agent-based monitoring capabilities. It can challenging for organizations to know when these type of devices have been pwned. Organizations frequently face a race condition with adversaries— from initial exploitation of the vulnerability, to community recognition, vendor patch release, and eventual patching by the organization. This trend underscores the importance of employing Zero Trust principles, where nothing is blindly trusted within the network. A properly architected Zero Trust and Secure Access Service Edge (SASE) approach can enable organizations to detect and block adversaries before they can cause significant compromise. The advisory explicitly encourages leveraging CISA’s Zero Trust Maturity Model (ZTMM) and the Department of Defense’s Zero Trust guidance, pushing organizations toward a resilient, secure-by-design architecture. As the UK’s NCSC CTO Ollie Whitehouse observed, this “new normal… should concern end-user organizations and vendors alike as malicious actors seek to infiltrate networks.” To combat this, network segmentation and SASE solutions can play a critical role in halting lateral movement and keeping this “new normal” in check. 🛡️ With the right architecture, organizations can mitigate risks and stop threats before they gain a foothold. Full disclosure: I am a co-author of CISA's Zero Trust Maturity Model. The Five Eyes CSA is attached. The NCSC’s website with Mr. Whitehouse’s comments is cited in the comments. #technology #softwareengineering #programming #strategy #computersecurity #cloudcomputing #informationsecurity #zscaler #riskmanagement #cybersecurity #zerotrust
Building Trust In Software
Explore top LinkedIn content from expert professionals.
-
-
As an industry, we’ve poured billions into #ZeroTrust for users, devices, and networks. But when it comes to software - the thing powering every modern business, we’ve made one glaring exception: OPEN SOURCE SOFTWARE! Every day, enterprises ingest unvetted, unauthenticated code from strangers on the internet. No questions asked. No provenance checked. No validation enforced. We assume OSS is safe because everyone uses it. But last week’s #npm attacks should be a wake-up call. That’s not Zero Trust. That’s blind trust. If 80% of your codebase is open source, it’s time to extend Zero Trust to the software supply chain. That means: • Pin every dependency. • Delay adoption of brand-new versions. • Pull trusted versions of OSS libraries where available. #Google's Assured OSS offering is a good one for this. • Assess health and risk of malicious behavior before you approve a package. • Don’t just scan for CVEs—ask if the code is actually exploitable. Use tools that give you evidence and control, not just noise. I wrote more about this in the blog linked 👇 You can’t have a Zero Trust architecture while implicitly trusting 80% of your code. It's time to close the gap and mandate Zero Trust for OSS. #OSS #npmattacks #softwaresupplychainsecurity
-
I am a software engineer at Google who's worked in the UK, USA, and India offices, all because of the opportunities I've had here. During my first 3 months at Google, I went through the official Google guide on "How to handle reviewer comments" on a CL (which is like a pull request)...If you're a junior engineer reading this, always remember this: 1 // Don’t take it personally. When someone reviews your code, it’s not about you. It’s about the codebase. It’s about the company. And it’s about long-term quality. Think of it like this: If someone says, “This logic is unclear,” they’re not saying you’re unclear. They’re saying, “This piece of code won’t make sense to the next engineer who reads it 6 months from now.” It’s a conversation, do not get offended, but seek clarity… 2 // Clarify the code, not the comment box. One mistake I used to make early on: When someone didn’t understand my code, I’d explain it in the review thread. But the real fix is this: make the code speak for itself. If your reviewer doesn’t get it, a future dev won’t either. Rewrite. Refactor. Add a comment if needed. The review thread is temporary. The code is forever. 3 // Don’t react. Respond. Some feedback will sting. Some comments will be blunt. That’s okay. Never respond in anger. Walk away if you have to. Think. Reflect. Then respond with clarity and respect. Some of my biggest growth moments have come from pull requests where I was wrong, and someone cared enough to show me how to do it better. So here’s my advice: Treat code reviews as part of your learning loop. That will make you a better teammate and a better engineer.
-
Trust in Business: A Reality Check! Every entrepreneur, at some point, has heard or said this: "Business is all about trust." But is it really that simple? Can we afford to operate solely on verbal commitments and handshakes? The truth is, trust in business is not a one-size-fits-all concept. It’s not something that can be learned from a book, nor does it come with a universal definition. In fact, the more experience you gain, the more you realize that trust should never replace structured processes, legal agreements, and financial accountability. Business isn’t just about relationships—it’s about responsibilities. A well-drafted agreement does not mean you distrust someone; it simply means you respect the clarity and professionalism that a structured system brings. If a business is built on strong fundamentals—clear contracts, transparent financial dealings, and structured workflows—then the dependency on blind trust diminishes. The most successful companies in the world don’t run on mere promises; they run on well-documented processes and accountability at every level. So, if you want to protect yourself from business losses and bad partnerships, follow these rules: ✔️ Always have written agreements – Whether it's a partnership, client contract, or vendor deal, documentation protects both parties. ✔️ Trust actions, not words – Observe how someone handles their commitments before placing your faith in them. ✔️ Follow financial discipline – Keep track of payments, invoices, and financial statements. A healthy cash flow is better than blind trust. ✔️ Set clear expectations – Define roles, responsibilities, and accountability in every business transaction. Over the years, I’ve met countless professionals who learned the hard way that misplaced trust can be costly. Business is about collaboration, but it is also about safeguarding your interests. If you rely only on trust without systems, you’re setting yourself up for unnecessary risks. At the end of the day, trust is valuable—but only when backed by solid business fundamentals. If you build a business on strong agreements and ethical behavior, trust will follow naturally. What are your thoughts on this? Have you ever faced challenges due to misplaced trust in business? #businessfundamentals #startup #business #entrepreneur
-
Most corporate fraud doesn’t start with criminals. It starts with silence. With dashboards no one questions. With reports no one reads. With risks everyone assumes are “under control.” I’ve seen this many times over the years. A company growing fast. Numbers looking healthy. Leadership feeling confident. And underneath? Blind spots everywhere. Small anomalies ignored. Weak signals dismissed. Early warnings buried in emails and spreadsheets. Because “nothing has happened yet.” And for a while? That works. No incidents. No scandals. No headlines. Until one day… Everything happens at once. The fraud. The breach. The reputational crisis. And suddenly, everyone asks: “How did we not see this coming?” The truth is uncomfortable: They did. They just didn’t look closely enough. Intelligence isn’t about collecting more data. It’s about asking better questions. It’s about challenging assumptions. Connecting weak signals. Acting before damage is visible. The best organizations I’ve worked with understand this: • They monitor continuously • They question their own controls • They invest in intelligence early • They reward people who raise risks Because prevention is invisible. Until it isn’t. You can recover money. You can rebuild systems. But trust? That’s much harder to restore. Reduce blind spots before they become headlines. 🤔 What’s your experience? - 🧠 Repost to support a professional in your network. Follow Alex Lozano for more insights on OSINT and corporate intelligence. Want access to 40+ OSINT cheat sheets? Download them for free: https://lnkd.in/duz5CE2p
-
Most enterprises think Zero Trust is a policy. In reality, it’s a timer. Because security isn’t about who has access it’s about when and for how long. Traditional privilege models give permanent access. Just-In-Time (JIT) frameworks give temporary authority based on verified need. And that difference changes everything. Standing privileges are the new security debt quiet, invisible, and compounding risk over time. Here’s how Multi-Dimensional Time-Based Access Control (MTBAC) actually works in modern systems: 1- Time Dimension → Ephemeral Authorization ↳ Access tokens expire after defined durations. ↳ No persistent credentials to exploit post-task. 2- Context Dimension → Conditional Access Logic ↳ Every request checks identity, environment, and purpose. ↳ Code examples define access by situation, not status. 3- Intent Dimension → Verified Purpose Mapping ↳ Each permission includes metadata describing why it exists. ↳ Authorization requires declared and validated intent. 4- Event Dimension → Real-Time Revocation Hooks ↳ API endpoints terminate access instantly when conditions change. ↳ No waiting for admin approval. on_event("network_change"): revoke_all_sessions(user_id) 5- Audit Dimension → Immutable Activity Trail ↳ Every grant and revoke is cryptographically logged. ↳ Transparency replaces trust. This architecture doesn’t just improve control. It removes static trust from the system entirely. Because in the new access paradigm, privilege is no longer a possession it’s a request. The strongest security posture isn’t permanent restriction. It’s ephemeral validation. And the real Zero Trust transformation won’t come from new tools but from redefining how time, context, and intent govern access. ↝ If you want to explore how Just-In-Time access frameworks move from theory to implementation, follow me, Aditya Santhanam, for technical blueprints and code-level architecture guides. ♻ Share this with a security architect still granting privileges instead of governing them.
-
𝐖𝐡𝐲 𝐰𝐨𝐮𝐥𝐝 𝐈 𝐫𝐞𝐯𝐢𝐞𝐰 𝐲𝐨𝐮𝐫 𝐏𝐑? 𝐘𝐨𝐮 𝐡𝐚𝐯𝐞 𝟏𝟎 𝐲𝐞𝐚𝐫𝐬 𝐦𝐨𝐫𝐞 𝐞𝐱𝐩𝐞𝐫𝐢𝐞𝐧𝐜𝐞 𝐭𝐡𝐚𝐧 𝐈 𝐡𝐚𝐯𝐞. Early in my career, I said this to a Senior Engineer. I thought code reviews were just a "safety net" for juniors. I thought seniority meant you had stopped making mistakes. His reply changed my 𝐓𝐞𝐚𝐦 𝐎𝐒 forever: “If you don't review my work, you don't learn how I think. And if I don't get your eyes on it, I lose the chance to be questioned. The day I’m 'too senior' to be reviewed is the day I stop growing.” That conversation stayed with me for 15 years. Later, I saw the opposite. An Architect who only shared Design Docs with other Architects. It evolved into classic “ivory tower architecture”, decisions made far from the people who had to live with the consequences. The result? • Privilege replaced trust. • Knowledge became a bottleneck. • Juniors learned that their silence was expected. That is how 𝐜𝐨𝐥𝐥𝐚𝐛𝐨𝐫𝐚𝐭𝐢𝐨𝐧 𝐜𝐮𝐥𝐭𝐮𝐫𝐞𝐬 die. 𝐒𝐞𝐧𝐢𝐨𝐫𝐢𝐭𝐲 𝐢𝐬𝐧'𝐭 𝐚 𝐬𝐡𝐢𝐞𝐥𝐝 𝐟𝐫𝐨𝐦 𝐜𝐫𝐢𝐭𝐢𝐜𝐢𝐬𝐦. It’s a platform for transparency. When Seniors keep their work in a "private club," they aren't saving time; they are creating a 𝐒𝐢𝐧𝐠𝐥𝐞 𝐏𝐨𝐢𝐧𝐭 𝐨𝐟 𝐅𝐚𝐢𝐥𝐮𝐫𝐞. If the context only lives in your head: • You scale output, not judgment • You become the bottleneck • You can never truly unplug When a Junior reviews a Senior’s Work: 1️⃣ The Junior gains 6 months of context in 60 minutes. 2️⃣ The Senior is forced to simplify, and simplicity is the hallmark of great engineering. 3️⃣ The "Bus Factor" of the team doubles instantly. 𝐈𝐧 𝐬𝐭𝐫𝐨𝐧𝐠 𝐭𝐞𝐚𝐦𝐬, 𝐜𝐨𝐦𝐦𝐮𝐧𝐢𝐜𝐚𝐭𝐢𝐨𝐧 𝐢𝐬 𝐛𝐢-𝐝𝐢𝐫𝐞𝐜𝐭𝐢𝐨𝐧𝐚𝐥. Seniority isn’t where questioning stops. It’s where the openness should be highest. #EngineeringLeadership #CodeReview #WorkCulture #TeamOS
-
Zero Trust is a cybersecurity principle that operates on the assumption that threats can exist both outside and inside traditional network boundaries, challenging the conventional "trust but verify" model that inherently trusts users and devices within a network perimeter. Instead, Zero Trust mandates "never trust, always verify," meaning that no entity, whether inside or outside the network, should be automatically trusted and must be verified before granting access to resources. Core Principles of Zero Trust Least Privilege Access: Grant users and devices the minimum level of access, or permissions, needed to perform their tasks. This reduces the attack surface and limits the potential damage from breaches. Microsegmentation: Networks are divided into smaller, distinct zones. Access to these zones requires separate authentication, which limits an attacker's movement within the network. Multi-Factor Authentication (MFA): Requires more than one method of authentication from independent categories of credentials to verify the user's identity for a login or other transaction, which significantly reduces the likelihood of unauthorized access. Continuous Monitoring and Validation: Regularly verify the security posture of all devices and users, continuously monitoring for threats and anomalies to ensure that security is not compromised. Security Policies and Enforcement: Implement comprehensive security policies that govern access decisions and enforce them through automated systems. Implementation of Zero Trust Implementing a Zero Trust architecture involves a holistic approach to network security that includes technological, operational, and procedural changes. Key components often include: Identity and Access Management (IAM): Systems that ensure the right individuals access the right resources at the right times for the right reasons. Endpoint Security: Protecting endpoints, such as laptops, desktops, and mobile devices, from malicious activities and threats. Network Segmentation: Dividing the network into segments to control traffic flow and limit access to sensitive areas. Data Encryption: Encrypting data both at rest and in transit to protect its integrity and confidentiality. Benefits of Zero Trust 1. Enhanced Security Posture 2. Data Protection and Privacy 3. Compliance 4. Adaptability to Modern Environments In summary, Zero Trust is a strategic approach to cybersecurity that shifts the paradigm from a perimeter-based defense to a model where trust is never assumed and verification is central to access decisions. This approach is increasingly relevant in today's dynamic and distributed IT environments, where threats can originate from anywhere.
-
"Trust the Process" I remember hearing that advice when I first got into Agile. The people who said it were well-intentioned, of course. They were encouraging patience when progress wasn't immediately visible. That’s often the case in complex work (or personal growth). Outcomes generally lag behind effort, so there's a temptation to abandon new processes prematurely. The advice is meant to be reassuring - a reminder that well-designed processes, when followed with discipline, tend to produce results over time even if the benefits aren't immediately obvious. It's about staying committed long enough for the process to work as intended. Unfortunately... it's lazy advice. It sounds profound, but it's a deflection. It shuts down questioning by implying the process is infallible (or immutable) or that your skepticism is somehow the problem. Yeah, you shouldn't trust the process. You should interrogate the process. Understand it, challenge it, adapt it if necessary. Blind trust in a process is how bad systems persist. Trust outcomes. Trust evidence. Trust the people willing to adjust the process when it stops serving its purpose. "Trust the process" is usually what people say when they have no better answer. Trust yourself.