Microblog
Oct 16, 2024
Supply Chain Security

I've been rabbit-holing into Supply Chain Security over the last couple of months. After speaking to tens of security leaders and trying almost all existing products on the market, I'm convinced that the tools haven't evolved much since the early movers in the space — most of the fast-followers are largely trying to play catch-up.

Why do most Software Composition Analysis (SCA) tools (for lack of a better word) suck? Here's what I've found:

  • Shift-left Kool-Aid: It's true, you want to catch security vulnerabilities early in the lifecycle. But the goal is automation, not just redistribution of tasks. Your SCA tool enables developers to detect new vulnerabilities, and even suggests what version to upgrade to — but doesn't give any information on how to make that decision. Ask any developer and they'll tell you upgrades aren't that easy.
  • Lack of context: Raw vulnerability data isn't enough. The "realistic" impact of a CVE goes beyond just the CVSS and EPSS scores — it depends on the context of the application, the environment, and the data it processes. Most SCA tools don't provide this context, and leave it to the security team to figure out. This is how you end up with hundreds of vulnerabilities in your backlog, most of which are irrelevant.
  • No baseline analysis: Most SCA tools don't provide a baseline analysis of your application's dependencies. This means you can't tell if a new vulnerability is introduced in a pull request, or if it was always there. Breaking CIs on every commit is how you make developers hate security.
  • One-size-fits-all remediation: The "upgrade to the latest version" advice is a lazy way to remediate vulnerabilities. It's not always possible, and sometimes it's not even the best solution. In my research, almost no SCA tools show you alternative remediation strategies, or even the impact of each strategy.
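As an added example (not DeepSource's code, nor any particular SCA vendor's), here is the baseline comparison the third bullet asks for: two scan results, one from the base branch and one from the pull request, are diffed so a CI check fails only on advisories the PR newly introduces, while the pre-existing backlog is reported rather than used to break the build. The Finding type, the VULN-000x identifiers, the package names and versions are constructed for illustration only.

```python
# Added example, not DeepSource's or any SCA vendor's code: compare a PR scan
# against a baseline scan so CI fails only on newly introduced advisories.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str   # advisory identifier as reported by the scanner
    severity: str

# Constructed sample: what the scanner reports on the base branch.
BASE_SCAN = [
    Finding("lodash", "4.17.20", "VULN-0001", "high"),
    Finding("minimist", "1.2.5", "VULN-0002", "medium"),
    Finding("axios", "0.21.0", "VULN-0003", "high"),
]

# Constructed sample: same scanner on the PR branch. The PR bumped axios
# (clearing VULN-0003), left lodash untouched, and added a vulnerable yaml lib.
PR_SCAN = [
    Finding("lodash", "4.17.20", "VULN-0001", "high"),
    Finding("minimist", "1.2.5", "VULN-0002", "medium"),
    Finding("js-yaml", "3.13.0", "VULN-0004", "high"),
]

def _key(f: Finding) -> tuple:
    # A finding's identity is (package, advisory): a version bump that still
    # carries the same advisory is pre-existing, not newly introduced.
    return (f.package, f.vuln_id)

def diff_scans(base, pr):
    """Return (introduced, fixed, preexisting) findings relative to base."""
    base_by_key = {_key(f): f for f in base}
    pr_by_key = {_key(f): f for f in pr}
    introduced = sorted((pr_by_key[k] for k in pr_by_key.keys() - base_by_key.keys()), key=_key)
    fixed = sorted((base_by_key[k] for k in base_by_key.keys() - pr_by_key.keys()), key=_key)
    preexisting = sorted((pr_by_key[k] for k in pr_by_key.keys() & base_by_key.keys()), key=_key)
    return introduced, fixed, preexisting

def should_block_merge(base, pr, fail_on=("critical", "high")):
    # Gate on *new* findings at or above the chosen severity only; the
    # pre-existing backlog is reported to the security team, not used to break CI.
    introduced, _, _ = diff_scans(base, pr)
    return any(f.severity in fail_on for f in introduced)

if __name__ == "__main__":
    new, gone, old = diff_scans(BASE_SCAN, PR_SCAN)
    print([f.vuln_id for f in new], [f.vuln_id for f in gone], should_block_merge(BASE_SCAN, PR_SCAN))
```

Keying on (package, advisory) rather than on the exact version is deliberate: a PR that bumps a package to a version still affected by the same advisory has not introduced anything new, and should not be the one to break the build.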

At DeepSource, we think this is a valuable problem to solve. Modern software is built on a complex web of dependencies, and the security of your application is only as strong as the weakest link in this chain. We're working on a new kind of SCA tool that challenges the status quo. I'm excited to share more about this in the coming weeks.

Sep 19, 2024
Working in serial

I recently came across Walter Isaacson on Lex Fridman's podcast talking about Elon Musk's work ethic. Isaacson says that Musk is able to focus sequentially on many different things in a day, and he gives his 100% attention to each task at hand regardless of the number of other things he has to do that day.

As founders, even an incremental change in your productivity can mean a step change in your startup's overall productivity. Founders are often the bottlenecks, after all. There's so much advice around "unblocking your team", but I think just getting more things done might be a better way to improve the rest of the team's productivity.

So I've started working in serial over the last few weeks. Every Monday, I assign a broad focus area for each day in the week, depending on the most impactful work I can do for the company at that time. I try not to complicate things by planning too much — a broad focus every day is enough. I create all-day events for each focus area without blocking the calendar, so I can still have other meetings during the day. Every day, apart from the meetings, I'm only working on the focus area.

Serial Focus Calendar

It's been only three weeks since I started doing this, and they have already been the most productive weeks for me this year. I've been pleasantly surprised by how much I was able to get done across several completely different areas of work.

Maybe this Elon guy is onto something.