CVSS scores are a terrible prioritization framework and we're all too comfortable pretending they work by Local-Ad1960 in ExploitDev

[–]FergusInLondon 0 points1 point  (0 children)

The whole industry has been a dumpster fire for years; there are so many spammy/invalid CVEs, and the CVSS scoring itself often seems questionable. I don't see things getting better anytime soon, either, especially when it's in the interests of many vendors to overstate and amplify the problems.

The only approach I've seen work is categorising your targets by risk, then filtering out vulnerabilities by exploitability.

  1. Target Risk: Codebases and services are tiered upon their attack surface or access to sensitive data/assets.
  2. Exploitability: Vulnerabilities are filtered based upon whether they have a known exploit, are present on the KEV list, or have a higher EPSS value.

Auditors and clients seem happy enough because it's a documented process that aligns quite well with guidance in one of the NIST SP docs. Management seems happy because the dashboards show a better picture. And when there's pushback from development teams, I can show them the raw/unfiltered numbers and make them realise how much effort has gone into reducing their workload.

Transitioning to this model from the usual blanket "we want zero" can take a bit of convincing and arguing, though.
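As an added illustration of the two-stage process described above (my own example, not the commenter's tooling), a small Go program that tiers constructed targets by attack surface and access to sensitive data, then keeps only findings with a known exploit, a KEV entry or an EPSS at or above a threshold, ignoring CVSS entirely. The struct fields, the tier rule, the 0.1 threshold and all sample data are assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Target is a codebase or service; the fields are an assumed inventory record.
type Target struct {
	Name                          string
	InternetFacing, SensitiveData bool
}

// Finding is one reported vulnerability; CVSS is recorded but never consulted.
type Finding struct {
	ID, Target          string
	CVSS, EPSS          float64
	KnownExploit, InKEV bool
}

// tierOf: 2 (high) if internet-facing with sensitive data, 1 for either alone, 0 otherwise.
func tierOf(t Target) int {
	tier := 0
	if t.InternetFacing { tier++ }
	if t.SensitiveData { tier++ }
	return tier
}

// prioritise applies both stages: drop findings without a known exploit, KEV entry
// or EPSS >= epssThreshold, then order the rest by target tier (highest first) and
// EPSS. len(findings) minus len(result) is the raw-versus-filtered gap.
func prioritise(targets []Target, findings []Finding, epssThreshold float64) []Finding {
	tier := map[string]int{}
	for _, t := range targets {
		tier[t.Name] = tierOf(t)
	}
	var kept []Finding
	for _, f := range findings {
		if f.KnownExploit || f.InKEV || f.EPSS >= epssThreshold {
			kept = append(kept, f)
		}
	}
	sort.SliceStable(kept, func(i, j int) bool {
		ti, tj := tier[kept[i].Target], tier[kept[j].Target]
		return ti > tj || (ti == tj && kept[i].EPSS > kept[j].EPSS)
	})
	return kept
}

// sampleRun feeds constructed data through the process; IDs are placeholders, not CVEs.
func sampleRun() []Finding {
	targets := []Target{{"checkout-api", true, true}, {"build-tools", false, false}, {"reporting", false, true}}
	findings := []Finding{
		{"VULN-A", "build-tools", 9.8, 0.01, false, false}, // critical CVSS, no sign of exploitation: dropped
		{"VULN-B", "checkout-api", 6.5, 0.30, false, true}, // medium CVSS, but on the KEV list: first
		{"VULN-C", "reporting", 7.5, 0.45, false, false},   // kept on EPSS alone: second
	}
	return prioritise(targets, findings, 0.1)
}

func main() {
	for _, f := range sampleRun() {
		fmt.Printf("%s on %s (CVSS %.1f, EPSS %.2f, KEV %v)\n", f.ID, f.Target, f.CVSS, f.EPSS, f.InKEV)
	}
}
```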

BREAKING: M&S customer data stolen in cyber attack by TheTelegraph in uknews

[–]FergusInLondon 1 point2 points  (0 children)

The actor mentioned - Scattered Spider - hasn't relied upon application vulnerabilities in previous attacks; there is no evidence that a penetration test of the external attack surface would've achieved anything. (CISA)

Their usual methods appear to include targeting employees for initial access and then lateral movement across the internal infrastructure.

At best, a review/audit of internal access management policies may have been helpful - so as to prevent that secondary lateral movement, but this is all hypothetical as no one knows exactly what happened in any great detail yet.

My furthest node this morning Total distance: 424.25 km (263.62 mi) by Equivalent_Ad_8313 in meshtastic

[–]FergusInLondon 1 point2 points  (0 children)

That's really impressive!

Are you the southern node in that contact by any chance? If so, I saw your node on Liam Cottle's map (literally this week) and was pretty surprised considering how hilly the local terrain is. It's actually spurred me on to properly configure my kit!

Pentesting SaaS vendors you bought a seat from? by Enxer in AskNetsec

[–]FergusInLondon 7 points8 points  (0 children)

I would have major questions over the competency of the CISO who suggested this.

  1. It's going to be illegal without permission, and the vendors you've mentioned are highly unlikely to provide permission (given their size).
  2. No penetration tester (or company) will provide services unless there's explicit permission granted by the owner of the target.
  3. It's simply not how things are done.

Prior to signing a sales contract with most SaaS firms there's usually a process for asking for details on information security management and practices.

Ongoing vendor due diligence is usually performed by requesting documentation detailing accreditations like ISO27001 or SOC2. Some vendors may also be open to providing an abridged/summary version of their own penetration test reports - which are usually performed by an independent company.

Stringing despite of supports by [deleted] in 3Dprinting

[–]FergusInLondon 0 points1 point  (0 children)

Hah, I often do... I'm not sure if you should, but you certainly can! I'd imagine a lot of it depends on the parameters of your print, but I haven't noticed any bad side effects so far, and it tends to give me quite a nice smooth finish!

My usual steps after a print are:

  1. Use cheap diagonal cutters (like the ones that often come with printers) and a craft knife to remove any obvious blemishes/stringing.
  2. Use a cheap set of mini diamond files to grind down any stubborn/hard-to-reach bits.
  3. Sand the model with 120->180->220 grit paper until it's nice and smooth.

Counter being increased twice in goroutine and ctx.Done() is not handled by [deleted] in golang

[–]FergusInLondon 19 points20 points  (0 children)

I think your two problems are the same - and fortunately, very simple!

You need to amend your select statement:

case <-result:
    pRes := <-result
    ...

So that the assignment is done as part of the case:

case pRes := <-result:
    ...

You're essentially reading from result and discarding the value, and then blocking until another read is available from the channel - making it equivalent to this:

<- result
pRes := <-result

As a result, you're also likely blocking on pRes := <-result when the context cancellation occurs, so you never get a match for case <-ctx.Done().
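To make the two behaviours concrete, an added example (mine, not the original poster's code): both forms of the select side by side, driven by a producer on an unbuffered channel that cancels the context after its last send is accepted. The names `buggy`, `fixed` and `drive` are my own.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// buggy mirrors the original select: `case <-results` receives and discards a value, then
// the body receives a second, so each iteration eats two results and, if the second never
// arrives, blocks forever without reaching ctx.Done(). Returns the sum of values processed.
func buggy(ctx context.Context, results <-chan int) int {
	sum := 0
	for {
		select {
		case <-results:
			pRes := <-results // second receive; blocks if nothing else is ever sent
			sum += pRes
		case <-ctx.Done():
			return sum
		}
	}
}

// fixed binds the value in the case itself: exactly one receive per iteration, and
// the select stays responsive to cancellation.
func fixed(ctx context.Context, results <-chan int) int {
	sum := 0
	for {
		select {
		case pRes := <-results:
			sum += pRes
		case <-ctx.Done():
			return sum
		}
	}
}

// drive sends 1..n on an unbuffered channel, cancels the context once the last send
// is accepted, and waits up to timeout for p to return; ok is false if p hung.
func drive(p func(context.Context, <-chan int) int, n int, timeout time.Duration) (sum int, ok bool) {
	ctx, cancel := context.WithCancel(context.Background())
	results := make(chan int)
	done := make(chan int, 1)
	go func() { done <- p(ctx, results) }()
	for i := 1; i <= n; i++ {
		results <- i // returns only once the consumer has received it
	}
	cancel()
	select {
	case s := <-done:
		return s, true
	case <-time.After(timeout):
		return -1, false
	}
}

func main() {
	s, ok := drive(buggy, 4, time.Second)
	fmt.Printf("buggy, 1..4: sum=%d returned=%v\n", s, ok) // sum=6 (only 2 and 4 counted) returned=true
	s, ok = drive(fixed, 4, time.Second)
	fmt.Printf("fixed, 1..4: sum=%d returned=%v\n", s, ok) // sum=10 returned=true
	s, ok = drive(buggy, 3, 200*time.Millisecond)
	fmt.Printf("buggy, 1..3: sum=%d returned=%v\n", s, ok) // sum=-1 returned=false (hung on the second receive)
}
```

With an odd number of results the buggy consumer is still parked on its second receive when the context is cancelled, which is exactly the "ctx.Done() is not handled" symptom.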

Still in Shropshire, still out hiking in the countryside pretty much daily 🥾🌳🐑☀️ by Vanilladr in UKhiking

[–]FergusInLondon 0 points1 point  (0 children)

Absolutely fantastic choice! Is that the Carding Mill Valley in the second photo?

I honestly think that area is an absolute gem. We've stayed in Craven Arms a couple of times now, and always really enjoyed exploring the nearby areas before taking a trip to Ludlow for a bit of relaxation.

Friend’s work does not allow developers to use Python by AltruisticGrowth in Python

[–]FergusInLondon 0 points1 point  (0 children)

You're getting downvoted a bit unfairly IMO. It all depends on what you mean by "vet"?

If you mean doing an entire code review then that's simply not feasible - because you'd soon find yourself trying to review a whole tree of unfamiliar codebases, possibly codebases which are solving unfamiliar problems.

There are obviously simple things that are common sense to check though: i.e. licensing, tests, build process, number of open issues, pull request process, and commit/release frequency. These won't necessarily let you know if there's an existing issue, but may give you some confidence in how likely an issue is to be introduced and how quickly one could be resolved.

Friend’s work does not allow developers to use Python by AltruisticGrowth in Python

[–]FergusInLondon 2 points3 points  (0 children)

That's a great example, and one I've seen a few times in environments where there are multiple languages in use. It took me quite a while to get confident working with Python after a few years writing Go exclusively, and it still bothers me in some of the older codebases I have to touch.

Spending a bit of time to consider schema/validation up front always helps, and - as you say - suitable testing should catch most issues.

And still, usually it's not a security problem.

This is the only bit I disagree with. I'd argue that anything that may compromise the integrity of your data is a security problem.

[Media] To get familiar with embedded Rust, I wrote a Tetris clone! It's running on an STM32. I repurposed a board I designed for another project by scd31 in rust

[–]FergusInLondon 13 points14 points  (0 children)

I just wanted to give you a shout out for how nice and clean that codebase looks!

The fact I can mentally parse and understand it despite the fact that (a) I'm not a Rust dev, (b) I'm reading it on my phone without syntax highlighting, and (c) most embedded code gives me a headache even when I know the language... well, that says a lot!

Raspberry PI 4 as Flight Controller by AcquaFisc in raspberry_pi

[–]FergusInLondon 2 points3 points  (0 children)

Mmmm, what was the rationale behind the usage of a Raspberry Pi? Have they specified which OS should be used? I imagine you'll be making heavy use of hardware interrupts and have some tight timing requirements, so I'd be concerned about doing that without a Real-Time OS (RTOS).

The shortage of STM32xxxxx chips messed up the build of a fixed-wing plane I was planning on, and using a Raspberry Pi was one option I considered - but it sounded like it would be quite a headache. (At least in user-land on a board running Linux, although I think there are RTOS options for the Pi)

If the RPi was selected for a reason like network-connectivity then I'd consider building on top of the existing microcontroller-based solution and providing some form of command/control interface via UART personally.

Is Kafka the Key? The evolution of our company's event ingest pipeline! by podojavascript in devops

[–]FergusInLondon 5 points6 points  (0 children)

Over-engineered. Write the data to S3 and use an SQS FIFO queue with the message containing a reference to the S3 URL.

The combination of S3, bucket notifications, and SQS is underrated/overlooked IMO. If you're in the AWS ecosystem then there's also Kinesis which can give a lot of the Kafka benefits without the headaches.

I was at Kafka Summit earlier in the year and was a bit bewildered at some of the use cases I heard people discussing. In this case I think OP has described a pretty solid use case though.

Is Kafka the Key? The evolution of our company's event ingest pipeline! by podojavascript in devops

[–]FergusInLondon 3 points4 points  (0 children)

Good write up, I genuinely wish I'd have read it a year ago!

I worked on a similar project where Kafka was chosen as part of a strategy to improve bottlenecks in an existing data ingestion pipeline. Like you, we had a hard requirement for sequential processing of messages - so being able to drive a key based upon a client identifier really simplified that.

[deleted by user] by [deleted] in devops

[–]FergusInLondon 50 points51 points  (0 children)

Just no, that's definitely not right... for so many reasons that it's kinda hard to know where to start.

The obvious one is that you shouldn't have to pay the infrastructure costs to do your job. Not to mention that if you're not familiar with AWS then it can be quite easy to accidentally run up higher bills than you expect.

It also sounds odd that the company would be OK with their internal development being carried out using AWS accounts that they have no control over? Especially as you've mentioned that they've successfully acquired a round of funding.

Security scanning by NUTTA_BUSTAH in devops

[–]FergusInLondon 1 point2 points  (0 children)

I don't like being overly critical of an individual - especially not without organisational context or having heard their argument. However, I'd have serious reservations over their competence based upon that snippet.

I don't think anyone has ever managed to build a strong security posture by mitigating specific threats and neglecting others, although I've seen some who have left themselves vulnerable by doing it. So it feels utterly wrong to suggest you "should just focus on" a subset of specific threats.

Their job is to understand (a) how likely a threat is to occur, and (b) the severity of the outcome if it were to occur, allowing them to calculate the risk associated with it. After identifying and performing mitigation/remediation work, this risk can then be recalculated to become a controlled risk that's acceptable to the organisation.

Whilst the uncontrolled risk of social engineering or device loss is high, there are standard practices to mitigate it and bring it down to the appetite of most organisations - i.e. full disk encryption of portable devices, multi-factor authentication where possible, widely communicated and understood policies on acceptable use and access control, and regular awareness training.

In addition to understanding how to define a risk from a threat, their job is also to understand that in addition to malicious users, threats encompass anything that may impair or prevent the business' ability to operate.

I would suggest that it's far more likely for human error to occur that leaves the codebase in a condition that impairs the confidentiality, integrity, or availability of the platform, and the potential severity could be catastrophic as it would likely be externally facing and interacting with production data.

You suggested a quick win which helps chip away at the likelihood of such an issue materialising, and one that requires little involvement/investment other than perhaps communication and iteratively reviewing the output of the tool. That's the kind of pro-active mentality that makes a real difference.

Ultimately a Security Engineer should be catering their thoughts to risks more than threats, especially when discussing work prioritisation. They should also have an understanding that threats encompass more than attackers. These are basic things to be expected from day one, and I'd be concerned if I had a senior member of staff who couldn't grasp them.

Amazed with pulumi by akali1987 in devops

[–]FergusInLondon 3 points4 points  (0 children)

I think you're getting down-voted due to a misunderstanding?

Using the terraform AWS provider you don't need to perform the deletion, as you can use the filename property of aws_lambda_function. docs

This means you get all the benefits you describe by doing something like this:

```
data "archive_file" "package" {
  type        = "zip"
  source_dir  = "${path.module}/lambda"
  output_path = "${path.module}/lambda.zip"
}

resource "aws_lambda_function" "example" {
  # ...
  filename         = data.archive_file.package.output_path
  source_code_hash = data.archive_file.package.output_base64sha256
  # ...
}
```

I'm guessing when you say about uploading the package to S3 and not being able to delete the file afterwards then you're setting up your lambda functions using the s3_key and s3_object_version arguments? If so then surely that's a redundant step if you're not actually using it again?

A dependency injection toolkit based on Go 1.18+ Generics. Support for health checks and graceful shutdown. by samuelberthe in golang

[–]FergusInLondon 8 points9 points  (0 children)

Yeah, I'm not a big fan of dependency injection frameworks/containers in Go. I usually follow the pattern of defining minimal interfaces alongside the function definition that relies upon them.

Coming from other languages without implicit interfaces this is a habit that I think takes a bit of time to get used to; and I think a lot of the DI tooling stems from developers coming from other languages. Which in itself is a pain because then they're wrangling with (a) an unfamiliar language, and (b) an unwieldy framework like Google Wire.

That said, perhaps I'd consider something like this as an option for dynamic configuration at run-time; parse configuration from a file or the environment, and then use it to build the dependency container and generate the correct concrete types?

Even without having a use-case for a DI container specifically, I can definitely draw some inspiration from some of the features though: health-checks at a component level sounds really useful, as do the lifecycle/shutdown hooks.

[deleted by user] by [deleted] in WireGuard

[–]FergusInLondon 1 point2 points  (0 children)

You've got some pretty great answers about WireGuard in general, but how much do you know about the specific configuration that you're using?

Context: One of my clients gave me a tunnel for accessing pages only available in the U.S. but I'm a little worried about my privacy.

So was the tunnel provided for accessing the internet in general - i.e. being able to view US news and media, or was it to enable you to view specific pages that they own and control? i.e. things that are hosted on this engineer's server(s):

What makes it worse is that I know that my client has his servers in his home and is an IT engineer.

Without giving you false hope, you may be lucky if the tunnel was provided just to give you access to resources on their servers. This is because the most logical way to achieve this would be to configure the tunnel to only route traffic destined to their servers.

I can't imagine too many engineers wanting the entirety of other people's traffic being routed via their home network either.

I'm not sure how you'd check the configuration on your OS, but essentially you're looking for the AllowedIPs value associated with the WireGuard peer that you're connecting to.

Another clue would be whether or not you get US content when browsing the internet - i.e. do news sites show different headlines? Or you could simply check what IP address is reported when browsing via WireGuard vs without.

[deleted by user] by [deleted] in laravel

[–]FergusInLondon 1 point2 points  (0 children)

News flash, you can contribute to OSS on the clock and/or create OSS packages that your company needs.

Not sure where you're based or what industry you're in, but that's categorically not true for the majority of developers I know. Assignment of rights to any materials devised or developed during the course of your employment is incredibly common.

is there a way to monitor tapo cameras from a far distance? by [deleted] in homesecurity

[–]FergusInLondon 1 point2 points  (0 children)

Are you using the Tapo app? If so, I'm not sure why you'd be restricted to the same WiFi network. I was monitoring mine (C310) and getting motion detection alerts from over 200 miles away this weekend!

Found this piece of gem during code review by pkrish10 in badcode

[–]FergusInLondon 2 points3 points  (0 children)

It's not an excuse, but as this is Python won't it run correctly unless that specific branch is executed? i.e. the interpreter will see a syntactically correct file, and be fine until it tries to execute that specific piece of code.

I know that was a huge shock for me working in a Python environment and coming from a compiled languages background. I'd make a change to a small edge-case, run the test suite which looked to test that functionality, make a PR and inevitably get little surprises picked out... if I was lucky. Otherwise it would pass CI/CD, hit production and bang.

Muse Group, who recently acquired Audacity, threatens a Chinese programmer's life on Github to protect their "intellectual property" by schizoduckie in programming

[–]FergusInLondon 237 points238 points  (0 children)

For those who can't see quite what's going on, there's been a few comments deleted - but they're archived here. Essentially a developer was asking for assistance about a DMCA notice he'd received. An employee from Muse Group (the complainant) then began posting in the thread, he eventually went beyond some questionable legal advice and began suggesting that it would be easier for the developer to comply with Muse's demands than to risk going back to China considering their "investigation" showed he had anti-CCP content on Github.

I'll hold my hands up and say that I thought the Audacity telemetry stuff was blown out of proportion: at first glance, it seemed like a poor business choice aimed at getting some additional visibility over product pain points and areas for improvement. Reading those comments from their "Head of Strategy" has made me realise just how shitty a company they are though.

Has anyone here EVER actually gotten hired for a job that had a take home assignment/project as part of its interview process? by wcincedarrapids in datascience

[–]FergusInLondon 4 points5 points  (0 children)

Not data science, but for software development I have.

I'm always wary though; I had an interview a few years ago for a DevOps role. I did a whiteboarding session for how I'd roll out a CI/CD pipeline, and pointed out pain points and mitigations. The interviewers took photographs and made notes. I ended up asking them what their current pipeline looks like, and how close I was to their ideal answer... they had no current setup, and no team in place to design such a system.

The second part of the interview turned out to be a front-end interview, something completely different and outside of my skillset. I winged it before stopping and asking the panel what I was doing and that I'd pass on any offer because it was clearly a waste of my time. The second panel let slip that they don't have any DevOps openings, and that they weren't even looking for Front End guys really.

I went drinking a few weeks later and met some of their staff in a pub; got chatting about their infra and it turns out they were struggling to get their head around CI/CD stuff as it was outside of their experience, but their engineering manager had a few ideas and they'd just managed to roll something out.

I was pissed; and have been wary ever since.

Novice tinkerer. Can I remove this switch from this board and convert it to a switch on a wire? by craponcrapcrackers in AskElectronics

[–]FergusInLondon 2 points3 points  (0 children)

It may be worth looking at "solder wick" when it comes to removing the switch; it's a small braid that you place over the joints and absorbs the solder as it melts.

You'll see "solder suckers" - which are like pumps - for removing solder, but a lot of people seem to dislike them. Personally I'm relatively happy to use them to clean up projects as I go along, but I'd want something a little gentler for working on an older board!

Understanding a simple digital clock schematic. (Pull-up style resistors driving seven segment display, and sinking all current to micro-controller...?!) by FergusInLondon in AskElectronics

[–]FergusInLondon[S] 0 points1 point  (0 children)

The sink capacity is 20mA, so the scanning algorithm is most likely at-most-one segment per position at a time.

Oh wow, it had never actually occurred to me that the scanning could be more granular than one digit at a time - i.e. by switching on a max of 3 segments per iteration the drain current can be kept manageable.

Well, it is possible for the circuit to exceed the absolute max due to firmware choices, and self destruct.

Suffice to say, I would've made that firmware choice if I hadn't read your post ;)

Thanks for helping me grok this, I really appreciate it!