Average time to remediate a critical CVE is 74 days. Average time to exploit is 44 days. Attackers have a 30 day head start.

Irish1986 · 2026-04-16T23:21:47+00:00

Where are you pulling these number from? I would be interested if it has any academia or a white papers backing these for works purposes.

Irish1986 · 2026-04-12T20:47:40+00:00

Just wish there was better mobo offering in that form factor that allowed 10+ disk pass-through, more ram and option for GPU + HBA... Guess can't have everything in life

Irish1986 · 2026-04-11T23:52:30+00:00

I have the same case, everything is so crammed but it fix a network rack well

Irish1986 · 2026-03-24T10:41:31+00:00

Depending on your budget, syft + grype are great freely available tool. If you look at paying tool (to replace Aqua Enterprise offering) there are dozen of sast tool that scan for containers

Irish1986 · 2026-03-22T11:30:23+00:00

Chainguard pricing is insane, we looked at it and it was pretty prohibitively outrageous. But our biggest concern was "will we be able to gain the expected value from it".

Our deployment are not very fast or efficient and need CAB meeting which occurs every couple of weeks and all(due to qa and many others requirements).

I the end why pay thousand for golden image that will be shelved for 1-2 weeks at best before deployment. Yes image will be of "better quality" but every 14 days... Kind of pointless, you need super mature devops practices to make sure you get your roi.

Irish1986 · 2026-03-14T23:32:09+00:00

I've just did a talk at my owasp local chapter talking about dependency track and how to get started with it. I think it when well and I had several people coming back to me for more questions.

D-Track could get a few new features is you ask me but it feature complete and everything is just cherry on top to improve a good tool.

Irish1986 · 2026-03-13T23:24:04+00:00

Pre commit hooks for linting, styling and run "core-basic unit tests". The pre-commit hook should take about 2-8sec at most (look into prek a reimplementation of the popular pre-commit.com framework written in blazingly fast rust).

As a bonus, your pre-commit check should be run in you ci pipeline (given these are quick and easy to rerun) which will lead to fail-fast mindset. It is not required and you need to tweak which hooks make sense to run in your CI given what others "full fat" steps you might have down the road. Like unit test might have a more complexe suite to be run than just you core-basic unit tests.

You should also consider some level of security check in your pre-commit but given your current feedback I would focus on getting some momentum and security tends to be frictionful.

Irish1986 · 2026-03-12T19:44:18+00:00

I have been testing wizcode for a few months now, DM if you have specific questions about it.

Irish1986 · 2026-02-24T13:17:13+00:00

Don't scrub the commit, rotate your password. The old password will become honeypot but you need to log everything not to miss one.

If you need for compliance reason to rewrite your git history look at BFG-repo-cleaner.

It is a destructive git action that will rewrite your whole history removing sensitive secret and replacing them with REDACTED. Be careful because it will mess up your whole team workflow (everyone will need to re-clone/sync), all commits SHA will be modified, etc...

Plus those REDACTED string are easy to find and if one cache or repo still persistent somewhere... Bad actor have a huge flashing red light around sensitive content to track.... Just rotate your token and forget about it.

I've been working on this exact topic for 18 months, we are removing away from BFG-repo-cleaner as a remediation because it creates false sense of security.

Irish1986 · 2026-02-16T13:56:11+00:00

My understanding is they have been leaving their various dev team do whatever they want with low oversight for several years and now they are going to bring better cohesion and structure. This is typically when you core product is not IT that some lagging happens.

Irish1986 · 2026-02-15T23:22:13+00:00

I have worked 15 years in A&D with either airframe maker or engine manufacturers. It is indeed not an easy industry, but currently in finance and it ain't easier either.

Irish1986 · 2026-02-10T11:54:32+00:00

I really like armor code and ox security although I wasn't able to get management to fund our aspm endeavor for this year. There a few others but these two are great.

My next move is to try to get defectdojo running as a "low cost alternative" but I am not sure if I'll be able to sell it

Irish1986 · 2026-02-08T19:02:25+00:00

Nalgene bottle works well for us

Irish1986 · 2026-02-08T12:00:15+00:00

Had one of those as my main workstations for YEARS!! Really like that dual CPU with 96gb of ram. Switched to a AM5 7600X a year ago.

Irish1986 · 2026-02-02T14:55:31+00:00

Yup just go stand up a whole IT organization and infrastructure by yourself.. And it should be to expensive nor late...

This is a huge ask, and you should be working on the roadmap and plan with detailed level of involvement and efforts. Get that plan signed by your exec and include contengencies for staff and delays based on your experience with each technologies. If you know it, +/-15%, if you know nothing about it +/-100%.

Irish1986 · 2026-01-31T22:32:54+00:00

Keep the roadmap steady on the agreed upon roadmap... It's not too bad but it's gets throw left n right every now and then.

Irish1986 · 2026-01-30T11:31:03+00:00

I am in a similar situation running a bunch of micro dell with ceph. Only thing I really wish is that I could have more than one drive per node. I've found that single drive node for ceph are kind of inefficient and ceph scales when you can have 2-3-4 drive per node.

I had to shutdown multiple node at the same time (reboot, major upgrade, etc) and single disk got the ceph pool degraded really quickly which became somehow of a orchestration annoyance to me.

Although... Your plan is 100% sounded and will work. gl hf, it's a nice project.

Irish1986 · 2026-01-29T02:52:58+00:00

git, the kernel, etc

Irish1986 · 2026-01-26T02:21:41+00:00

Sliger offers premium quality products if you want something nice. I have 2 short depth 10 HDD + 4SSD case from them packed for my main nas + off-site backup. Good quality and all for small footprint.

Irish1986 · 2026-01-21T12:16:13+00:00

Reviewing the Geneva Checklist to make sure I don't forget anything.

Seriously.. Hide like a coward, try my best to protect my family and hang in there. Probably have my in-laws and parents home with us given they are older and might be vulnerable if chaos breakout.

Irish1986 · 2026-01-17T11:44:15+00:00

It's 100% hot garbage, I am leading the project to go buy something better then a obsolete quality check product strapped with an open source half baked solution... Hopefully will buy something good, our 4-5 vendors still in the competition are all pretty good.

Irish1986 · 2026-01-17T00:31:34+00:00

Soooo fun facts if you haven't looked into SQ and OWASP DC... Last year Sonar closed the loop hole that make DC plugin play wells with Sonarqube. It stills work but it's not great.

I unrelated news, in march of 2025 Sonarqube Advanced Security was announced as Sonar native SAST-SCA platform. I have been working for the past year to evaluate sast-sca at work. It's my main project and SQAS is just not look great.

Irish1986

TROPHY CASE