Dark Reading seems to be hit and miss, but this piece about #cloud #security is a hit (esp. #4)!

1. You don't become more secure just by going to the cloud

2. Native security controls are hard to manage in a hybrid world

3. Identity won't save your cloud

4. Too many firms don't know what they're trying to protect

5. Cloud-native development incentives are out of whack

https://www.darkreading.com/cybersecurity-operations/ciso-corner-evil-sboms-zero-trust-cloud-security-mitre-ivanti

Discussion

Later, at that same URL, is a crap article on SBOMs. The author either ignores, or is oblivious to, the fact that attackers have been checking for vulnerable dependencies for decades.

If he has been pen testing for 20 years, he should certainly know this. He should also know that defenders are less likely to put in this same level of effort on tracking down libraries. I don't mean that in a disparaging way to the defenders out there. They're relying on the developers to do this work because the developers are the ones who can actually fix the issue. All the blue team (operations) can do is report it to the devs and try to mitigate it in the meantime. So it makes sense defenders wouldn't be spending their time this way. Devs should be, and if SBOMs become a requirement (de facto or otherwise), they will be.

Making it easier to make this determination with #SBOMs will benefit #attackers, but it will benefit #defenders more.

nostr:nevent1qqsr02wdr0v28m0wneu9t90du6pm3dxuucf8p3fkvt2e9mqr77psxhqpp4mhxue69uhkummn9ekx7mqzyrfsa2vw5e0f20u34wfldvcw550tx0zsd7raf8mqpgfe4mcq4223zqcyqqqqqqgaggp5c