Infosec is still figuring out useful metrics, how to talk about risk, and how to make resilience more relevant. Shannon talks about a new community effort to measure software trust. She also covers threat modeling and adversary management as steps towards determining an org's resiliency and security.
Segment resources:
software trust
Security researchers say companies don't revoke API keys lightly and point out that invalidating the API keys could shut down all systems that rely on those APIs.
NPM is being subjected to a new ongoing attack with a novel execution chain involving package pairs that work together to facilitate additional resource retrieval and execution.
Two XSS vulns via postMessage methods in Azure, how to choose (and move on from) a web research topic, OpenSSF finances a security developer-in-residence for Python, more infosec myths, and free cybersecurity training resources.
Aqua Nautilus says once an attacker exploits a repository on GitHub, it could lead to code execution on an internal environment or on a customer’s systems.