Posts by Eric Gallagher | SecuringTheBackbone.com
youtu.be/cInDUDS9UOc
www.linkedin.com/pulse/securi...
#SoftwareSupplyChain #CyberSecurity #DevSecOps #SBOM #SecuringTheBackbone
Four questions worth asking your security team this week:
1️⃣ Do you know the provenance of every third-party package running in production?
2️⃣ If a zero-day drops in a dependency today, how fast can you identify every affected system?
3️⃣ Are your developers pulling packages from verified internal sources — or directly from public registries?
4️⃣ Are your security tools producing signal, or signal and noise?
If any answer is "I'm not sure" — you have a foundation problem.
And no AI vulnerability scanner, however capable, fixes a foundation problem.
This week's Securing the Backbone covers why the organizations asking these questions before Claude Code Security launched are the ones best positioned to use it effectively.
Link below. 👇
Full breakdown in this week's Securing the Backbone. Link below. 👇
www.linkedin.com/pulse/securi...
#DevSecOps #SoftwareSupplyChain #OpenSourceSecurity #CyberSecurity
Unpopular opinion: Claude Code Security made a clean software supply chain more valuable. Not less.
Here's why.
AI vulnerability scanners produce findings. A lot of them. The value of those findings depends entirely on the quality of what's being scanned.
Unverified packages + unknown provenance + public registry pulls = signal and noise, and you can't tell them apart.
A curated, verified supply chain doesn't just reduce your attack surface.
It increases the signal quality of every downstream security tool you run — including the AI-powered ones.
Better inputs. Cleaner scans. Faster response when it actually matters.
The organizations who understood this before last week's announcement aren't threatened by Claude Code Security. They're positioned to get more out of it than anyone else.
This is the conversation the cybersecurity industry needs to have about AI vulnerability scanning — and it's exactly what I cover in this week's Securing the Backbone.
Link below. 👇
#SoftwareSupplyChain #AppSec #CriticalInfrastructure #SecuringTheBackbone
www.linkedin.com/pulse/securi...
You run a commercial kitchen with a world-class food safety inspection system.
It can detect contaminants faster and more accurately than any human inspector.
Question: Do you stop vetting your ingredient suppliers?
Stop requiring certificates of origin?
Stop asking for cold chain documentation?
Of course not.
Because a compromised ingredient engineered to look clean might sail right through your inspection system.
Your best protection was always knowing what came in the door before it hit the prep table.
Ran across this statistic today while researching AI coding trends.
As stated below, 41% of all code was AI-generated in 2025.
Engineers in the crowd... would you say this number is accurate, overstated, or understated?
#softwareengineer #AI #coding
Not all packages are equal.
Some have security programs and rapid CVE response. Others haven't seen a commit in two years.
When you pull from public repos without curation, you inherit the security posture of strangers.
Choose better. Source from better.
How do you currently vet the quality of packages before they enter your environment—or do you?
#CISO #InfoSec
If you’ve been reading my posts about starting with cleaner code, sourcing packages from managed, curated catalogs instead of the public ecosystems, the announcement below should get you pumped up 💪🔥
www.activestate.com/resources/pr...
Every package you consume is a liability.
A typical app declares 50 direct dependencies. But count the transitive ones? That's 500 to 1,500.
Most organizations have no idea what's actually in their dependency trees.
You can't reduce what you can't see. Start with the audit.
When's the last time you looked at your full dependency count—not just direct, but transitive?
#CISO #InfoSec #Securingthebackbone
The tactical playbook for turning down the faucet.
Check out the full issue below 👇
#CISO #InfoSec #Securingthebackbone
buff.ly/3i20XiB
Last week's issue of STB explained why remediation demand never drops.
This week: what to actually do about it.
Five levers, with specific actions, and metrics that matter.
Dependency volume. Quality. Age. Sourcing. Sprawl.
These five factors determine how many vulnerabilities enter your environment.
Your remediation metrics don't measure any of them.
That's the problem.
Read more in this week's issue of STB. Link below.
securingthebackbone.com/blog/securin...
You can't control how many #CVEs get discovered.
You can control your exposure to them.
50,000 unmanaged packages = maximum surface area.
5,000 curated packages = structural leverage.
Same weather. Different roof.
buff.ly/QGbOTjX
Two ways to improve any system:
1️⃣ Handle demand faster
2️⃣ Reduce demand at the source
Most security programs have maxed out #1.
The untapped lever? #2.
New issue explores the upstream question nobody's asking. 👇
Your security team has optimized the drain. But the faucet is still running.
Backlogs shrink. Costs don't.
Because you're processing vulnerabilities faster—not reducing how many enter.
This week's Securing the Backbone: why remediation demand never drops, and what to do about it.
In this week's issue of STB, I outline The Faucet and The Drain, a common approach to open-source governance, and why it isn't optimal.
securingthebackbone.com/blog/securin...