Software Security? Ask Sloan

Dear Sloan,

Sloan provides advice on the topics of software security, devops, devsecops, and more. When you need advice, encouragement, want to share your thoughts or questions, just ask Sloan by posting your question in the comment box below. Together, we’ll make cyber a safer space.

New to Software Security Framework in NairobiSeptember 4, 2023
Hi Sloan, I am a long time reader, first time writer! I have a question for you about how implementing a software security framework relates to our software supply chain. … Read more
Rough Security Reviews in RoanokeAugust 2, 2023
Hey Sloan, I’m an Application Security Manager at a mid-size company. About a year ago, my company adopted DevOps practices, with hopes for more frequent releases and getting a better … Read more
Software Composition Analysis-Curious in ShreveportJuly 5, 2023
Dear Sloan,By now, most everyone is aware of the 2021 Cybersecurity Executive Order signed by President Biden. Since then, I’ve been hearing a lot about “software composition analysis”, which seems … Read more
Hiring Challenges in HanoiJune 2, 2023
Dear Sloan, As part of my role in HR, I’ve recently been tasked with finding an experienced DevOps Engineer to join the small, fully remote development team within my organization. … Read more
Cybersecurity: Top Five Tips in TillamookMay 2, 2023
Dear Sloan, Your advice articles are great, and your recent articles about the risks of using open source software (OSS) were very helpful. Sloan, could you please share your top … Read more
Nervous About the National Cybersecurity Strategy in NantucketApril 6, 2023
Dear Sloan, I’m seeing a lot in the news about the National Cybersecurity Strategy rolled out by the federal government. While news sources have provided an overview of what it … Read more
Tangled Up in Transitive DependenciesMarch 1, 2023
Dear Sloan, I just started a new job, and my first priority is to reduce our project vulnerabilities. When I investigated, I found that our most severe vulnerabilities are due … Read more
Making Progress on Dependency Management in ManilaFebruary 1, 2023
Dear Sloan, I’m a newer developer, and am experiencing the dreaded “dependency hell” for the first time. My team is starting to manage dependencies better, but I would love some … Read more
Contributor Wannabe in CairoJanuary 9, 2023
Dear Sloan, I’ve recently graduated from university with a degree in Software Engineering. I have spent the better part of the last six or so years learning about open-source software … Read more
Bothered by BrandjackingDecember 5, 2022
Hey Sloan, You may remember when I wrote to you about typosquatting a few months ago? Your article helped me a lot, and I read up on the most recent … Read more
Software Supply Chain Query from São PauloOctober 19, 2022
Hello Sloan,My peers sometimes talk about the “software supply chain” or our “supply chain management.” I’m a programmer and don’t really get the connection of supply chains to our work. … Read more
Terrified of TyposquattingSeptember 6, 2022
Dear Sloan, I’m a developer who works with a lot of open source software (OSS), and another developer told me to look out for typosquatting attacks. Is that a type … Read more
Distressed over OSS in InvernessAugust 9, 2022
Dear Sloan, I started a new job with a software development company at the end of last year. I work in HR but am in a physical workspace with the … Read more
Containers Crash Course Needed in Cape TownJune 10, 2022
Hello Sloan, I just started a new job and everyone at my new company loves using containers. I am familiar with the concept on a basic level, but can you … Read more
Hashes, Hashes, We all Fall DownMay 20, 2022
Hi Sloan, I’ve always relied on hashes to identify threats across our network. We recently hired a new security engineer who insists relying on hashes isn’t enough. Who’s right here? … Read more
Zero-Day Doom and GloomMay 2, 2022
Hi Sloan,When recent vulnerabilities like log4j and Spring4Shell were first reported, I heard them described with the words “zero-day”. It sounds pretty dark, like the beginning of the zombie apocalypse … Read more
Agile and DevOps – Puzzled In PittsburghApril 15, 2022
Dear Sloan, Agile and DevOps – Are they the same thing? My company calls itself Agile, but my bosses tell me that we’re “DevOps.” Are we both? Neither? Is this … Read more
Lost on Open Source Licenses in Los AngelesApril 5, 2022
Dear Sloan, I was told that an open source license for one of my OSS components that I am using in a work project is “too restrictive” and that I … Read more
Cybersecurity and SBOMs – I’m Stumped in SeattleMarch 2, 2022
Dear Sloan, What’s an SBOM? Is it part of cybersecurity? I hear people at work talking about this, and I’m afraid to ask. I am stumped, I don’t want to … Read more
Open Source Software: To be, or Not to be Free?February 22, 2022
Dear Sloan, I’m an experienced project manager, who recently took a job in technology. Coming from the healthcare industry, I have a lot to learn about all of the terminology … Read more
Malware – Malicious Apps in AnnapolisJanuary 30, 2022
Dear Sloan, I have heard much about malware, malicious apps being secretly installed on my devices. Is it safe for me to assume that if I download an app from … Read more
Dependency Confusion – I’m Dazed and ConfusedJanuary 24, 2022
Dear Sloan, I am confused about dependency confusion attacks. I’m dreading the topic of dependency hijacking. I’m also not good with namespace confusion? And I’m in a real tizzy about … Read more
Shift Left Left Me Up Schitt’s Creek – Help!January 10, 2022
Dear Sloan, I’m up Schitt’s Creek without a paddle, and I don’t know what to do. My leadership team told me to get the team to shift left. What is … Read more