
Dear Sloan,
Sloan provides advice on the topics of software security, devops, devsecops, and more. When you need advice, encouragement, want to share your thoughts or questions, just ask Sloan by posting your question in the comment box below. Together, we’ll make cyber a safer space.
- New to Software Security Framework in Nairobi
  Hi Sloan, I am a long time reader, first time writer! I have a question for you about how implementing a software security framework relates to our software supply chain. …
- Rough Security Reviews in Roanoke
  Hey Sloan, I’m an Application Security Manager at a mid-size company. About a year ago, my company adopted DevOps practices, with hopes for more frequent releases and getting a better …
- Software Composition Analysis-Curious in Shreveport
  Dear Sloan, By now, most everyone is aware of the 2021 Cybersecurity Executive Order signed by President Biden. Since then, I’ve been hearing a lot about “software composition analysis”, which seems …
- Hiring Challenges in Hanoi
  Dear Sloan, As part of my role in HR, I’ve recently been tasked with finding an experienced DevOps Engineer to join the small, fully remote development team within my organization. …
- Cybersecurity: Top Five Tips in Tillamook
  Dear Sloan, Your advice articles are great, and your recent articles about the risks of using open source software (OSS) were very helpful. Sloan, could you please share your top …
- Nervous About the National Cybersecurity Strategy in Nantucket
  Dear Sloan, I’m seeing a lot in the news about the National Cybersecurity Strategy rolled out by the federal government. While news sources have provided an overview of what it …
- Tangled Up in Transitive Dependencies
  Dear Sloan, I just started a new job, and my first priority is to reduce our project vulnerabilities. When I investigated, I found that our most severe vulnerabilities are due …
- Making Progress on Dependency Management in Manila
  Dear Sloan, I’m a newer developer, and am experiencing the dreaded “dependency hell” for the first time. My team is starting to manage dependencies better, but I would love some …
- Contributor Wannabe in Cairo
  Dear Sloan, I’ve recently graduated from university with a degree in Software Engineering. I have spent the better part of the last six or so years learning about open-source software …
- Bothered by Brandjacking
  Hey Sloan, You may remember when I wrote to you about typosquatting a few months ago? Your article helped me a lot, and I read up on the most recent …
- Software Supply Chain Query from São Paulo
  Hello Sloan, My peers sometimes talk about the “software supply chain” or our “supply chain management.” I’m a programmer and don’t really get the connection of supply chains to our work. …
- Terrified of Typosquatting
  Dear Sloan, I’m a developer who works with a lot of open source software (OSS), and another developer told me to look out for typosquatting attacks. Is that a type …
- Distressed over OSS in Inverness
  Dear Sloan, I started a new job with a software development company at the end of last year. I work in HR but am in a physical workspace with the …
- Containers Crash Course Needed in Cape Town
  Hello Sloan, I just started a new job and everyone at my new company loves using containers. I am familiar with the concept on a basic level, but can you …
- Hashes, Hashes, We all Fall Down
  Hi Sloan, I’ve always relied on hashes to identify threats across our network. We recently hired a new security engineer who insists relying on hashes isn’t enough. Who’s right here? …
- Zero-Day Doom and Gloom
  Hi Sloan, When recent vulnerabilities like log4j and Spring4Shell were first reported, I heard them described with the words “zero-day”. It sounds pretty dark, like the beginning of the zombie apocalypse …
- Agile and DevOps – Puzzled In Pittsburgh
  Dear Sloan, Agile and DevOps – Are they the same thing? My company calls itself Agile, but my bosses tell me that we’re “DevOps.” Are we both? Neither? Is this …
- Lost on Open Source Licenses in Los Angeles
  Dear Sloan, I was told that an open source license for one of my OSS components that I am using in a work project is “too restrictive” and that I …
- Cybersecurity and SBOMs – I’m Stumped in Seattle
  Dear Sloan, What’s an SBOM? Is it part of cybersecurity? I hear people at work talking about this, and I’m afraid to ask. I am stumped, I don’t want to …
- Open Source Software: To be, or Not to be Free?
  Dear Sloan, I’m an experienced project manager, who recently took a job in technology. Coming from the healthcare industry, I have a lot to learn about all of the terminology …
- Malware – Malicious Apps in Annapolis
  Dear Sloan, I have heard much about malware, malicious apps being secretly installed on my devices. Is it safe for me to assume that if I download an app from …
- Dependency Confusion – I’m Dazed and Confused
  Dear Sloan, I am confused about dependency confusion attacks. I’m dreading the topic of dependency hijacking. I’m also not good with namespace confusion? And I’m in a real tizzy about …
- Shift Left Left Me Up Schitt’s Creek – Help!
  Dear Sloan, I’m up Schitt’s Creek without a paddle, and I don’t know what to do. My leadership team told me to get the team to shift left. What is …