Back-of-the-napkin calculation ...
- 10^8 open source projects in the world
- 10^7 downloads *per month* for many popular projects
- 10^3 versions of each project over time
- 10^2 OSS components in the average product
--> roughly 10^20 running instances of open source software (that could have vulnerabilities)

so, yes, we're on the same order of magnitude of "a mole of CVEs"

(for those rusty on H.S. chemistry, a mole is 6.02 * 10^23 atoms)

As a digital civilization, we've reached a scale where we need to start considering software vulnerability management at the scale of molarity. To do this, we need new ways of modeling the #cybersecurity of #opensource.

Drinking game for all my #RSAConf friends: find a bar next week and sing the "CVE Molarity" song. It goes like this ...

10^23 CVEs on the wall, 10^23 CVEs...
Take one down, exploit it around...
10^23 CVEs on the wall!

#badjoke #cyber #rsac