Randy and Don discuss an item ripped from the headlines: What should a technical manager do about the recent Meltdown and Spectre exploits? They move into the CTO modes of research, understanding, translation, preparation, upgrading, monitoring, and, most of all, not freaking out. Randy requests a bobblehead or plush toy of the Spectre logo.
- Ripped from the headlines: Part of Randy and Don's week was dealing with Meltdown and Spectre vulnerabilities.
- What is a CTO or technical manager supposed to do when big-name vulnerabilities hit the press?
- Try not to be the smartest person you know or you're doomed to have all problems brought to you.
- Start with research!
- Good and bad sources for information.
- A CTO must be able to explain the technical details at a business level to stakeholders.
- Randy mentions that these problems were being worked on months ago.
- If you have a laptop on your desk with Windows, you've outsourced a level of security to a big provider.
- It's ok to admit you don't have all the information right this minute.
- Tell staff to hold off on new websites, downloads, and installing updates on their own until later.
- There are security consultants that can take a big load of work off firms, for a price.
- A tactic for reducing anxiety: A crib sheet of all technologies (and contact numbers) used by the firm in the event of issues.
- Randy wants a Meltdown and Spectre bobblehead. Don promises to get him one.
- Official Meltdown and Spectre Websites: https://meltdownattack.com
- Amazon Web Services: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
- Intel: https://newsroom.intel.com/news/intel-responds-to-security-research-findings/
- Ars Technica: https://arstechnica.com/gadgets/2018/01/whats-behind-the-intel-design-flaw-forcing-numerous-patches/
- Apple: https://support.apple.com/en-us/HT208394
- Rendition Infosec: https://www.renditioninfosec.com/2018/01/meltdown-and-sceptre-enterprise-action-plan/
- Ruby Security Google Group
- Rails Security Google Group
- Snyk – Subscription may be required
- Gemnasium – Subscription may be required
- National Vulnerability Database
- CVE Details
- Focal Point - company that provides security audits for Don
- Google Chrome: Security on Chrome
Thanks for listening to the CTO Think Podcast. If you liked what you heard, please share a link to the podcast with your friends.
Reviews on iTunes are always appreciated and help us spread the word about the podcast.
Shownotes and previous episodes can be found on our website at www.ctothink.com
For questions, comments, or things you'd like to hear on future shows, please email us at email@example.com
For notifications of future episodes, please sign up to the CTO Think newsletter on www.ctothink.com
We'll keep talking next week!