{"id":4371,"date":"2026-04-28T09:00:00","date_gmt":"2026-04-28T09:00:00","guid":{"rendered":"https:\/\/samjwatkins.com\/blog\/?p=4371"},"modified":"2026-04-22T12:41:07","modified_gmt":"2026-04-22T12:41:07","slug":"understanding-cyber-risk","status":"publish","type":"post","link":"https:\/\/samjwatkins.com\/blog\/?p=4371","title":{"rendered":"Understanding and managing cyber risk."},"content":{"rendered":"\n<p>I have spent the past four years of my career helping teams understand their cyber risk.<\/p>\n\n\n\n<p>I would say, first and foremost, many of the established ways of doing business fundamentally introduce vulnerabilities into code.<\/p>\n\n\n\n<p>I love open source, but there are libraries I do not touch because I only &#8220;need&#8221; a couple of functions and the remainder of the library is just not well written &#8211; but many of the cyber scanners will report you have risks that are not appropriate for you, which then needs to be analysed.<\/p>\n\n\n\n<p>It&#8217;s noise.  Many firms are losing personnel too, which is going to amplify the impacts we&#8217;re seeing.<\/p>\n\n\n\n<p>I&#8217;m starting a few projects to see what the market is interested in, and I have to say, I am not keen on using an AI that suggests doing things using insecure libraries.  Because I am looking at doing a stand-alone tool on Android, why would I use anything that isn&#8217;t part of the core languages I am using?<\/p>\n\n\n\n<p>I am starting as a sole trader, as soon as I register my company.  
Why would I make my life harder by using libraries that are not really well written?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How can I tell?<\/h2>\n\n\n\n<p>This is a really good question, and many people will point to open-licensed versions of the big scanners, things like SCA or source composition analysis (for analysing those open source vulnerabilities) or SAST (static application security testing) tools which analyse your own code.<\/p>\n\n\n\n<p>SCA in big companies is really important, but if you are doing something novel, your design should include some basic checks.  My main server is using Tomcat, so I can physically go and look up this component here: <a href=\"https:\/\/www.cvedetails.com\/version\/2036048\/Apache-Tomcat-10.1.48.html\">https:\/\/www.cvedetails.com\/version\/2036048\/Apache-Tomcat-10.1.48.html<\/a>.  At the time of writing, this version has no known issues found against it.<\/p>\n\n\n\n<p>If I make the choice to use a library, I can go and look that up.  That includes Linux tools; most of those are in there too.  Each vulnerability is looked at in terms of how the exploit is leveraged, so if you really cannot upgrade the library, toolset, or function, you can quickly decide how the mitigation is going to be made.<\/p>\n\n\n\n<p>Such practices allow code to be maintained.  Some of my code is over 30 years old now, and still works.  I keep my code lean.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Key questions.<\/h2>\n\n\n\n<p>If you are using a library from somewhere else, what appetite do the manufacturers have to look after the code?  How often do they review what is in that library or toolset?  How are releases made?<\/p>\n\n\n\n<p>Should you own some of the functions after a while?  Open source is great for getting you going, but actually, if you are using a tiny subset of the library in question, should you edit out what you need?<\/p>\n\n\n\n<p>Are you updating your languages often?  Can you automate that update and regression testing?  
Do you have testing and development areas so you can do that with an &#8220;if it all passes, go straight to live&#8221; mentality?<\/p>\n\n\n\n<p>If not, is it being flagged to the appropriate people to say things are not working?  Are those failing tests supported by error handling which allows those people to go straight into the functions in question, to make debugging easy?<\/p>\n\n\n\n<p>Do you have designs that allow deep debugging without much head scratching?  UML is ideal for this: I love an object design that includes the libraries in question.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Isn&#8217;t this all a lot of effort?<\/h2>\n\n\n\n<p>Yes, but if you are doing things properly, shouldn&#8217;t it be effort?<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What about if you haven&#8217;t done enough?<\/h2>\n\n\n\n<p>I formed my company on the 1st March 2026.  I produced a company website, running on my existing infrastructure.  But on the 18th March, my home website was attacked by a sustained distributed denial of service attack (aka DDoS).<\/p>\n\n\n\n<p>Because my site is engineered for resilience, it only affected two of the services I offer.  Logging helped me identify what was going on.  Because this is not my area of expertise, I did reach out to Claude to help me configure the services beyond what was already in place.<\/p>\n\n\n\n<p>Within 3 hours I had a solution and, more importantly, was able to re-establish provision of service.  I think that is slow, but it would have taken me longer without that access to approaches and techniques.<\/p>\n\n\n\n<p>But it highlighted that actually, such tools, like people, do not work well without breaks.  
The models found it difficult to reshape their reasoning based on new facts after ninety minutes or so.<\/p>\n\n\n\n<p>The good thing was the tools I approached looked at the underlying architecture, but this probably missed some avenues accessible from the tools being impacted.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why were you attacked?<\/h2>\n\n\n\n<p>Always an interesting question, but I think this was a web crawler looking for holes across the internet.  I had 2 million hits per hour.  That&#8217;s not a targeted hit, that&#8217;s an &#8220;I&#8217;ve found a weakness, I&#8217;m having some fun&#8221;.<\/p>\n\n\n\n<p>The security fixes I have put in were only possible because I was fully patched.  Otherwise, I would have had to fully patch first, then apply the fixes after that.<\/p>\n\n\n\n<p>Many systems do not come &#8220;pre-hardened&#8221;.  Documentation can be difficult to find, without seeking it out.  Maybe tools like Claude.ai and Gemini would help people to do that.<\/p>\n\n\n\n<p>Of course, some people are using such tools to find exploits.  Tools like chat bots have allowed queries to be much more effective without specialist knowledge!<\/p>\n\n\n\n<p>But the opportunity is there to enable you to make your environments safer and more resilient to attack.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have spent the past four years of my career helping teams understand their cyber risk. I would say, first and foremost, many of the established ways of doing business fundamentally introduce vulnerabilities into code. 
I love open source, but there are libraries I do not touch because I only &#8220;need&#8221; a couple of functions [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,4],"tags":[],"class_list":["post-4371","post","type-post","status-publish","format-standard","hentry","category-forty-two","category-work"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Understanding and managing cyber risk. - Finding the chase and cutting to it<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/samjwatkins.com\/blog\/?p=4371\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Understanding and managing cyber risk. - Finding the chase and cutting to it\" \/>\n<meta property=\"og:description\" content=\"I have spent the past four years of my career helping teams understand their cyber risk. I would say, first and foremost, many of the established ways of doing business fundamentally introduce vulnerabilities into code. 
I love open source, but there are libraries I do not touch because I only &#8220;need&#8221; a couple of functions [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/samjwatkins.com\/blog\/?p=4371\" \/>\n<meta property=\"og:site_name\" content=\"Finding the chase and cutting to it\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-28T09:00:00+00:00\" \/>\n<meta name=\"author\" content=\"Sam J Watkins\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Sam J Watkins\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/samjwatkins.com\/blog\/?p=4371#article\",\"isPartOf\":{\"@id\":\"https:\/\/samjwatkins.com\/blog\/?p=4371\"},\"author\":{\"name\":\"Sam J Watkins\",\"@id\":\"https:\/\/samjwatkins.com\/blog\/#\/schema\/person\/b001c9aecccd284b29f0d69e10c68af5\"},\"headline\":\"Understanding and managing cyber risk.\",\"datePublished\":\"2026-04-28T09:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/samjwatkins.com\/blog\/?p=4371\"},\"wordCount\":933,\"commentCount\":0,\"articleSection\":[\"42\",\"Work\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/samjwatkins.com\/blog\/?p=4371#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/samjwatkins.com\/blog\/?p=4371\",\"url\":\"https:\/\/samjwatkins.com\/blog\/?p=4371\",\"name\":\"Understanding and managing cyber risk. 
- Finding the chase and cutting to it\",\"isPartOf\":{\"@id\":\"https:\/\/samjwatkins.com\/blog\/#website\"},\"datePublished\":\"2026-04-28T09:00:00+00:00\",\"author\":{\"@id\":\"https:\/\/samjwatkins.com\/blog\/#\/schema\/person\/b001c9aecccd284b29f0d69e10c68af5\"},\"breadcrumb\":{\"@id\":\"https:\/\/samjwatkins.com\/blog\/?p=4371#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/samjwatkins.com\/blog\/?p=4371\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/samjwatkins.com\/blog\/?p=4371#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/samjwatkins.com\/blog\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Understanding and managing cyber risk.\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/samjwatkins.com\/blog\/#website\",\"url\":\"https:\/\/samjwatkins.com\/blog\/\",\"name\":\"Finding the chase and cutting to it\",\"description\":\"A collection of thoughts, reactions and general comment\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/samjwatkins.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/samjwatkins.com\/blog\/#\/schema\/person\/b001c9aecccd284b29f0d69e10c68af5\",\"name\":\"Sam J Watkins\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/samjwatkins.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f17b5fe5ce9452eabf02f5a3336a2b0904c97885f140575db0a5fbb4188f136c?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f17b5fe5ce9452eabf02f5a3336a2b0904c97885f140575db0a5fbb4188f136c?s=96&d=mm&r=g\",\"caption\":\"Sam J 
Watkins\"},\"description\":\"https:\/\/www.linkedin.com\/in\/sam-watkins-6564311\/\",\"sameAs\":[\"http:\/\/samjwatkins.com\"],\"url\":\"https:\/\/samjwatkins.com\/blog\/?author=2\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}