CyberSec.Cafe

Brewing Cybersecurity Insights

Category: Cybersec.cafe

An Open Letter to ENISA

April 17, 2025 / / 0 Comments

Safeguarding European Vulnerability Management

Following up on yesterday’s post, today we are publishing the full text of the open letter sent to ENISA and key European cybersecurity stakeholders.
The letter addresses the urgent need for a reliable, independent European approach to vulnerability management in light of the recent MITRE announcement (see image below).

We invite the entire cybersecurity community to read, share, and support this initiative.

Open Letter Text

Subject: Open Letter to ENISA – Ensuring European Continuity and Governance for the CVE Program

To the attention of ENISA Management and to the EUVD team,

Dear ENISA Management and EUVD Team,

As representatives of various Italian CISO communities, we would like to express our sincere concern regarding the future of the CVE (Common Vulnerabilities and Exposures) program, as indicated in the recent communication from MITRE (source: https://bsky.app/profile/tib3rius.bsky.social/post/3lmulrbygoe2g).

The CVE program has long served as a cornerstone for global vulnerability identification, tracking, and coordinated response. Any disruption to this service would significantly impact European cybersecurity, affecting national vulnerability databases, tool vendors, incident response teams, and the protection of critical infrastructure, potentially reducing our collective capacity to respond effectively.

The recent announcement of the formation of the CVE Foundation (source: https://www.thecvefoundation.org/) — in response to the end of U.S. government sponsorship — represents an important moment for the global cybersecurity community. For 25 years, the CVE Program has been the pillar of vulnerability management, yet its future would benefit from broader international support.

We respectfully invite ENISA to consider assuming a European coordination role — at least temporarily — to develop a European alternative system that preserves existing CVE data while ensuring the continuity of these essential services —potentially through the integration and further development of the EUVD platform currently in beta phase. This would represent a reliable alternative, preventing future service interruptions and granting Europe independent governance over a capability of such critical importance.

We kindly ask ENISA to help safeguard the current CVE ecosystem and, drawing on the cross-disciplinary expertise of the undersigned associations, to explore possible improvements to the system for the benefit of the entire European community.

We would also recommend that ENISA establish direct contact with MITRE to explore avenues for collaboration and support, helping ensure that Europe remains an active and reliable partner in the global vulnerability management ecosystem.

As CISOs and as members of major Italian cybersecurity associations we declare our full availability to support ENISA and MITRE in any technical, operational, or advocacy capacity required. 

We believe that Europe has an opportunity to take proactive steps to safeguard its digital resilience and avoid fragmentation. This aligns closely with the ongoing enhancements of cyber robustness and resilience promoted by multiple European directives and regulations.

We are ready to participate in any working groups, task forces, or initiatives that ENISA may wish to activate on this urgent matter.

This represents an important moment for European cybersecurity:

A coordinated response will strengthen our collective resilience and set a positive precedent for international cooperation.

We look forward to your response and remain at your disposal for further discussion.

Best regards,

Andrea Succi, creator of this initiative, on behalf of 45 Italian CISOs (or similar profiles) and of CISOs4AI https://cisos4ai.org/

Luca Moroni on behalf of CSA Cyber Security Angels https://cybersecurityangels.it/ 

Alessandro Oteri on behalf PensieroSicuro Network https://www.pensierosicuronetwork.it/

If you are interested in joining as a signatory or supporting this initiative, please let us know so we can include your name in future correspondence with ENISA.

The Future of CVE Is at Risk

April 16, 2025 / / 0 Comments

European Cybersecurity Must Take Action

Yesterday, MITRE released an urgent communication to the global cybersecurity community: the funding pathway for the CVE (Common Vulnerabilities and Exposures) program is set to expire today, April 16, 2025.

Without immediate intervention, the world’s most critical reference for vulnerability management could face a service disruption, with potentially devastating consequences for all digital ecosystems.

Why does this matter?

CVE is the backbone of vulnerability identification and coordination. Every security tool, advisory, and incident response process relies on it. As MITRE warns in their letter, a break in service would mean:

  • Deterioration of national vulnerability databases and advisories
  • Disruption for tool vendors and incident response teams
  • Increased risks for critical infrastructure across the globe

“If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure.”
— MITRE, April 15, 2025

What can we do in Europe?


As a CISO and member of the Italian and European cybersecurity community, I believe this is a wake-up call.

We cannot afford to be passive spectators. The time has come for Europe to step forward and ensure the continuity of this essential service.

Our proposal:

  • Immediate engagement with ENISA (the European Union Agency for Cybersecurity) to coordinate a European response and ensure continuity of the CVE program, even temporarily.
  • Direct contact with MITRE to offer European support and collaboration.
  • Mobilization of the CISO community and all relevant associations to advocate for a unified, proactive approach.

I am coordinating an open letter to ENISA on behalf of the Italian CISO community, calling for urgent action and offering our collective expertise and support. If you want to be part of it let me know!

How you can help:

  • Share this news to raise awareness.
  • If you are a CISO, represent an association or organization, join our initiative.
  • Let’s make our voice heard: Europe must not be left vulnerable.

You can read more here and the MITRE communication here.

This is a crucial moment for our digital future.

If you want to join or support the open letter, comment below or contact me directly. Together, we can make a difference.

Holding Software Vendors Accountable for Security Breaches

July 18, 2024 / / 0 Comments

The Case for Liability and the Hidden Costs of Security Features

A Call for Vendor Accountability

Sixteen years ago I just started my career in Information Security (cyber was not a thing yet) and I remember that Bruce Schneier, a renowned security expert, was arguing that software vendors should be held liable for the security flaws in their products. In a 2008 article, Schneier highlighted the economic inefficiencies stemming from insecure software, noting that the costs of these insecurities are unfairly borne by users and organizations rather than the vendors themselves.

Despite the passage of time, the landscape has not significantly changed. So many vendors continue to transfer (yes transfer as in a Risk Management Strategy) the risk of security breaches to their clients, leaving them to deal with the eventual fallout. Schneier’s argument remains compelling today.

By making vendors financially responsible for security breaches, we can realign incentives to prioritize secure software development. This shift is crucial in an era where data breaches are increasingly common and costly.

Something changed with the California Consumer Privacy Act back in 2018. It was a good beginning (I know it wasn’t enough but we have to start somewhere). The introduction of the Cyber Resilience Act (CRA) is another step in the right direction.

The SSO Tax: A Barrier to Security

One issue that exemplifies the misalignment of incentives in the software industry is the so-called Single Sign-On (SSO) tax. The SSO tax refers to the additional charges that software vendors impose for providing SSO functionality, a feature that enhances security by allowing users to access multiple applications with a single set of credentials. While SSO can significantly improve security and streamline user experience, many vendors place it behind expensive paywalls.
You can find some examples in the SSO Wall of Shame. Increases range from +10% to 49900%. I really like their example: “Imagine buying a car and the manufacturer asks for an extra payment to unlock 100% of the braking power. Not offering security features if they already exist in your product means a vendor doesn’t care about your security.”
Sadly, the result is that this pricing strategy not only hinders the adoption of essential security features but also exacerbates the economic burden on smaller organizations, which are often the least equipped to handle security breaches.

The Privacy by Design and Privacy by Default Principles

The European General Data Protection Regulation (GDPR) introduced 8 years ago the principles of Privacy by Design and Privacy by Default, which mandate that data protection measures should be integrated into the development of business processes and systems from the outset. In particular, Privacy by Default mandates that the highest privacy settings should be the default configuration, which includes robust authentication mechanisms.

In short, these principles aim to ensure that personal data is adequately protected throughout its lifecycle, minimizing risks and enhancing user trust.
Am I the only one seeing this, or could charging these kinds of fees for basic security features like SSO or MFA be seen as contrary to these principles?

The Cyber Resilience Act: Another Step Forward

The European Union’s Cyber Resilience Act (CRA) is a recent legislative effort aimed at improving cybersecurity for products with digital components. The CRA introduces mandatory cybersecurity requirements for manufacturers and retailers, ensuring that products are secure throughout their lifecycle. This includes harmonized rules for bringing products to market, obligations for planning, design, development, and maintenance, and a duty of care for the entire lifecycle of such products.While the CRA is a significant step in the right direction, it is not enough on its own. The Act addresses many issues, such as the low level of cybersecurity in many products and the lack of adequate security updates. However, it does not fully resolve the problem of vendor accountability. The CRA mandates that products must meet certain cybersecurity standards, but it does not go far enough in holding vendors accountable for breaches caused by their products.

Conclusion: Aligning Incentives for Better Security

The call for vendor liability in the event of security breaches is more relevant than ever.
The current economic model does not incentivize vendors to prioritize security. By imposing liability, we can ensure that vendors take the necessary steps to secure their products, ultimately benefiting consumers and the broader market. Moreover, the SSO tax and similar practices undermine the principles of Security/Privacy by Design and by Default.
In conclusion, holding vendors accountable will force them to eliminate additional costs for essential security features. This would be a critical step towards a safer digital environment.
It is time for policymakers, industry leaders, and Data Protection Authorities to create a framework that prioritizes security and fairness for all users.

Is the CIA Triad Enough for Today’s Cybersecurity Challenges?

May 2, 2024 / / 0 Comments

The Parkerian Hexad

Yesterday, the first of May, Fabrizio Cilli and I engaged in a deep discussion about the adequacy of the CIA triad in today’s cybersecurity practices, particularly in the context of AI, OT, and connected devices, where safety is a significant concern. Our conversation was sparked by a thought-provoking post, which suggested to dust off the Parkerian Hexad that foresee the addition of three dimensions to the traditional CIA Triad, emphasizing the need to expand our security models to ensure AI systems are also safe for human use.

CIA-S

Tom Cornelius’ alternative model, the CIAS, incorporates Safety into the traditional CIA Triad. This model acknowledges the limitations of the CIA Triad in the era of AI, IoT, and OT, where the safety component becomes essential for guiding risk management decisions. Also this model reflects a growing recognition that cybersecurity Risk Assessment frameworks must evolve to address the complexities of modern technology.

Different dimensions

In my humble opinion, Safety and the CIA components may indeed operate on different dimensions. A breach in integrity, for example, could have direct implications for safety, showing that these aspects are intertwined yet distinct. When considering risk, it’s clear that cyber risk and safety risk are two interlinked concerns that must be assessed together.

An integrated multidimensional Physical-Cyber security approach

Today, I had the opportunity to read Enrico Frumento’s work, which presents an integrated IT-OT assessment and governance model for improved holistic cybersecurity
This approach considers the IT and the physical world as separate with an overlap, – and this resonates with our discussion

Areas of IT-OT security. Source: Ghaznavi, 2017.

Moreover this approach also introduces the idea of evaluating a different dimension of safety, as well as another dimension of trust, which is becoming increasingly relevant in the AI field.

This leads us to a multi-layered cyber risk analysis framework, such as the one depicted in the image below. This framework calls for a comprehensive approach to cybersecurity, covering layers from the geographic and physical levels up to the government layer. Each layer represents a domain of existence and a potential vector for cyber threats, requiring a thorough analysis to secure all fronts.

Cyber-Terrain Model layers. Source: Riley, 2014.
Cyber-Terrain Model layers. Source: Riley, 2014.


Incorporating Safety and Trust into this multi-layered model is a logical step, as it allows us to address the nuanced ways in which different layers can impact human safety.

For instance, a vulnerability at the network layer could compromise the safety of an OT system, leading to real-world consequences. By adding Safety as an explicit layer or dimension to this framework, we ensure that risk analyses account for potential physical harm to individuals and society, not just data and system integrity.

Conclusion

In conclusion, while the CIA Triad has served as a foundational model for cybersecurity and has stood the test of time, the evolution of technology demands that we expand our frameworks to include Safety and Trust.

A multi-layered approach might provide a logical structure for such an expansion, ensuring that we can protect against both digital and physical threats in an increasingly interconnected world.

IS Artificial Intelligence now closer to Human Intelligence?

March 29, 2024 / / 0 Comments

My buddy Fabrizio Cilli (previously a guest on my blog) just shared this with me

Researchers have implemented an “inner monologue” to AI, enabling it to reason through problems much like humans, particularly in complex areas like math.

This innovation marks a significant leap towards bridging the gap between AI and human intelligence, promising a future where AI understands and solves problems on a deeper level. A truly groundbreaking moment in AI development!

Sources:

  • https://www.livescience.com/technology/artificial-intelligence/researchers-gave-ai-an-inner-monologue-and-it-massively-improved-its-performance
  • https://arxiv.org/pdf/2403.09629.pdfhttps://cybersec.cafe/23andme-and-us/
Italian Data Protection Authority on AI
Photo by Andrew Neel

Unraveling the Italian Data Protection Authority on AI One Year Later

March 13, 2024 / / 3 Comments

Italian DPA’s Bold Moves and the Quest for Transparency

In a follow-up to my analysis last year on the geopolitical relevance of Italy’s stance on AI regulation and its constitutional implications, recent developments have underscored the Italian Data Protection Authority’s (Garante per la protezione dei dati personali) determination to be at the forefront of AI oversight. This ambition is manifesting in tangible actions that could set a precedent for AI regulation worldwide.

The Case of SORA: A New Chapter in AI Scrutiny

Recently, the Italian DPA initiated an inquiry into SORA, OpenAI’s latest generative AI model. This move, detailed on the authority’s official website and further discussed by Federprivacy, marks a significant step in the regulatory scrutiny of AI technologies. The investigation aims to assess SORA’s compliance with data protection laws, focusing on the transparency of its operations and the potential risks it poses to user privacy.

This development is part of a broader trend where the Italian Data Protection Authority is ensuring that the deployment of advanced technologies does not compromise fundamental Privacy rights. The DPA’s proactive stance on SORA reaffirms the geopolitical relevance of Italy’s regulatory approach, highlighting its role in shaping the conversation around AI and privacy on the European stage and beyond.

Data Retention Guidelines: A Local Ambition with Global Implications

The Italian DPA’s pursuit of regulatory significance is further highlighted by its latest guidelines on the retention of email metadata within Italy. These guidelines, as elaborated in my LinkedIn post, introduce a layer of complexity for organizations striving to navigate the delicate balance between adhering to privacy protections and meeting cybersecurity obligations under the GDPR’s framework (Article 32).

To simplify, organizations are caught in a challenging position where they must juggle Italian privacy concerns with cybersecurity necessities that are essential for ensuring the broader privacy mandates of the GDPR of data are met. What a genuine headache, indeed!

In short, something went wrong but commendably the DPA acknowledged the issues and opened to dialogue on the guidelines and opened a consultation.

Transparency: The Non-Negotiable Requirement

Given the hiccup with the Data Retention Guidelines, I am particularly encouraged by the DPA’s recognition of the importance of transparency. This acknowledgment shows they have done their homework in understanding how generative AI models operate.

The “black box” nature of most generative AI systems, including SORA, poses significant challenges to accountability and trust. However, in the case of a “black box” model, you cannot demand accountability due to its reliance on deep learning and transformer architectures that identify patterns in training data not evident through traditional statistical methodologies. Instead, the focus must be on transparency.

The Italian DPA’s request on transparency is thus not just a regulatory preference but a fundamental requirement to evaluate generative AI alignment with ethical standards and respect for individual rights.

Strategic Timing: The AI Act Context

In an intriguing twist of timing, the Italian DPA’s recent initiatives, particularly the inquiry into SORA and the issuance of the data retention guidelines, coincide with a pivotal moment in the broader regulatory landscape—the approval of the world’s first major act to regulate AI by European lawmakers.

Is this timing merely coincidental or it highlights the proactive stance of the Italian authority in aligning with and potentially influencing the evolving European regulatory framework for AI?

Conclusion

As we navigate the complexities of integrating AI into societal frameworks, the Italian Data Protection Authority (Garante) reaffirms its ambition to be a significant player on the global privacy and AI regulation chessboard. These commendable efforts are crucial for ensuring that advancements in AI technology are beneficial and equitable for everyone.

The strategic timing of the DPA’s initiatives, particularly in light of the recently approved AI Act by European lawmakers, is far from coincidental. It underscores the Garante’s proactive stance and its potential influence on the evolving European regulatory framework for AI. By moving forward with its initiatives at such a critical juncture, the Italian DPA not only aligns with but also champions the principles the AI Act seeks to uphold, positioning Italy as a frontrunner in the practical implementation of these emerging standards.

As the global community watches, the balance between innovation and individual rights remains delicate. The Italian DPA’s actions serve as a model for navigating this balance, offering valuable insights for others to consider. The future of AI regulation is indeed unfolding before us, with Italy leading the charge towards a future where transparency is not just valued but is seen as an indispensable component of technological advancement.

Exciting Collaborations on the Horizon: Gear Up for Cyber Insights!

Exciting Collaborations on the Horizon: Gear Up for Cyber Insights!

February 19, 2024 / / 2 Comments

Greetings, fellow cyber enthusiast! I’m back!

For those who missed me the reason is to be ascribed to my recent job change.

I’m thrilled to announce that in the next months I will be speaker to a couple of interesting events in Milan. The next one is the 12th of March and of course I’ll talk about AI Cybersecurity.

Back to the main news: in just a few days, I’ll be embarking on a series of captivating collaborations with some esteemed minds in the cybersecurity field in Cybersec.cafe and I’ll be guest of another blog that will be revealed in due time.

Buckle up, because we’re diving deep into valuable insights you won’t want to miss. While I can’t reveal all the surprises just yet, let me assure you that these partnerships will bring together diverse perspectives and a wealth of experience. We’ll be tackling some pressing issues in the world of cyber.

The next guest will be Fabrizio Cilli and he will discuss the 23andMe breach and its implications in terms of shared responsibility in cybersecurity – sorry I won’t disclose more as spoiler is a capital crime nowadays but trust me, you won’t want to miss this!

Stay tuned for further details future announcements.

See you soon!

P.S. Want to be the first to know when the collaborations kick off? Follow me on linkedin and keep an eye out for updates!

Unveiling the OWASP Top 10 for Large Language Models

Unveiling the OWASP Top 10 for Large Language Models

July 31, 2023 / / 0 Comments

I am proud to announce the release of the OWASP Top 10 for Large Language Models (LLM) Applications.

This noteworthy initiative, to which I’ve contributed, is dedicated to outlining a list of vulnerabilities specifically applicable to applications leveraging LLMs.

This document, developed under the umbrella of the OWASP Foundation, targets developers, security experts, and even citizen developers who are building applications using LLM technologies. It aims to provide them with actionable, practical, and concise security guidance.

While acknowledging the potential vulnerabilities inherent to LLMs, this Top 10 guide dives deep into each security risk, discussing their potential impacts, their prevalence, and offering effective mitigation strategies. Each risk is ranked based on its exploitability, prevalence, detectability, and potential harm, providing a comprehensive understanding of the LLM application security landscape.

As a contributor to this significant initiative, I’m extending my heartfelt appreciation to my fellow contributors and the entire OWASP community.

This project could not have been possible without the invaluable expertise and relentless dedication of nearly 475 professionals.

I invite everyone to delve into, share, and apply the OWASP LLM Applications Top 10 in your AI ventures. Let’s ensure the secure and robust deployment of applications that include LLMs.

Here is the link: https://owasp.org/www-project-top-10-for-large-language-model-applications/

© 2025 CyberSec.Cafe