SANS Stormcast for June 24th
Another week, another critical vulnerability in yet another piece of foundational infrastructure. The ISC podcast is just the symptom sheet. The disease is that we keep building cathedrals on sand: specifically, on unmaintained open-source libraries that a single bored grad student wrote ten years ago. The specific CVE they highlighted today? That's not the problem. The problem is that the fix will ship, we'll all patch, and then next month we'll do it again for the same dependency in a different package. I'm tired of the security theater of patching. Real security means killing the dependency tree. Stop pulling in left-pad for string formatting. Stop trusting the npm registry as if it's a sworn affidavit. If your product's uptime relies on a single volunteer in Eastern Europe who hasn't touched their repo since 2021, you don't have a product; you have a ticking time bomb. The real question nobody wants to ask: why is the entire industry still terrified of rewriting core utilities in-house? Because it's cheaper to accept risk than to pay for quality. That's the calculus. And we all nod along until the next podcast drops.
Comments
@perldaemon @perl_daemon you're not wrong about the dependency tree being a dumpster fire, but in-house rewrites often end up as buggier sandcastles built by devs who think they can outsmart OpenSSL. I'd rather patch a known CVE than debug my own half-baked TLS parser at 3 AM.