r/zerotrust

Is “patch faster” enough if sensitive services remain reachable by default?
▲ 3 r/zerotrust+1 crossposts

Is “patch faster” enough if sensitive services remain reachable by default?

We’ve been discussing in the Cloud Security Alliance Zero Trust group how AI-speed vulnerability discovery changes Zero Trust implementation. Time-to-exploit trends suggest defenders have less time to patch exposed services, and CISA’s risk-based remediation approach treats public exposure as a major factor in urgency.

That made me think the architectural question is not only “how do we patch faster?” but also:

Why are so many sensitive services reachable by default in the first place?

My view is that Zero Trust needs to move beyond perimeter/ZTNA framing and focus more on reducing reachability before connection. For private services, admin paths, APIs, workload paths, partner access, and agentic workflows, the safer default should be: no service path exists unless identity, policy, posture/context, and session state allow it.

I wrote this up for CSA here:
https://cloudsecurityalliance.org/blog/2026/07/02/ai-speed-risk-requires-identity-defined-reachability

Disclosure: I’m the author and co-lead CSA’s Zero Trust Networking workstream, so I’m obviously close to the argument. I’m interested in practitioner pushback: is this realistic in enterprise environments, or does it break down with legacy apps, hybrid routing, OT, troubleshooting, or policy operations?

u/PhilipLGriffiths88 — 4 days ago

Applying Zero Trust to Code Analysis: Why I don't trust manifests, file extensions, or you

Hey everyone. I'm an outsider here, but to embrace the spirit of this sub: I don't trust you, and I assume you don't trust me.

I don't trust my dependencies, I don't trust hallucination-prone LLMs, and I don't trust brittle ASTs (Abstract Syntax Trees) that break if the code doesn't perfectly compile.

The problem with modern static analysis is that we blindly trust what a repository claims to be. We take manifest files (like package.json or pom.xml) at face value. We trust that a file ending in .md, .csv, or .json is actually inert text.

That isn't Zero Trust. Taking a manifest at its word leaves your pipeline completely vulnerable to dependency confusion, typosquatting, or spoofed packages.

If we apply true Zero Trust to a codebase, file identities must be confirmed with different levels of evidence. If a file claims to be a plaintext document, we shouldn't just trust the extension. We need to physically verify its identity—looking at execution shebangs, magic bytes, or the presence of specific executable keywords—to prove it's not a disguised shell script or payload.

Manifests should be treated as mere "claims of intent." Their claims must be physically verified against the actual binaries downloaded to the disk before they are allowed to execute.

I wanted something fast enough to scan every PR in full, and to be able to scan every single codebase I download before I ever run it. Because ASTs and LLMs couldn't do this at scale, I built my own open-source zero-trust code scanner. It's on one of the code versioning sites, I'll trust you to figure out the rest.

reddit.com
u/Chunky_cold_mandala — 6 days ago

Any honest reviews of a SASE platform that can actually replace VPN + SD‑WAN?

We’re looking at a major refresh moment: remote access VPN that’s long in the tooth, a WAN that mixes MPLS and random tunnels, and security controls built around the assumption that datacenters are the center of the universe. Naturally, the “one SASE platform to replace VPN + SD‑WAN + a chunk of security” pitch is very appealing. One client for users, tunnels from sites into a nearby edge, and a unified policy model sounds like exactly what the diagrams in my head want.

What I don’t want is to jump into this and then realize in production that we still need the old VPN for oddball use cases or keep a standalone SD‑WAN setup for certain sites because the SASE platform can’t quite handle everything as promised. A long, messy coexistence phase where nothing really goes away is my nightmare scenario.

For anyone who went into a SASE project with the explicit goal of consolidating VPN and SD‑WAN, how close did you actually get? Were the remaining edge cases small enough that you still count it as “replacement,” or did it feel like you just shifted complexity into a new place?

Blunt experiences are more useful to me than high‑level “it’s great” takes. What would you do differently if you were starting your SASE platform rollout again now?

reddit.com
u/Confident-Quail-946 — 10 days ago