#Log4Shell is showing us that the current state of vulnerability scanning technology is insufficient. Who has ideas on how to improve in a way that would make it possible to properly handle a #log4j event?
@seb I think the number one thing that would have helped us is a *proper* software inventory: vendors, versions, dependencies, libraries, etc, so we could have more easily targeted our efforts.
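A minimal version of the inventory that post is asking for, as an added example (not code from anyone in this thread): it walks a directory tree, reads the Maven coordinates (groupId, artifactId, version) out of every `META-INF/maven/**/pom.properties` inside each JAR, so shaded or fat JARs that bundle a copy of log4j-core are caught too, and then asks the inventory which copies sit below a policy minimum. The sample JARs are constructed in a temp directory, and the minimum version `2.17.1` is an assumed policy input for the example, not a statement from this thread.

```python
import re
import tempfile
import zipfile
from pathlib import Path


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a sortable key: numeric parts first,
    padded to three, then a flag so a pre-release sorts below the bare release."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]([A-Za-z].*))?$", v)
    if not m:
        raise ValueError(f"unparseable version: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    return nums + ((0, m.group(2)) if m.group(2) else (1, ""))


def inventory_jar(jar_path):
    """Return (groupId, artifactId, version, jar) for every Maven pom.properties
    embedded in the JAR; a fat JAR yields one entry per bundled artifact."""
    found = []
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = {}
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    line = line.strip()
                    if line and not line.startswith("#") and "=" in line:
                        key, _, val = line.partition("=")
                        props[key.strip()] = val.strip()
                if {"groupId", "artifactId", "version"} <= props.keys():
                    found.append((props["groupId"], props["artifactId"],
                                  props["version"], str(jar_path)))
    return found


def build_inventory(root):
    """Inventory every *.jar under root (recursively)."""
    inv = []
    for p in Path(root).rglob("*.jar"):
        inv.extend(inventory_jar(p))
    return inv


def find_affected(inventory, group, artifact, fixed_version):
    """Entries for the given artifact whose version is below the policy minimum."""
    fixed = parse_version(fixed_version)
    return [e for e in inventory
            if e[0] == group and e[1] == artifact and parse_version(e[2]) < fixed]


def make_sample_tree(root):
    """Constructed sample data: three JARs with embedded pom.properties files.
    None of these are real artifacts; they only exercise the inventory."""
    samples = {
        "app/lib/log4j-core-2.14.1.jar": [
            ("org.apache.logging.log4j", "log4j-core", "2.14.1")],
        "app/lib/log4j-core-2.17.1.jar": [
            ("org.apache.logging.log4j", "log4j-core", "2.17.1")],
        # fat JAR: its own coordinates plus a bundled, very old log4j-core
        "app/service-all.jar": [
            ("com.example", "service", "1.0"),
            ("org.apache.logging.log4j", "log4j-core", "2.0-beta9")],
    }
    for rel, coords in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            for g, a, v in coords:
                zf.writestr(f"META-INF/maven/{g}/{a}/pom.properties",
                            f"groupId={g}\nartifactId={a}\nversion={v}\n")


def run_demo():
    """Build the sample tree, inventory it, and report log4j-core copies below
    the assumed policy minimum of 2.17.1 as (relative jar path, version)."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        inv = build_inventory(tmp)
        hits = find_affected(inv, "org.apache.logging.log4j", "log4j-core", "2.17.1")
        return sorted((Path(j).relative_to(tmp).as_posix(), v) for _, _, v, j in hits)


if __name__ == "__main__":
    for jar, ver in run_demo():
        print(f"{jar}: log4j-core {ver} is below the policy minimum")
```

Reading the embedded pom.properties rather than trusting the JAR file name is what makes the fat-JAR case work: the copy hiding inside `service-all.jar` would never show up in a filename-based search, and it is exactly the copy that a vendor inventory is most likely to miss.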
@seb 🆗 ➡ 💾 📼 📀
facetious answer: use C#. interestingly i wonder if the log4net library is similarly compromised.
better answer: there are some great resources out there that detail how to exploit, detect, patch & test: https://motasem-notes.net/the-log4j-vulnerability-explained/
the link I sent before explains how nmap and burp can be used to scan for susceptible jars.
perhaps companies will now begin thinking about baking pentesting into the CI/CD pipeline as opposed to an annual pentest audit.
@seb [only partly joking] rewrite it all in Rust-lang, (they have relatively low cases of smugness, despite having all of the "we told you so" high ground.)
@seb you probably want to look at the work of the OpenSSF :)