Art Manion (@zmanion)
1.4K posts
https://t.co/fImt9JTwbm
Joined August 2011
580 Following, 670 Followers
Art Manion (@zmanion):
Only weeks away, if you can sort out travel or are maybe relatively near Utrecht, a boutique, high-quality vulnerability measurement and prediction festival: first.org/events/colloqu…
Robert Graham (@robertgraham):
What's this Entra thing everyone keeps talking about? No, I don't want a Google or ChatGPT answer, I want YOUR answer.
Dave Aitel (@daveaitel):
@zmanion @arekfurt I mean there's no way ppl should be selling php based firewall appliances but it also demonstrates the weakness of any process based liability mechanism.
Brian in Pittsburgh (@arekfurt):
Two central themes that my thoughts on software liability repeatedly come back to centering on are: 1. A tiered system of software warranty/attestation levels for makers to choose from. 2. Focusing lower tiers squarely on mass exploitation vuln vectors + patching practices.
Art Manion (@zmanion):
@arekfurt IMO measuring *product* liability is difficult, because measuring *product* security is difficult, so an option is to measure vendor/supplier/producer behaviors: transparency about vulnerability reports, fixes (delivered securely), EOL, SBOM/dependencies
Art Manion (@zmanion):
@pyotam2 @sonatype Fundamentally I really don't like using a *vulnerability* ID for malware. Seems like CVE will continue to allow assignments for trojans/backdoors (surprising and unwanted software behavior + security impact) but not for "straight up" malware (which can be a relative label)
Yotam Perkal (@pyotam2):
What do you think? Is a malicious package a vulnerability? Should every malicious package be assigned a CVE? P.S: The @sonatype "State of the Software Supply Chain" report: sonatype.com/hubfs/9th-Annu… [6/6]
Yotam Perkal (@pyotam2):
The #xz/#liblzma backdoor is the ONLY package out of 245,032 malicious packages identified in 2023 (see report below) that was assigned a CVE (CVE-2024-3094, with the corresponding CWE-506 - Embedded Malicious Code). But should a malicious package be assigned a CVE? A 🧵 [1/6]
Yotam Perkal (@pyotam2):
A bad actor uploading 1000 malicious packages to PyPI today can be the one uploading 1000 other malicious packages to NPM tomorrow. The MAL index in osv.dev, basically the only source for malicious package activity, only contains 18.3K malicious packages. [5/6]
Aren LeBrun (@arenrlebrun):
@TGreg72 I hear you. In theory I’d agree. But the delivery system of social media apps—meaning phones, devices whose use literally requires (thus encourages) physical isolation and inertia—makes them damaging to users by default. Not much we can do about it.
Aren LeBrun (@arenrlebrun):
This could very well be true, I don’t know. All apps are evil. I’m afraid the worst one might be Facebook, though, which is quietly chewing up seniors’ brains and literacy beyond recognition.

    Quoted: Brendan Carr (@BrendanCarrFCC):
    In America, TikTok pushes videos to kids that promote self-harm, eating disorders, and suicide. In China, the version of TikTok available there, the app shows young kids science experiments, museum exhibits, and other educational material.
Andrew Morris (afk) (@Andrew___Morris):
now that I get to work with computers again I'm writing a new GN vuln API that gives our customers the ability to quickly grab the list of all the vulns we've observed being exploited in the wild and I have a whole new appreciation for how FUCKED vulnerability ontologies are
Art Manion (@zmanion):
@robertgraham "We use this" and "the way we use it is vulnerable" can be independent, and we might not know or tell if it's vulnerable, but with SBOM at least you can ask, investigate on your own, or maybe augment your purchasing decisions.
Robert Graham (@robertgraham):
@zmanion Why would a vendor with SBOM tell you if the component is vulnerable? How is this different if there was no SBOM? :-)
Robert Graham (@robertgraham):
This is actually an example why SBOMs won't help. Sure, there's a lot of old ("unpatched") software here, but there's no indication that any of it is exploitable. If it doesn't accept "CAB" files from outside sources, then it doesn't matter how vulnerable "cabextract" is.

    Quoted: Allan is @allanfriedman on bsky & infosec.exchange (@allanfriedman):
    The question "I have an #SBOM. Now what?" is a legitimate one, and more tools and use cases emerge every day. But this basic analysis from @GossiTheDog on what's in Avanti tells a pretty clear story of why we need transparency for our software NOW.
fsck (@threesals):
@zmanion @daveaitel physical ICS such as the PSA appliances don't have a way to do this imo, the only storage media available is the SATA for the harddrive cmiiw
Art Manion (@zmanion):
Anyone who operates a physical Ivanti ICS device: How do you boot it from known-good media? E.g., an external USB drive, a reasonably secure boot loader, minimal ROM image?
Art Manion (@zmanion):
@fortraofficial as a CNA, you have the first opportunity to assign and publish a CVE ID. If you choose not to, another CNA can act. Also, silent patches rarely are.

    Quoted: Joel Land (@joel_land):
    @fortraofficial @Horizon3ai @stephenfewer Looking into the fix for CVE-2024-0204 and it's clear that the root issue is the path traversal "/..;/" -- this was not fixed in GoAnywhere MFT 7.4.1. However, it does appear to be fixed in 7.4.2, though another silent fix. Any CVE yet?
Allan is @allanfriedman on bsky & infosec.exchange (@allanfriedman):
This extract from a @daveaitel rant is a great summary of what we have been trying to say for years. 1) SBOM will not solve all your problems 2) But if you can't produce an SBOM, should be a major deal-ending red flag!

    Quoted: Ravi Nayyar (@ravirockks):
    'Buyers evaluating the risks associated with those components require information not typically included within the SBOM, so external enrichment is needed.' 'The inability or unwillingness to supply an SBOM should be considered a significant warning.'
Art Manion (@zmanion):
@truekonrads @allanfriedman @daveaitel Another option is to tell only customers, under whatever sort of support login terms of service. Or keep the SBOM secret, but you really better actually have SBOM when it matters. In some sense sharing SBOM with customers could be a degree of risk transfer.
Art Manion (@zmanion):
@WeldPond @A_P_Delchi suppliers are the least cost avoider, also I bet suppliers would prefer to manage the notification vs. have a regulator/legally-mandated third-party come calling
Chris Wysopal @ RSAC (@WeldPond):
@A_P_Delchi It will be more efficient for a supplier to publish a breach SBOM to their downstream customers than answer email. They can make it authenticated to only customers that have a contract that stipulates they need to provide this information.
Chris Wysopal @ RSAC (@WeldPond):
After the Okta breach our customers are asking if we or any of our 3rd party suppliers are affected. Sending emails to suppliers is so inefficient. We need an SBOM for 3rd party services that can have status by breach ID. Is there even a Common Breach Enumeration?
Art Manion (@zmanion):
@wdormann I'd rather have a CVE ID for "something under investigation that sure seems like one or more new vulnerabilities" than no CVE ID or the ID is delayed until fixes are released.