Sebastian Lekies
@slekies
Automated Security Scanning & Vulnerability Management @Google
Zürich, Schweiz. Joined October 2011
421 Following, 3.3K Followers, 1.5K posts

Pinned Tweet
Sebastian Lekies @slekies
Today, we announced the official release of OSV-SCALIBR, Google's software composition analysis library. If you are working in vuln management / security scanning, SCALIBR is for you! SCALIBR is powering most of Google's vuln scanning. Please RT security.googleblog.com/2025/01/osv-sc…
Sebastian Lekies @slekies
@RSnake Funnily enough most actively exploited infrastructure vulns don’t even have a CVE or CVSS score assigned.
Robert Hansen @RSnake
Let’s say you use CVSS as your priority system (high to low). Then let’s say you have chosen some artificial cutoff of 7.0 or higher, which is considered “high” and “critical”. This is an actual thing companies have claimed they do, so I’m not making a strawman argument. Do you think attackers will really focus on 7.0 but not 6.9 CVSS scored vulnerabilities? Why the arbitrary cutoff? How do you know you’re right? What if NVD said it was 6.9 and CISA and/or the CNA says it is 7.0, or vice versa? Now extend that thinking to any set of numbers you like. How do you know that that is the right cutoff point, and what evidence do you use to back up that decision? What barometer are you choosing and why? What logic brought you to decide that that “high” and “critical” was the right line in the sand? Or was it entirely a compliance decision and not based on what attackers actually do? Also, if you are one of these companies, have you ever suffered a breach after having embraced that decision?
Sebastian Lekies retweeted
Google VRP (Google Bug Hunters)
Got a knack for security? We've launched a rewards program for OSV-SCALIBR and want your help! Earn cash 💰 for creating new plugins that detect vulnerabilities, secrets, or extract software inventory. bughunters.google.com/blog/655159064…
Sebastian Lekies retweeted
Kévin GERVOT (Mizu) @kevin_mizu
I'm happy to release a script gadgets wiki inspired by the work of @slekies, @kkotowicz, and @sirdarckcat in their Black Hat USA 2017 talk! 🔥 The goal is to provide quick access to gadgets that help bypass HTML sanitizers and CSPs 👇 gmsgadget.com 1/4
Sebastian Lekies retweeted
Google Open Source @GoogleOSS
Protect your systems from leaked credentials! 🚨 We're excited to announce Veles, a new open-source secret and credential scanner from Google. Veles helps you find and fix sensitive data exposures in your source code and artifacts, with more features on the way! Learn how Veles is battle-tested at Google and how it can help secure your organization: goo.gle/veles-scanner #Veles #OpenSource #Security #Cybersecurity #SecretsScanning
Sebastian Lekies @slekies
Veles, Google's new open-source secret scanner, is now available. This tool, built into our SCALIBR scanner, identifies exposed credentials with an extensible architecture for new secret types. We'd love to hear your feedback and answer any questions. opensource.googleblog.com/2025/07/stop-l…
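The tweet above mentions an "extensible architecture for new secret types". The Go program below is an added example written for this page, not Veles's code or API: it shows the detector-plugin pattern a scanner of that kind is built around, with a Detector interface, a generic regex detector that carries an optional validator, and a registry that a new secret type is added to. The two patterns, the Shannon-entropy threshold used to reject placeholder values, and the sample config file are this example's own assumptions; the sample contains no real credentials.

```go
package main

import (
	"bytes"
	"fmt"
	"math"
	"regexp"
	"sort"
)

// Finding is one candidate secret located in the scanned content.
type Finding struct {
	Detector string // detector that produced it
	Line     int    // 1-based line number
	Value    string // matched text (redact before logging in real use)
}

// Detector is the plugin interface: every secret type is its own detector, so
// supporting a new credential format means adding one implementation to the registry.
type Detector interface {
	Detect(content []byte) []Finding
}

// regexDetector is a generic detector driven by a pattern plus an optional
// validator that rejects matches with the right shape but obviously fake content.
type regexDetector struct {
	name     string
	re       *regexp.Regexp
	validate func(match string) bool
}

func (d regexDetector) Detect(content []byte) []Finding {
	var out []Finding
	for _, loc := range d.re.FindAllIndex(content, -1) {
		match := string(content[loc[0]:loc[1]])
		if d.validate != nil && !d.validate(match) {
			continue
		}
		line := 1 + bytes.Count(content[:loc[0]], []byte{'\n'})
		out = append(out, Finding{Detector: d.name, Line: line, Value: match})
	}
	return out
}

// shannonEntropy returns bits of entropy per character: a placeholder such as
// "XXXXXXXXXXXXXXXX" scores 0, randomly generated key material scores above 3.
func shannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n := float64(len([]rune(s)))
	h := 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// detectors is the registry. The patterns are this example's own: AWS long-term
// access key IDs are "AKIA" plus 16 upper-case alphanumerics (the entropy check
// runs over those 16 characters), and PEM private keys announce themselves.
var detectors = []Detector{
	regexDetector{
		name:     "aws-access-key-id",
		re:       regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`),
		validate: func(m string) bool { return shannonEntropy(m[4:]) >= 3.0 },
	},
	regexDetector{
		name: "pem-private-key",
		re:   regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH |DSA |)PRIVATE KEY-----`),
	},
}

// Scan runs every registered detector over the content and returns the
// findings in line order.
func Scan(content []byte) []Finding {
	var all []Finding
	for _, d := range detectors {
		all = append(all, d.Detect(content)...)
	}
	sort.Slice(all, func(i, j int) bool { return all[i].Line < all[j].Line })
	return all
}

// sampleConfig is a constructed input, not real credentials: a documentation-style
// key ID, a placeholder that must not be reported, and a truncated PEM block.
const sampleConfig = `# deploy.env (constructed sample)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
EXAMPLE_KEY_ID=AKIAXXXXXXXXXXXXXXXX
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA...
`

func main() {
	for _, f := range Scan([]byte(sampleConfig)) {
		fmt.Printf("%-18s line %d: %s\n", f.Detector, f.Line, f.Value)
	}
}
```

The validator hook is where false-positive control lives: the placeholder on line 3 has the right shape but zero entropy in its random part and is dropped, while the documentation-style key on line 2 and the PEM header on line 4 are reported. A production scanner would add per-type validators (checksums, live verification) behind the same interface.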
Sebastian Lekies retweeted
Andrey Kovalev @avkovaleff
Today Google announced a new OSV-SCALIBR: a library for software composition analysis. It allows you to extract software dependencies, generate SBOMs and scan them via osv.dev! More details in our blog post: security.googleblog.com/2025/01/osv-sc…
Sebastian Lekies retweeted
Eduard Kovacs @EduardKovacs
Google releases OSV-SCALIBR, an open source library for software composition analysis and file system scanning. securityweek.com/google-release…
Sebastian Lekies retweeted
The Nimble Nerd @TheNimbleNerd
Google’s New OSV-SCALIBR: Your Software’s Superhero or Just Another Sidekick? Hot Take: Google's OSV-SCALIBR: Because keeping tabs on your software vulnerabilities should be as easy as keeping tabs on your ex's Instagram story. With this new tool, Google is basically saying, "Don't worry, we got your back (and your code's back)!" buff.ly/42jkbj7
Sebastian Lekies @slekies
SCALIBR is a library that allows you to enumerate all software installed in a given file system, such as containers, VMs, running machines, or code repositories. Additionally, it offers extensible vulnerability scanning capabilities. Reach out in case you have questions.
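The tweet above describes what a software composition analysis library does: walk a filesystem, run format-specific extractors over the files they recognise, and hand the resulting inventory to a vulnerability source. The Go program below is an added example written for this page, not OSV-SCALIBR's code or API. It shows the shape of that pipeline with two hand-written extractors (pip requirements pins and Debian's dpkg status database, including the check that skips removed packages), an in-memory filesystem standing in for a container root, and the request body for osv.dev's public /v1/querybatch endpoint. The sample files are constructed, and hard-coding the bare "Debian" ecosystem without a release suffix is a simplification noted in the code.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"strings"
	"testing/fstest"
)

// Package is one inventory entry, named the way osv.dev expects it.
type Package struct {
	Name      string `json:"name"`
	Ecosystem string `json:"ecosystem"`
	Version   string `json:"-"` // sent as a separate field of the OSV query
}

// extractors maps the path suffix of an artefact file to the function that
// parses it; adding a format is adding one entry (a real library would use a plugin interface).
var extractors = map[string]func(data []byte) []Package{
	"/requirements.txt":    extractRequirements,
	"/var/lib/dpkg/status": extractDpkg,
}

// extractRequirements keeps exact "name==version" pins; a range like "flask>=2.0" is not an installed version.
func extractRequirements(data []byte) []Package {
	var out []Package
	for _, line := range strings.Split(string(data), "\n") {
		if name, ver, ok := strings.Cut(strings.TrimSpace(line), "=="); ok && !strings.HasPrefix(name, "#") {
			out = append(out, Package{Name: strings.ToLower(name), Ecosystem: "PyPI", Version: ver})
		}
	}
	return out
}

// field returns the value of "Key: value" in a dpkg control stanza, or "".
func field(stanza, key string) string {
	for _, line := range strings.Split(stanza, "\n") {
		if strings.HasPrefix(line, key+": ") {
			return strings.TrimPrefix(line, key+": ")
		}
	}
	return ""
}

// extractDpkg reads Debian's installed-package database. Real scanners qualify the
// ecosystem with the release ("Debian:12") from /etc/os-release; this example hard-codes the bare name.
func extractDpkg(data []byte) []Package {
	var out []Package
	for _, stanza := range strings.Split(string(data), "\n\n") {
		name, ver := field(stanza, "Package"), field(stanza, "Version")
		// "deinstall ok config-files" stanzas describe removed packages; skip them.
		if name != "" && ver != "" && strings.HasSuffix(field(stanza, "Status"), " installed") {
			out = append(out, Package{Name: name, Ecosystem: "Debian", Version: ver})
		}
	}
	return out
}

// Inventory walks a filesystem root (container image, VM disk, checkout) and runs the extractor registered for each file.
func Inventory(root fs.FS) ([]Package, error) {
	var inv []Package
	err := fs.WalkDir(root, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		for suffix, extract := range extractors {
			if strings.HasSuffix("/"+p, suffix) {
				data, err := fs.ReadFile(root, p)
				if err != nil {
					return err
				}
				inv = append(inv, extract(data)...)
			}
		}
		return nil
	})
	return inv, err
}

// OSVQueryBatch builds the body for POST https://api.osv.dev/v1/querybatch, one
// query per inventory entry. Sending it is left to the caller so this runs offline.
func OSVQueryBatch(inv []Package) ([]byte, error) {
	queries := make([]map[string]any, 0, len(inv))
	for _, p := range inv {
		queries = append(queries, map[string]any{"package": p, "version": p.Version})
	}
	return json.Marshal(map[string]any{"queries": queries})
}

// sampleRoot is a constructed in-memory filesystem standing in for a container root.
var sampleRoot = fstest.MapFS{
	"app/requirements.txt": {Data: []byte("# pinned deps\nrequests==2.25.0\nflask>=2.0\nPyYAML==5.3.1\n")},
	"var/lib/dpkg/status":  {Data: []byte("Package: openssl\nStatus: install ok installed\nVersion: 3.0.11-1~deb12u2\n\nPackage: curl\nStatus: deinstall ok config-files\nVersion: 7.88.1-10\n")},
}

func main() {
	inv, _ := Inventory(sampleRoot)
	body, _ := OSVQueryBatch(inv)
	fmt.Printf("%d packages: %s\n", len(inv), body)
}
```

Running it yields three inventory entries (requests, pyyaml, openssl); curl is left out because its dpkg stanza records a removed package, and the flask range is not an installed version. Pointing `Inventory` at `os.DirFS("/")` instead of the MapFS is what turns this into a scan of a mounted image or a running host.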
Sebastian Lekies retweeted
Clint Gibler @clintgibler
⚒️ SCALIBR (Software Composition Analysis Library) An extensible file system scanner used to extract software inventory data (e.g. installed language packages) and detect vulnerabilities By @Google github.com/google/osv-sca…
Sebastian Lekies retweeted
Richard Seroter @rseroter
"OSV-SCALIBR combines Google’s internal vulnerability management expertise into one scanning library with significant new capabilities ..." security.googleblog.com/2025/01/osv-sc… < it's open source, and you can use what Google uses for software composition analysis
Sebastian Lekies @slekies
@we1x @arthursonzogni @manicode I.e. start with opt-out, after x years you have to opt in and after another x years you drop that too. What’s an acceptable usage percentage to phase out a browser feature btw?
Sebastian Lekies @slekies
@we1x @arthursonzogni @manicode There seems to be a deprecation problem for outdated web tech. Would be nice if there was a mechanism / policy / standard that allows browser vendors to phase out old tech. Opt-out seems to be the easiest, but I wonder if the opt-out could be turned into opt-in over time.
Lukas Weichselbaum @we1x
I wish we could deprecate javascript: URIs which are one of the few remaining XSS vectors for modern SPAs. Until then we can use CSP to disable javascript: URIs. Here's a prototype for a refactoring free strict & hash-based CSP that does that: github.com/google/strict-…
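The tweet above rests on two CSP facts: a javascript: URI counts as inline script, so it needs 'unsafe-inline' in script-src to run, and once script-src carries a hash (or nonce) a CSP2+ browser ignores 'unsafe-inline', so nothing is left that could allow the URI while the page's own inline scripts keep working unchanged. The Go program below is an added example written for this page, not the prototype linked in the tweet: it generates a hash-based strict policy for a page's inline scripts and checks any policy string against those two rules. The sample page, the fallback sources kept for old browsers, and the decision not to model CSP3's 'unsafe-hashes' are this example's assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// scriptRe captures <script ...>body</script>; group 1 is the attribute list
// (may be empty), group 2 the exact body between the tags.
var scriptRe = regexp.MustCompile(`(?is)<script(\s[^>]*)?>(.*?)</script>`)

// srcAttrRe tells an external script (not hashable) from an inline one.
var srcAttrRe = regexp.MustCompile(`(?i)\ssrc\s*=`)

// InlineScriptHashes returns one 'sha256-...' source expression per inline
// script. The digest covers the exact bytes between the tags, so the page
// keeps working unchanged ("refactoring free") but any edit to a script,
// even whitespace, needs a regenerated policy.
func InlineScriptHashes(html string) []string {
	var out []string
	for _, m := range scriptRe.FindAllStringSubmatch(html, -1) {
		if srcAttrRe.MatchString(m[1]) {
			continue // external script: allowed by 'strict-dynamic' at load time, not by hash
		}
		sum := sha256.Sum256([]byte(m[2]))
		out = append(out, "'sha256-"+base64.StdEncoding.EncodeToString(sum[:])+"'")
	}
	return out
}

// StrictCSP assembles the hash-based strict policy for a page. Inline scripts
// are allowed by hash, scripts they create are allowed by 'strict-dynamic',
// and everything else that counts as inline script, javascript: URIs included,
// is blocked. https: and 'unsafe-inline' stay in only as a fallback for old
// browsers: a CSP2+ browser ignores 'unsafe-inline' once a hash is present.
func StrictCSP(html string) string {
	sources := append([]string{"'strict-dynamic'"}, InlineScriptHashes(html)...)
	sources = append(sources, "https:", "'unsafe-inline'")
	return "script-src " + strings.Join(sources, " ") + "; object-src 'none'; base-uri 'none'"
}

// AllowsJavascriptURI reports whether a policy lets a javascript: URI run, using
// two CSP rules: javascript: navigation is inline script, so it needs an
// effective 'unsafe-inline' in script-src (default-src as fallback); and any
// nonce or hash source in that directive makes 'unsafe-inline' ignored.
// CSP3's 'unsafe-hashes' is not modelled.
func AllowsJavascriptURI(policy string) bool {
	dirs := map[string][]string{}
	for _, d := range strings.Split(policy, ";") {
		if f := strings.Fields(d); len(f) > 0 {
			dirs[strings.ToLower(f[0])] = f[1:]
		}
	}
	srcs, ok := dirs["script-src"]
	if !ok {
		srcs, ok = dirs["default-src"]
	}
	if !ok {
		return true // no governing directive: nothing restricts script
	}
	unsafeInline := false
	for _, s := range srcs {
		s = strings.ToLower(s)
		if strings.HasPrefix(s, "'nonce-") || strings.HasPrefix(s, "'sha256-") ||
			strings.HasPrefix(s, "'sha384-") || strings.HasPrefix(s, "'sha512-") {
			return false
		}
		if s == "'unsafe-inline'" {
			unsafeInline = true
		}
	}
	return unsafeInline
}

// samplePage is a constructed page: one inline bootstrap script, one external
// script, and a javascript: link of the kind an XSS payload would inject.
const samplePage = `<!doctype html>
<html><head>
<script>window.__cfg = {api: "/v1"};</script>
<script src="/static/app.js"></script>
</head><body>
<a href="javascript:alert(document.domain)">click</a>
</body></html>`

func main() {
	policy := StrictCSP(samplePage)
	fmt.Println("Content-Security-Policy: " + policy)
	fmt.Println("javascript: URIs allowed:", AllowsJavascriptURI(policy))
	fmt.Println("javascript: URIs allowed with 'unsafe-inline' only:", AllowsJavascriptURI("script-src 'self' 'unsafe-inline'"))
}
```

The generated header has to be recomputed whenever an inline script changes, which is the trade-off against nonces: hashes need no template changes but tie the policy to the exact script bytes. The checker is deliberately conservative about a policy with no script-src or default-src at all, which leaves javascript: URIs (and everything else) unrestricted.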