sheetsj’s avatarsheetsj’s Twitter Archive—№ 2,649

    1. The Struts2 scenario that brought down Equifax could really happen anywhere: arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/
      Permalink On twitter.com Twitter logo sheetsj’s avatar ♻️ 3 Retweets ❤️ 4 Favorites Mood 0
  1. …in reply to @sheetsj
    "The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack"
    On twitter.com Twitter logo sheetsj’s avatar ♻️ 1 Retweets Mood -3 🙁
    1. …in reply to @sheetsj
      Companies have very little time to react. Especially hard at very large organizations with hundreds of legacy production applications
      Permalink On twitter.com Twitter logo sheetsj’s avatar Mood -1 🙁
      1. …in reply to @sheetsj
        The scenario affecting Struts2 can easily be applied to Spring/Grails/Play/etc... All have routine patches to fix vulnerabilities
        Permalink On twitter.com Twitter logo sheetsj’s avatar ♻️ 1 Retweets ❤️ 1 Favorite Mood 0
        1. …in reply to @sheetsj
          The key is to have processes and procedures in place to quickly rebuild and redeploy and regression test applications
          Permalink On twitter.com Twitter logo sheetsj’s avatar ❤️ 2 Favorites Mood 0
          1. …in reply to @sheetsj
            But also to internally rank applications on level of criticality and priority for updates
            Permalink On twitter.com Twitter logo sheetsj’s avatar ❤️ 2 Favorites Mood 0
            1. …in reply to @sheetsj
              e.g. A grocery store list app -- low priority. A stock trading app -- pretty critical.
              Permalink On twitter.com Twitter logo sheetsj’s avatar ❤️ 1 Favorite Mood +1 🙂
              1. …in reply to @sheetsj
                there are tools to help - starting with a dependency tracking tool like Artifactory or Nexus to have an inventory libraries
                Permalink On twitter.com Twitter logo sheetsj’s avatar Mood +4 🙂
                1. …in reply to @sheetsj
                  implementing a continuous delivery/integration pipeline should also be at the top of your list
                  Permalink On twitter.com Twitter logo sheetsj’s avatar ❤️ 1 Favorite Mood +2 🙂
                  1. …in reply to @sheetsj
                    and major props to @TheApacheStruts for being open and quick in their response @TheASF/908284325044436992
                    Permalink On twitter.com Twitter logo sheetsj’s avatar Mood 0
                    1. …in reply to @sheetsj
                      @TheApacheStruts Great writeup on how the issue isn't OS tools. Open Source is actually what helps to patch these holes faster blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
                      Permalink On twitter.com Twitter logo sheetsj’s avatar Mood +5 🙂
                      1. …in reply to @sheetsj
                        @TheApacheStruts "there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years"
                        Permalink On twitter.com Twitter logo sheetsj’s avatar Mood -3 🙁
                        1. …in reply to @sheetsj
                          @TheApacheStruts
                          oh my god twitter doesn’t include alt text from images in their API
                          Permalink On twitter.com Twitter logo sheetsj’s avatar ❤️ 1 Favorite Mood 0
                          1. …in reply to @sheetsj
                            Look at @VersionEye and jeremylong.github.io/DependencyCheck/ as tools to auto-scan and notify for vulnerable libraries on your projects
                            Permalink On twitter.com Twitter logo sheetsj’s avatar ❤️ 2 Favorites Mood -2 🙁
                            1. …in reply to @sheetsj
                              It’s not easy, but quick detection & notification, fast patching, auto regression tests, and timely deploys are the new norm
                              Permalink On twitter.com Twitter logo sheetsj’s avatar Mood -1 🙁
                              1. …in reply to @sheetsj
                                To be clear - this applies to Node, Ruby, C#, Python, just as much as Java. Security holes happen. So we must plan for them.
                                Permalink On twitter.com Twitter logo sheetsj’s avatar Mood +1 🙂
                                1. …in reply to @sheetsj
                                  Adding another tool snyk.io/ to the thread - thanks @mrbusche
                                  Permalink On twitter.com Twitter logo sheetsj’s avatar ❤️ 1 Favorite Mood +2 🙂
                                  1. …in reply to @sheetsj
                                    Adding two more security scanning / checking tools to the thread: @black_duck_sw and @Checkmarx
                                    Permalink On twitter.com Twitter logo sheetsj’s avatar ❤️ 2 Favorites Mood 0