sheetsj’s Twitter Archive—№ 2,677

The Struts2 scenario that brought down Equifax could really happen anywhere: arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/
Permalink On twitter.com ♻️ 3 Retweets ❤️ 4 Favorites 2017 Sep 28 Mood 0

…in reply to @sheetsj
"The flaw in the Apache Struts framework was fixed on March 6. Three days later, the bug was already under mass attack"
Permalink On twitter.com ♻️ 1 Retweets 2017 Sep 28 Mood -3 🙁

…in reply to @sheetsj
Companies have very little time to react. Especially hard at very large organizations with hundreds of legacy production applications
Permalink On twitter.com 2017 Sep 28 Mood -1 🙁

…in reply to @sheetsj
The scenario affecting Struts2 can easily be applied to Spring/Grails/Play/etc... All have routine patches to fix vulnerabilities
Permalink On twitter.com ♻️ 1 Retweets ❤️ 1 Favorite 2017 Sep 28 Mood 0

…in reply to @sheetsj
The key is to have processes and procedures in place to quickly rebuild and redeploy and regression test applications
Permalink On twitter.com ❤️ 2 Favorites 2017 Sep 28 Mood 0

…in reply to @sheetsj
But also to internally rank applications on level of criticality and priority for updates
Permalink On twitter.com ❤️ 2 Favorites 2017 Sep 28 Mood 0

…in reply to @sheetsj
e.g. A grocery store list app -- low priority. A stock trading app -- pretty critical.
Permalink On twitter.com ❤️ 1 Favorite 2017 Sep 28 Mood +1 🙂

…in reply to @sheetsj
there are tools to help - starting with a dependency tracking tool like Artifactory or Nexus to have an inventory libraries
Permalink On twitter.com 2017 Sep 28 Mood +4 🙂

…in reply to @sheetsj
implementing a continuous delivery/integration pipeline should also be at the top of your list
Permalink On twitter.com ❤️ 1 Favorite 2017 Sep 28 Mood +2 🙂

…in reply to @sheetsj
and major props to @TheApacheStruts for being open and quick in their response @TheASF/908284325044436992
Permalink On twitter.com 2017 Sep 28 Mood 0

…in reply to @sheetsj
@TheApacheStruts Great writeup on how the issue isn't OS tools. Open Source is actually what helps to patch these holes faster blogs.apache.org/foundation/entry/apache-struts-statement-on-equifax
Permalink On twitter.com 2017 Sep 28 Mood +5 🙂

…in reply to @sheetsj
@TheApacheStruts "there is a huge difference between detecting a flaw after nine years and knowing about a flaw for several years"
Permalink On twitter.com 2017 Sep 28 Mood -3 🙁

…in reply to @sheetsj
@TheApacheStruts
Permalink On twitter.com ❤️ 1 Favorite 2017 Sep 28 Mood 0

…in reply to @sheetsj
Look at @VersionEye and jeremylong.github.io/DependencyCheck/ as tools to auto-scan and notify for vulnerable libraries on your projects
Permalink On twitter.com ❤️ 2 Favorites 2017 Sep 29 Mood -2 🙁

…in reply to @sheetsj
It’s not easy, but quick detection & notification, fast patching, auto regression tests, and timely deploys are the new norm
Permalink On twitter.com 2017 Sep 29 Mood -1 🙁

…in reply to @sheetsj
To be clear - this applies to Node, Ruby, C#, Python, just as much as Java. Security holes happen. So we must plan for them.
Permalink On twitter.com 2017 Sep 29 Mood +1 🙂

…in reply to @sheetsj
Adding another tool snyk.io/ to the thread - thanks @mrbusche
Permalink On twitter.com ❤️ 1 Favorite 2017 Sep 29 Mood +2 🙂

…in reply to @sheetsj
Adding two more security scanning / checking tools to the thread: @black_duck_sw and @Checkmarx
On twitter.com ❤️ 2 Favorites 2017 Oct 2 Mood 0