Conversation

Viss (viss@mastodon.social)'s status on Wednesday, 27-Nov-2024 05:59:51 JST Viss @mttaggart I get the impression that this is the result of a bunch of orgs all getting the ability to spin off CVEs, and people somehow treating that shit like it's clout / follower count, and buttonmashing to produce as many as possible to 'look good'
Taggart :donor: (mttaggart@infosec.exchange)'s status on Wednesday, 27-Nov-2024 05:59:51 JST Taggart :donor: @Viss And the growth of bug bounty
Josh Bressers (joshbressers@infosec.exchange)'s status on Wednesday, 27-Nov-2024 05:59:51 JST Josh Bressers @mttaggart @Viss All the 2024 CVE growth has been WordPress plugin bug bounty sites (like Wordfence) and the Linux kernel.
Viss (viss@mastodon.social)'s status on Wednesday, 27-Nov-2024 05:59:52 JST Viss @mttaggart Specifically PHP - I can't say - but, like, clearly yes - otherwise why would XSS be 'the worst' right now?
Taggart :donor: (mttaggart@infosec.exchange)'s status on Wednesday, 27-Nov-2024 05:59:52 JST Taggart :donor: @Viss Okay here we go:
https://cwe.mitre.org/top25/archive/2024/2024_methodology.html
This is about CVE inflation as much as anything.
Viss (viss@mastodon.social)'s status on Wednesday, 27-Nov-2024 05:59:53 JST Viss @mttaggart The grim reality we all have to ask ourselves is "are we actually making a difference?"
I've been at it since 2008 and back then XSS wasn't 'the worst', but it is now? This suggests things are getting worse, not better.
Taggart :donor: (mttaggart@infosec.exchange)'s status on Wednesday, 27-Nov-2024 05:59:53 JST Taggart :donor: @Viss Yeahhh I'm kind of at a low point on that particular wave right now. Doesn't really seem like it's working.
But this is counterintuitive. XSS should have decreased in scariness just by dint of new frameworks becoming default. What is going on here?
Viss (viss@mastodon.social)'s status on Wednesday, 27-Nov-2024 05:59:53 JST Viss @mttaggart Every time we make shit easier for people who don't know how to computer, they go and set the building on fire. And we never learn.
First it was the cloud - removing professionals because they tell folks shit they don't wanna hear.
Now it's AI - removing developers, because they tell folks shit they don't wanna hear.
So people who don't know shit about computers can function without sys/net admins, infosec or coders? No human to say 'uh, that'll set the building on fire'?
weeeeeeeeelp
Taggart :donor: (mttaggart@infosec.exchange)'s status on Wednesday, 27-Nov-2024 05:59:53 JST Taggart :donor: @Viss With specific regard to web vulns though: wtf? Are more people building crap in unsafe PHP today? It makes no sense how XSS could get "worse," whatever that means.
Taggart :donor: (mttaggart@infosec.exchange)'s status on Wednesday, 27-Nov-2024 05:59:54 JST Taggart :donor: Wild to me that in 2024 (almost 2025!) Cross-Site Scripting remains the "most dangerous" CWE, when there is literally a correct and built-in mitigation for it.
https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html
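The "correct and built-in mitigation" the root post refers to is context-aware output encoding, which modern view frameworks apply to every interpolated value by default and only let you bypass through an explicit opt-out. The following is an added example, not code from the thread or from any framework: a minimal tagged-template renderer that escapes by default, shown next to the string-concatenation pattern that keeps producing XSS CVEs in plugin-style PHP. The payloads and the `trusted()` opt-out are constructed for the demo; `looksExploitable` is a crude string heuristic used only to make the difference checkable, not a real XSS detector.

```javascript
// Added example (not from the thread or any framework): default-on HTML
// escaping vs. raw string concatenation, and the opt-out that reintroduces XSS.

// Escape a value for the HTML text and double-quoted attribute contexts.
// This is NOT sufficient for JavaScript-string, URL or CSS contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Wrapper for markup the developer explicitly declares safe (the analogue of a
// framework's "dangerously set inner HTML" escape hatch). Only values wrapped
// this way bypass escaping; everything else is encoded.
class TrustedHtml {
  constructor(markup) {
    this.markup = markup;
  }
}
const trusted = (markup) => new TrustedHtml(markup);

// Tagged template literal: the static parts are emitted verbatim, every
// interpolated value is escaped unless it is TrustedHtml.
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((v, i) => {
    out += (v instanceof TrustedHtml ? v.markup : escapeHtml(v)) + strings[i + 1];
  });
  return out;
}

// Constructed attacker inputs (hypothetical stored "display name" values).
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';   // element context
const ATTR_PAYLOAD = '" autofocus onfocus="alert(1)';              // attribute breakout

// 1. Concatenation with no encoding: the pattern behind most plugin XSS reports.
function renderUnsafe(displayName) {
  return "<p>Welcome, " + displayName + "</p>";
}

// 2. The same template through the default-escaping renderer.
function renderSafe(displayName) {
  return html`<p>Welcome, ${displayName}</p>`;
}

// 3. Quoted attribute context: the quote in the payload is encoded, so the
//    attacker cannot close the attribute and add an event handler.
function renderAttr(displayName) {
  return html`<input name="who" value="${displayName}">`;
}

// 4. Opt-out misuse: wrapping untrusted data in trusted() is the one way the
//    framework path produces exactly the unsafe output again.
function renderOptedOut(displayName) {
  return html`<p>Welcome, ${trusted(displayName)}</p>`;
}

// Crude heuristic for the demo only: a raw <img> tag or a raw on*="..." handler
// in the output means untrusted markup reached the page unencoded.
function looksExploitable(rendered) {
  return /<img\b|\bon\w+\s*="/i.test(rendered);
}

console.log("unsafe   :", renderUnsafe(PAYLOAD), looksExploitable(renderUnsafe(PAYLOAD)));
console.log("safe     :", renderSafe(PAYLOAD), looksExploitable(renderSafe(PAYLOAD)));
console.log("attribute:", renderAttr(ATTR_PAYLOAD), looksExploitable(renderAttr(ATTR_PAYLOAD)));
console.log("opted out:", renderOptedOut(PAYLOAD), looksExploitable(renderOptedOut(PAYLOAD)));
```

The point of the comparison is that the safe path requires no per-call-site decision: a developer who uses the template gets encoding whether or not they think about XSS, and the bug only returns where someone reaches for the explicit opt-out or falls back to concatenation. Note also that one escaper covers both the element and quoted-attribute contexts shown here but not JavaScript-string, URL or CSS sinks, which need their own encoders.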