Matt "msw" Wilson
@msw@mstdn.social · 2 weeks ago

Thinking about #InfoSec organizational behaviors derived from cognitive bias. In particular, availability bias from things that are memorable.

#Log4j #Heartbleed #SolarWinds #ShellShock #Spectre #Meltdown #SQLSlammer

Matt "msw" Wilson
@msw@mstdn.social replied · 2 weeks ago

Is it possible that #Log4j will be the most expensive global #InfoSec incident ever, not because of meaningful losses stemming from successful exploitation, but because it continues to be part of the continuous “#SBOM and patch all the things will fix this!!” drumbeat?

John "Dobbymoodge" Lamb
@dobbymoodge@mastodon.social replied · 2 weeks ago

@msw I feel like the reaction and "I-told-you-so"s have had some merit, shining light on dependencies as a source of vulnerabilities in otherwise well-planned codebases. There has definitely been a ton of hay-making from the infosec side because of it, but from my position it's not too gratuitous. SBOM seems like a good thing to have in the tool kit, because the conditions that led to log4shell are still around - extremely deep dependency stacks.
John "Dobbymoodge" Lamb
@dobbymoodge@mastodon.social replied · 2 weeks ago

@msw I would have loved to have seen more analyses of teams with large Java codebases which managed to avoid the log4shell vuln. What was it about their culture, their toolchain or their processes that kept them out of trouble? Especially when the answer isn't "dumb luck".
bonfire.cafe

A space for Bonfire maintainers and contributors to communicate