OSS: What’s the difference b/w coding a backdoor & deliberately choosing an unpatched OpenSource Component w/ a CVSS 10?
Replying to @joshcorman
@joshcorman one is found by a regular adversary (even CM!), one only inefficiently, or by a super-Turing adversary?
Replying to @BrianSniffen
@Brian_Sniffen were I evil insider… I’d choose vulnerable OpenSource; esp popular versions. Stunning the use of known vulnerable open source
Replying to @joshcorman
@joshcorman @Brian_Sniffen A better evil insider would plant a non-obvious exploitable vulnerability (vs. blatant backdoor).
Replying to @joshcorman
@joshcorman @chriseng @Brian_Sniffen or realize CVE doesn't have the best record on OSS library vuln tracking.
Replying to @attritionorg
@attritionorg @chriseng @Brian_Sniffen sure. I'm speaking to poor tracking/handling of even the known ones.
Replying to @joshcorman
@joshcorman @attritionorg just ‘cause it’s in a Wikipedia database, you wouldn’t call it “known”. Why is CVE different?
@Brian_Sniffen @joshcorman that it is known to someone is the point. Just not necessarily to VDBs or security people who would react to it.
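The thread's point is that the risk from a known-vulnerable dependency is only manageable if the team actually tracks what it ships against what is known, and that "known" is wider than the CVE list. The following is an added example (not code from anyone in the thread) of the minimal check a build pipeline can run: parse a pinned dependency manifest, match it against an advisory list that mixes CVE-backed and project-only advisories, and flag anything at or above a CVSS threshold. All package names, versions, advisory identifiers and scores below are constructed placeholders, and the "affected if version < fixed_in" rule is a deliberate simplification of real advisory version ranges.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Advisory:
    """One known-vulnerable range for a package (constructed schema)."""
    package: str
    fixed_in: str   # versions strictly below this are treated as affected (simplification)
    cvss: float
    source: str     # where the advisory came from: a CVE id or a non-CVE source

# Constructed pip-style manifest; none of these refer to real projects.
CONSTRUCTED_REQUIREMENTS = """
# application dependencies (constructed sample)
examplelib==1.2.0
otherlib==4.0.1
safelib==2.0.0
"""

# Constructed advisory feed. Note the second entry has no CVE at all, which is
# the thread's point: a component can be known-vulnerable without a CVE record.
CONSTRUCTED_ADVISORIES = [
    Advisory("examplelib", "1.3.0", 10.0, "CVE-XXXX-XXXXX (placeholder id)"),
    Advisory("otherlib", "4.1.0", 7.5, "upstream project advisory, no CVE assigned (constructed)"),
    Advisory("safelib", "1.9.0", 9.8, "CVE-YYYY-YYYYY (placeholder id)"),  # already fixed in 2.0.0
]

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.2.0' into (1, 2, 0) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def parse_requirements(text: str) -> Dict[str, str]:
    """Parse exact pins ('name==version') from a requirements-style manifest.

    Comments and blank lines are skipped; anything that is not an exact pin is
    rejected, because an unpinned dependency cannot be checked against a range.
    """
    deps: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if not match:
            raise ValueError(f"not an exact pin, cannot assess: {line!r}")
        deps[match.group(1).lower()] = match.group(2)
    return deps

def find_known_vulnerable(
    deps: Dict[str, str],
    advisories: List[Advisory],
    min_cvss: float = 0.0,
) -> List[Tuple[str, str, str, float]]:
    """Return (package, pinned_version, source, cvss) for every pin that falls
    inside an advisory's affected range and meets the CVSS threshold."""
    findings = []
    for adv in advisories:
        pinned = deps.get(adv.package.lower())
        if pinned is None:
            continue
        if parse_version(pinned) < parse_version(adv.fixed_in) and adv.cvss >= min_cvss:
            findings.append((adv.package, pinned, adv.source, adv.cvss))
    return sorted(findings)

if __name__ == "__main__":
    deps = parse_requirements(CONSTRUCTED_REQUIREMENTS)
    for pkg, ver, source, score in find_known_vulnerable(deps, CONSTRUCTED_ADVISORIES):
        print(f"{pkg}=={ver}: CVSS {score} via {source}")
```

Run against the constructed manifest, the check reports both `examplelib` (a CVSS 10 with a CVE) and `otherlib` (no CVE, only an upstream advisory); raising `min_cvss` to 10.0 leaves only the first. A pipeline that gates solely on CVE-derived feeds would never see the second finding, which is exactly the tracking gap the thread describes.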