Is AppSec largely dealing w/ a legacy or new-code vulnerability problem? We need data for WHEN vuln code first landed in the repository.
@jeremiahg something that any mature VDB should be tracking. VulnDB from @riskbased tracks that metric, when available.
@attritionorg @riskbased it is tracked to some extent, but not really. Like, a random one-off SQLi or XSS vuln in some retail website.
@jeremiahg @riskbased it's tracked as best as possible, based on that info being available (which is pretty rare in the big picture)
@attritionorg @riskbased yah, in your part of the world — there is some data. In custom webapp vulns, right now… it’s zip. We’re blind.
@jeremiahg @riskbased but one can loosely speak to the other. start to get a picture of how bad it is
@attritionorg @riskbased we’ve a shot at collecting some metadata here. When given access to a repo, scanning backwards in time is tricky.
@jeremiahg if some orgs stick w/ you for a while, couldn't you extrapolate? @attritionorg @riskbased
@SushiDude No. We start by scanning the latest ver in the repo, which is obviously not the first, and proceed forward in time. @attritionorg
@SushiDude we, like anyone else, would have to scan all the updates backwards in time, which no one really thinks to do. @attritionorg
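The thread's point is that scanning only the current revision tells you a vulnerability is present, not when it landed; to get "first introduced" metadata you have to run the same check over the older revisions too. The script below is an added example, not code from any participant or from VulnDB, and it makes the problem concrete: it walks a constructed, oldest-first list of repository snapshots with a deliberately simple regex check for SQL built by string concatenation or f-strings, and reports both the first revision in which a finding appeared and the latest (re)introduction still live at HEAD. The snapshot list, tags, dates, file contents and the `sqli-string-building` rule are all constructed for this example; in a real repository the snapshots would come from checking out each tag or commit from git history.

```python
import re
from datetime import date

# One vulnerability class for this example: SQL statements assembled from
# user-controlled strings ("..." + x or f"...{x}") instead of bound parameters.
# Deliberately simplistic; a real scanner would use a proper engine.
RULES = {
    "sqli-string-building": re.compile(r'\.execute\(\s*(?:f"[^"]*\{|"[^"]*"\s*\+)'),
}


def _orders(stmt):
    """Build a constructed single-file snapshot around one execute() call."""
    return {"app/orders.py": "def get(db, oid):\n    return db.execute(" + stmt + ")\n"}


# Constructed history, oldest first: (tag, commit date, {path: source}).
# The flaw lands in v1.1, is fixed in v1.2, and is reintroduced in v2.0.
HISTORY = [
    ("v1.0", date(2012, 3, 1),  _orders('"SELECT * FROM orders WHERE id = ?", (oid,)')),
    ("v1.1", date(2012, 6, 15), _orders('"SELECT * FROM orders WHERE id = " + oid')),
    ("v1.2", date(2012, 9, 1),  _orders('"SELECT * FROM orders WHERE id = ?", (oid,)')),
    ("v2.0", date(2013, 2, 10), _orders('f"SELECT * FROM orders WHERE id = {oid}"')),
    ("v2.1", date(2013, 5, 20), _orders('f"SELECT * FROM orders WHERE id = {oid}"')),
]


def scan(files):
    """Return the set of (path, rule) findings for one repository snapshot."""
    findings = set()
    for path, source in files.items():
        for rule, pattern in RULES.items():
            if pattern.search(source):
                findings.add((path, rule))
    return findings


def presence(history, finding):
    """Per snapshot, oldest first: (tag, date, finding present?)."""
    return [(tag, day, finding in scan(files)) for tag, day, files in history]


def introductions(history, finding):
    """Tags at which the finding appears after being absent (or at the start).

    A vulnerability can be fixed and reintroduced, so there may be several.
    """
    out, prev = [], False
    for tag, _, present in presence(history, finding):
        if present and not prev:
            out.append(tag)
        prev = present
    return out


def first_landed(history, finding):
    """Oldest revision that ever contained the finding, or None."""
    tags = introductions(history, finding)
    return tags[0] if tags else None


def latest_landed(history, finding):
    """Walk back from HEAD while the finding is present; the revision where the
    walk stops is the introduction that is still live today. Note this is not
    the same as first_landed() when the flaw was fixed and later reintroduced."""
    rows = presence(history, finding)
    if not rows or not rows[-1][2]:
        return None
    landed = None
    for tag, _, present in reversed(rows):
        if not present:
            break
        landed = tag
    return landed


def dwell_days(history, finding):
    """Days the currently live instance has been in the tree (latest landing to HEAD)."""
    tag = latest_landed(history, finding)
    if tag is None:
        return None
    dates = {t: d for t, d, _ in history}
    return (history[-1][1] - dates[tag]).days


def report(history):
    """Age metadata for every finding present at HEAD."""
    return {
        f: {
            "first_landed": first_landed(history, f),
            "latest_landed": latest_landed(history, f),
            "introduced_at": introductions(history, f),
            "dwell_days": dwell_days(history, f),
        }
        for f in sorted(scan(history[-1][2]))
    }


if __name__ == "__main__":
    for finding, meta in report(HISTORY).items():
        print(finding, meta)
```

Scanning HEAD alone would only show the finding in v2.1. Walking the history is what yields the two distinct dates a vulnerability database would want: the flaw first landed in v1.1, but the instance live today was reintroduced in v2.0, so "how long has this been exploitable" depends on which of the two you mean.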