Is AppSec largely dealing w/ a legacy or new-code vulnerability problem? We need data for WHEN vuln code first landed in the repository.
@jeremiahg @riskbased it's tracked as best as possible, based on that info being available (which is pretty rare in the big picture)
@attritionorg @riskbased yah, in your part of the world — there is some data. In custom webapp vulns, right now… it’s zip. We’re blind.
@jeremiahg @riskbased but one can loosely speak to the other. start to get a picture of how bad it is
@attritionorg @riskbased we’ve a shot at collecting some metadata here. When given access to a repo, scanning backwards in time is tricky.
@jeremiahg if some orgs stick w/you for a while, couldn't you extrapolate? @attritionorg @riskbased
@SushiDude No. We start by scanning the latest ver in the repo, which is obviously not the first, and proceed forward in time. @attritionorg
@SushiDude we, like anyone else, would have to scan all the updates backwards in time, which no one really thinks to do. @attritionorg
@jeremiahg hard prob; vendors rarely scan back to 1st affected version. Better to under-estimate vuln age than not at all @attritionorg