Notice of Data Security Incident(minted.com) |
Notice of Data Security Incident(minted.com) |
https://blog.f-secure.com/new-vulnerabilities-make-exposed-s...
On the assumption that this data breach was caused by those CVEs (which I think were even publicized by the US CISO / NSA, how does the average website-hosting company find out about CVEs that apply to their stack in a timely manner? (note: I'm playing as devil's advocate, but would seriously like to hear realistic answers)
The majority of companies I've seen operations at didn't have people trawling the web looking for these kinds of issues. In theory you can sign up to get CVE notifications, and hopefully the software vendor will put a message on a mailing list. Whether anyone subscribed to that list is another question, and whether anyone reacts to it is another matter.
The challenge for most orgs I've seen would be even determining what tools (and versions) they need to keep on top of updates for. In a case like Salt however, I imagine short of being on their list (if they have one), most people's best hope is that one of their team sits on hacker news all day, and monitors relevant security resources, and knows salt is used.
Even big CAs don't get it right - the Salt attack was used against one of the certificate transparency servers. Clearly there's a gap between the theory and practice here.
Perhaps a well-formatted RSS feed at example.com/.well-known/security.rss ?
Email just doesn’t work in 2020 for anything mission-critical.
As a user it would also need to support team or shared accounts, so that a whole team can get alerted to any issues in components of their stack.
Then need to get everyone to support yet another standard(!), and companies need to hunt through their existing stack and identify all the critical components - I imagine lots of people will forget their dependency on things like OpenSSL/OpenSSH and ensuring they track bulletins for their relevant version.