Sebastian Lekies

@slekies

Automated Security Scanning & Vulnerability Management @Google

Joined October 2011
Pinned

We just open sourced the Tsunami security scanning engine. Tsunami is a false-positive-free scanner focusing on actively exploited, high severity security vulnerabilities. Feel free to reach out to us for questions. (cc @magl22, @paradoxengine) opensource.googleblog.com/2020/06/tsunam…


Sebastian Lekies Reposted

I wish we could deprecate javascript: URIs which are one of the few remaining XSS vectors for modern SPAs. Until then we can use CSP to disable javascript: URIs. Here's a prototype for a refactoring free strict & hash-based CSP that does that: github.com/google/strict-…

If you have applications written in Next.js and you pass user input to router.replace or router.push you have an XSS. I wish framework owners did a little more to prevent this kind of stuff during the design stages. Issue: github.com/vercel/next.js…
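The two posts above make one point from two sides: javascript: URIs are still an XSS vector, and a router that accepts user input as a navigation target (Next.js router.push / router.replace) hands that vector straight to the attacker. The defensive check below is an added example, not code from the tweets, from Next.js or from the linked strict-CSP prototype. It assumes the application only ever wants to navigate to same-origin paths, uses a constructed placeholder origin purely for parsing, and shows the allow-list style validation a practitioner would put in front of router.push:

```javascript
// Added example (not from the tweets or the Next.js project): normalise a
// user-supplied navigation target to a same-origin path, or fall back.
// Assumption: only same-origin navigation is ever intended; the origin
// below is a constructed placeholder used solely as a parsing base.
const PLACEHOLDER_ORIGIN = "https://app.example";

function toSafeInternalPath(input, fallback = "/") {
  if (typeof input !== "string") return fallback;

  // Accept only absolute-path references ("/x"). This alone rejects
  // "javascript:alert(1)", "data:..." and "https://other" (no leading
  // slash) and "//other.example" (protocol-relative, changes origin).
  if (!input.startsWith("/") || input.startsWith("//")) return fallback;

  // Backslashes are treated as slashes by the WHATWG parser for special
  // schemes ("/\\evil" behaves like "//evil"), and tabs/newlines are
  // silently stripped, so reject both classes before parsing.
  if (/[\\\u0000-\u001f\u007f]/.test(input)) return fallback;

  let url;
  try {
    url = new URL(input, PLACEHOLDER_ORIGIN);
  } catch {
    return fallback;
  }

  // Belt and braces: after parsing, the target must still be our origin.
  if (url.origin !== PLACEHOLDER_ORIGIN) return fallback;

  // Return the normalised path (dot segments resolved) plus query and hash.
  return url.pathname + url.search + url.hash;
}

// Usage in a Next.js component (hypothetical; `router` from next/router):
//   router.push(toSafeInternalPath(router.query.next));
```

The check is an allow-list on the shape of the value, not a block-list of known-bad schemes, which is why it rejects anything without a single leading slash rather than looking for the string "javascript:". A CSP that omits 'unsafe-inline' from script-src, as the strict CSP linked above does, blocks javascript: navigation as a second layer if a value still slips through.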



Sebastian Lekies Reposted

Tsunami wants to be the best platform for scanning your AI infrastructure. Come join the party. bughunters.google.com/blog/569189023…


Sebastian Lekies Reposted

Are you passionate about expanding the capabilities of the Tsunami network scanner, and would like to help keep AI infrastructure secure? See our blog post for details on getting involved and how your efforts will be rewarded 💸! bughunters.google.com/blog/569189023…


Sebastian Lekies Reposted

⚗️ localtoast: Localtoast is a scanner for running security-related configuration checks such as CIS benchmarks in an easily configurable manner. github.com/google/localto…


Sebastian Lekies Reposted

The CVSS Special Interest Group is proud to announce the official release of CVSS v4.0 - first.org/cvss/. This latest version of CVSS seeks to provide all users with the highest fidelity vulnerability assessment. #FIRSTdotOrg #CVSS #BuildingTrust #PSIRT #CSIRT

Sebastian Lekies Reposted

I'm not a fan of using SBOMs for vulnerability response. It can be argued that they are better than nothing - but I'm not so sure. Their flaws make them costly, siphoning resources away from better-targeted work. [1/4]


Sebastian Lekies Reposted

CVE-2023-27536, announced by the #curl project back in March 2023. We deem it severity Low. NVD, in their infinite wisdom, thinks this is a CRITICAL 9.8 flaw: nvd.nist.gov/vuln/detail/CV… I wish I knew how to fix this.


Sebastian Lekies Reposted

Keeping a large group of containers patched within a strict SLO remains a hard problem. At least that’s what we’ve found from our own experience, interactions with GKE customers, and observing industry surveys. 🧵


Sebastian Lekies Reposted

Super curious about how long it takes us all to realize that the only way to keep supply chain relatively free of vuln is to engineer for automated (delayed) updates of all deps. Guess we have to implement the whole sbom vex circus, first.


Sebastian Lekies Reposted

Insightful 3-part series (@sonatype) on the evolution of OSS supply chain attacks. Great facts (25% of Maven pkgs still using vuln log4j, consumers choose the vuln ver 95% of the time, etc.); liked the analogies to auto-industry supply chain controls & evolution phases: blog.sonatype.com/the-shifting-l…


Sebastian Lekies Reposted

Developers are not Trusted Types! Even with our best intentions as developers, we all make mistakes. XSS being one of the most common web vulnerabilities on the web proves that we need to better defend ourselves and our users against this. Let’s see how Trusted Types can (1/2)


Sebastian Lekies Reposted

I finally published part one - CVE / NVD doesn’t work for open source and supply chain security eu1.hubs.ly/H02h4dh0


Sebastian Lekies Reposted

CVE deep dive! Today I'll look at how scanners work rather than a CVE. I'll focus on how they find packages, because that's the first step in looking for CVEs. I'll show a blind spot scanners have with many popular docker images, and how you might be missing a LOT of vulns.


Sebastian Lekies Reposted

Check out our blog post to learn results from our experiments with Paranoid (github.com/google/paranoi…), our open-source project that detects the usage of weak cryptographic artifacts, such as public keys and digital signatures --> security.googleblog.com/2022/08/announ…


Sebastian Lekies Reposted

The ZAP spiders now score 80% vs Google Crawl Maze: zaproxy.org/docs/scans/cra… The latest 7% increase is thanks to @5up3r541y4n


Sebastian Lekies Reposted

ZAP needs your help! zaproxy.org/blog/2022-06-1…


Hey @pyscript_dev, using a custom <py-script> tag has bad security implications. It would be better to use a standard script tag with a type: <script type="python">. The custom tag looks cooler, but it creates a bunch of security issues that are hard to describe in one tweet.


Hey @freddyb & @kkotowicz! The Sanitizer API and Trusted Types seem incompatible. Sanitizing requires the precise context, which is not available in a Trusted Types policy. Are you aware of this issue? Is there a way Trusted Types and the Sanitizer API can work together?


Sebastian Lekies Reposted

I spent a few weeks dismantling CVSSv3.1 and came away disappointed. In my newest essay you can learn why. Bonus feature: you can play with how the calculator works to understand it better! theoryof.predictable.software/articles/a-clo…

