Sebastian Lekies
@slekies
Automated Security Scanning & Vulnerability Management @Google
We just open sourced the Tsunami security scanning engine. Tsunami is a false-positive-free scanner focusing on actively exploited, high severity security vulnerabilities. Feel free to reach out to us for questions. (cc @magl22, @paradoxengine) opensource.googleblog.com/2020/06/tsunam…
I wish we could deprecate javascript: URIs which are one of the few remaining XSS vectors for modern SPAs. Until then we can use CSP to disable javascript: URIs. Here's a prototype for a refactoring free strict & hash-based CSP that does that: github.com/google/strict-…
If you have applications written in Next.js and you pass user input to router.replace or router.push you have an XSS. I wish framework owners did a little more to prevent this kind of stuff during the design stages. Issue: github.com/vercel/next.js…
Tsunami wants to be the best platform for scanning your AI infrastructure. Come join the party. bughunters.google.com/blog/569189023…
Are you passionate about expanding the capabilities of the Tsunami network scanner, and would like to help keep AI infrastructure secure? See our blog post for details on getting involved and how your efforts will be rewarded 💸! bughunters.google.com/blog/569189023…
⚗️ localtoast: Localtoast is a scanner for running security-related configuration checks such as CIS benchmarks in an easily configurable manner. github.com/google/localto…
The CVSS Special Interest Group is proud to announce the official release of CVSS v4.0 - first.org/cvss/. This latest version of CVSS seeks to provide all users with the highest fidelity vulnerability assessment. #FIRSTdotOrg #CVSS #BuildingTrust #PSIRT #CSIRT
I'm not a fan of using SBOMs for vulnerability response. It can be argued that they are better than nothing - but I'm not so sure. Their flaws make them costly, siphoning resources away from better-targeted work. [1/4]
CVE-2023-27536 Announced by the #curl project back in March 2023. We deem it severity Low. NVD, in their infinite wisdom, thinks this is a CRITICAL 9.8 flaw: nvd.nist.gov/vuln/detail/CV… I wish I knew how to fix this.
Keeping a large group of containers patched within a strict SLO remains a hard problem. At least that’s what we’ve found from our own experience, interactions with GKE customers, and observing industry surveys. 🧵
Super curious about how long it takes us all to realize that the only way to keep the supply chain relatively free of vulns is to engineer for automated (delayed) updates of all deps. Guess we have to implement the whole SBOM/VEX circus first.
Insightful 3-part series (@sonatype) on the evolution of OSS supply chain attacks. Great facts (25% of Maven pkgs still using vuln log4j, consumers choose the vuln version 95% of the time, etc.), liked the analogies to auto-industry supply chain controls & evolution phases - blog.sonatype.com/the-shifting-l…
Developers are not Trusted Types! Even with our best intentions as developers, we all make mistakes. XSS being one of the most common web vulnerabilities on the web proves that we need to better defend ourselves and our users against this. Let’s see how Trusted Types can (1/2)
I finally published part one - CVE / NVD doesn’t work for open source and supply chain security eu1.hubs.ly/H02h4dh0
CVE deep dive! Today I'll look at how scanners work rather than a CVE. I'll focus on how they find packages, because that's the first step in looking for CVEs. I'll show a blind spot scanners have with many popular docker images, and how you might be missing a LOT of vulns.
Check out our blog post to learn the results from our experiments with Paranoid (github.com/google/paranoi…), our open-source project that detects the usage of weak cryptographic artifacts, such as public keys and digital signatures --> security.googleblog.com/2022/08/announ…
The ZAP spiders now score 80% vs Google Crawl Maze: zaproxy.org/docs/scans/cra… The latest 7% increase is thanks to @5up3r541y4n
Hey @pyscript_dev, using a custom <py-script> tag has bad security implications. It would be better to use a standard script tag with a type: <script type="python">. The custom tag looks cooler, but it creates a bunch of security issues that are hard to describe in one tweet.
Hey @freddyb & @kkotowicz! The Sanitizer API and Trusted Types seem incompatible. Sanitizing requires the precise context, which is not available in a Trusted Types policy. Are you aware of this issue? Is there a way Trusted Types and the Sanitizer API can work together?
I spent a few weeks dismantling CVSSv3.1 and came away disappointed. In my newest essay you can learn why. Bonus feature: you can play with how the calculator works to understand it better! theoryof.predictable.software/articles/a-clo…