Using Security Reports As A Weapon?!?!

Recorded live on twitch, GET IN

### Article

### My Stream

### Best Way To Support Me
Become a backend engineer. It's my favorite site

This is also the best way to support me: support yourself by becoming a better backend engineer.

MY MAIN YT CHANNEL: Has well-edited engineering videos

Discord

Comments
Author

DHOD: Distributed Harassment of Developer

kiverismusic
Author

it was me, I downloaded "ip" 17 million times...

DMONSKULL
Author

It's not just a DHOS on the projects, it also erodes trust in the CVE system.

The LAST thing you want is developers seeing a CVE and thinking "this is probably nonsense again" and not treating it seriously. Ideally, devs see a CVE and think "oh shit, I need to fix that!"

jeffwells
Author

I don't know why people can't trust some random person who is maintaining the project but blindly trust a random person creating CVEs.

ViolentOrchid
Author

I love the InfoSec community but some CVE issuers have dubious ethics where they artificially overstate the severity rating because it allows their disclosure to essentially be higher reach product marketing for their firm. I’ve worked at companies where they privately disclosed vulnerabilities as a shakedown tactic for their “consulting services” along with filing a CVE request that overstated the severity by 3-4 points to what we evaluated it to internally.

JETurp
Author

The threshold for creating these CVEs is getting too low. *Any* bug could potentially, possibly, have some kind of security impact.
Doesn't mean everything has to end up in the CVE database.

vinterskugge
Author

btw, if you are using anything related to cryptography in node, there's a 90% chance you'll use code by this guy Fedor.
He is one of the MOST prolific cryptography developers in the node ecosystem.
This is probably the LAST person you want to stop taking CVEs seriously :(

elirane
Author

I would expect 9.8 to automatically take over your PC if you run it and a hacker spends 10 seconds trying to break in, hacker optional.

rmidifferent
Author

I sometimes get annoyed by the cyber security community for things like this. There's a whole class of "security researchers" who basically just exist to point out bugs like, "if a cosmic ray comes down and changes the transistor state, this library displays inconsistent behavior..." And then, they ask for some sort of bounty. It almost seems like the CVE system is being shared between these people and people who understand that the impact of a vulnerability also relies on the actual feasibility of exploiting the vulnerability, as well as the risk displayed upon successful exploitation. It's a sort of scare tactic used because people see "vulnerability" and commonly lack the ability to differentiate a severe vulnerability from a theoretical, unexploitable one.

reybontje
Author

How to Jia Tan any npm package:
- find low maintenance, high download count npm package
- create fake security reports against it
- show up with PRs and/or money in maintainers DMs
- ????
- profit

JLarky
Author

I am sick and tired of "independent security researchers" that send in irrelevant "security vulnerabilities" and push for rewards.

Ostap
Author

Wild thing is that a state actor will submit bogus vulnerability reports, but will keep real ones for their own use

Pilkas_Vilkas
Author

I am legitimately concerned about spurious CVE filings.

JeremyAndersonBoise
Author

1:16 your project starts getting used by companies making millions off your software who never return any of it even when making demands for improvement.

EvanBoldt
Author

9.8 criticality would make you shit fireworks or a similar experience, duuh, but I really think that some of these devs that do JS and review GitHub code don't really think what such a small change can do if they file a fake CVE

retr.
Author

Bruh I was half asleep when I saw the title and read it as "Using security raptors as a weapon," and thought someone managed to bring the dinosaurs back

epq
Author

10:00 - that’s not really a vulnerability. It’s the network owner’s job to make the private network unreachable, this is dumb. No route to host 404. Malicious CVE reports could be bad

JeremyAndersonBoise
Author

Distributed Harassment is a good description of this crap.
Allowing anyone on the Internet to be a CNA has been a debate for the Linux kernel as well because they had an increase in the number of CVEs being created

ragectl
Author

CVE only when registered with your ID. Also only possible with a working proof of concept in real software.

DiLeberwurst
Author

Issues I see with "open source" are quite a bit different. Developer #1 creates an LLM project, Developers #s 2-11 create forks that still depend upon Dev#1's project. After weeks, Dev#1's project encounters dependency hell. Developers 2-11 continue to charge money for their custom installers, even though all 11 repos have been broken for months.

Ideally Developers would assist the 1st project, at some point, rather than make it a dependency & let all the projects die with the first round up dependency updates for the 10 forks.

So we'll have 10+ forks, none of which anyone can use due to the original project being (seemingly) abandoned or receiving updates like once a year... & either way, the packages typically only work if a user happens to find the project in the first week of its debut, and the odds of it working diminish after this point for other users who found the project during week 2, 3, 4, etc.

It looks to me like the "Open Source" 'community' is destroying itself, & Content Creators cloning a repo to sell botched installs is one of many contributing factors to this continuing problem.

VertegrezNox