Thursday, November 14, 2024

Common Vulnerabilities and Exposures & work

At work one of my unofficial tasks is to review the current CVE list.  We have been asked in the past several times if a vulnerability affects us, and we have to quickly find out if it does.  Now we (actually just me) check every day for updates from the prior day against a list of software that we use.  We use a simple XLS to track the CVE, product, date and high level description, and a summary is sent out to the various team members to investigate.  It has paid off, as we knew about a vulnerability before being asked about it and quickly responded to senior management with what was being done if impacted.

This allows us to identify any potential impacts and verify whether or not we are impacted.  If impacted, we determine what mitigation steps are required before the fix and when the fix will be installed.
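The daily check described above, as an added example in Python (not the author's spreadsheet process): it takes a day's worth of CVE records, keeps the ones published the prior day whose product matches a watch list of software in use, orders them by CVSS with EPSS as a tie-breaker, and emits rows in the tracker's columns (CVE, product, date, description). The feed records, the watch list and the CVE ids are constructed placeholders.

```python
from datetime import date, timedelta

# Constructed sample feed shaped like a daily CVE listing. The ids are
# placeholders, not real CVE entries.
SAMPLE_FEED = [
    {"cve": "CVE-0000-00001", "product": "ExampleDB Server", "published": "2024-11-13",
     "cvss": 9.8, "epss": 0.62, "summary": "SQL injection in the admin console"},
    {"cve": "CVE-0000-00002", "product": "OtherVendor Widget", "published": "2024-11-13",
     "cvss": 7.5, "epss": 0.05, "summary": "Cross-site scripting in search page"},
    {"cve": "CVE-0000-00003", "product": "exampledb server", "published": "2024-11-12",
     "cvss": 5.3, "epss": 0.01, "summary": "Race condition in log rotation"},
    {"cve": "CVE-0000-00004", "product": "Acme Web Proxy", "published": "2024-11-13",
     "cvss": 8.1, "epss": 0.30, "summary": "Buffer overflow in HTTP parser"},
]

# Hypothetical watch list of software in use. Matching is case-insensitive and
# by substring, so vendor spelling or version suffixes do not hide a hit.
WATCHLIST = ["ExampleDB", "Acme Web Proxy"]


def is_watched(product, watchlist=WATCHLIST):
    p = product.lower()
    return any(w.lower() in p for w in watchlist)


def daily_review(feed, today, watchlist=WATCHLIST):
    """Records published the day before `today` that hit the watch list,
    highest CVSS first (EPSS breaks ties), as rows for the tracker."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    prior = (today - timedelta(days=1)).isoformat()
    hits = [r for r in feed
            if r["published"] == prior and is_watched(r["product"], watchlist)]
    hits.sort(key=lambda r: (r["cvss"], r["epss"]), reverse=True)
    return [(r["cve"], r["product"], r["published"], r["summary"]) for r in hits]


def summary_lines(rows):
    """Tab-separated lines in the tracker's columns, ready to paste or mail."""
    header = "\t".join(("CVE", "Product", "Date", "Description"))
    return [header] + ["\t".join(r) for r in rows]


if __name__ == "__main__":
    for line in summary_lines(daily_review(SAMPLE_FEED, "2024-11-14")):
        print(line)
```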

The part that I find annoying is that many of the vulnerabilities can be prevented by the app developers during testing.  I suspect that management or marketing is pressuring the developers to push out the code and let the users and others find the bugs.


Terminology

CVE is Common Vulnerabilities and Exposures. WIKI for CVE.

CVSS is Common Vulnerability Scoring System. WIKI CVSS.

EPSS is Exploit Prediction Scoring System. WIKI for EPSS.


Buffer overflow. WIKI Buffer overflow.

Cross-Site Request Forgery (XSRF). WIKI XSRF.

Cross Site Scripting (XSS). WIKI XSS.

Race condition. WIKI Race condition.

SQL injection. WIKI SQL Injection.


CVE URL I use to check on updates

Browse CVE vulnerabilities by date (cvedetails.com)



Monday, July 01, 2024

Using and liking Mastodon

When I dropped Twitter X I didn't miss the ongoing toxic waste dump.  I found a great replacement called Mastodon.  It does take a bit of work and time to get started, but I find it a friendly place.  I see what I want to see, I follow those who I want to follow and it isn't a spam filled, advertising filled site overflowing with hatred, bigotry and intolerance.  The administrators keep an eye on things and when spam does appear it quickly gets removed.  

There is a growing community of people who are willing to share, technical experts and media personalities who regularly post. 

If you are tired of X I suggest that you check it out.

Sunday, March 24, 2024

I am not missing Twitter.

It has been over a year since I left Twitter and I don't miss it.  I have been using Mastodon and it has been a much more enjoyable experience.  I am not subjected to spam, scams, advertising and hate.  It takes a bit to get accustomed to, but I have a wonderful feed with people who post and share information that I find interesting or that makes me think.

In Linux there are clients (I am using TUBA at this time in MX Linux as a Flatpak), and Android has clients (I am using Trunks, which is cross platform - Android & iOS).  It is also accessible via your browser, and I haven't found a client there that works as well as the browser version.