
If CVE scanners are stupid, then what should I do instead?

Suppose I'm a sysadmin / devops at a small software company. The devs write webapps with lots of dependencies, which they rarely update.

Is there anything I can do to meaningfully reduce the risk of a vuln in one of those dependencies getting us pwned, without that consuming all of my time?

@wolf480pl CVE scanners are (somewhat) useful, it's just that their output needs a lot of filtering. Raise only long-standing unaddressed issues, and filter out vulns that maintainers have not acked or fixed.
Help devs set up some dependency automation (renovate, dependabot) so they don't have to do it by hand.
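One way to implement the filtering described in that reply, as an added example that is not part of the original thread: keep only findings above a severity bar, with an upstream fix available, open longer than a grace period (so renovate/dependabot gets a chance to pick them up first), and not already marked "not affected" by the devs. The `Finding` record shape, the thresholds, and the sample findings (fake `EX-*` identifiers and package names) are all constructed for this example, not any scanner's real schema or real advisories.

```python
"""Triage CVE-scanner findings: raise only the ones that are severe, already
fixed upstream, long-standing, and not already judged not-applicable.

Added example, not from the original post. The Finding shape is an
assumption (roughly what you get after flattening a scanner's JSON report),
not a real scanner schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # scanner identifier (constructed, not a real CVE)
    package: str
    installed: str
    fixed_in: Optional[str]   # None => maintainers have not shipped a fix yet
    severity: str             # "critical" / "high" / "medium" / "low"
    first_seen: date          # date this finding first appeared in our scans


SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def triage(findings, today, min_severity="high", min_age_days=14,
           not_affected=frozenset()):
    """Return the findings worth opening a ticket for, most severe first.

    not_affected: set of (vuln_id, package) pairs the devs already triaged
    as not applicable to how the app uses the dependency.
    """
    keep = []
    for f in findings:
        if SEVERITY_RANK[f.severity.lower()] < SEVERITY_RANK[min_severity]:
            continue  # below the severity bar
        if f.fixed_in is None:
            continue  # no upstream fix: nothing to update to yet
        if (today - f.first_seen).days < min_age_days:
            continue  # still inside the grace period for dependency automation
        if (f.vuln_id, f.package) in not_affected:
            continue  # devs already judged this one not applicable
        keep.append(f)
    # Most severe first; within a severity, oldest first.
    keep.sort(key=lambda f: (-SEVERITY_RANK[f.severity.lower()], f.first_seen))
    return keep


# Constructed sample findings: fake IDs and package names, not real advisories.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Finding("EX-0001", "libfoo", "1.2.0", "1.2.5", "critical", date(2024, 4, 1)),   # raise
    Finding("EX-0002", "libbar", "3.0.0", None,    "critical", date(2024, 3, 1)),   # no fix yet
    Finding("EX-0003", "libbaz", "0.9.1", "0.9.2", "high",     date(2024, 5, 28)),  # too fresh
    Finding("EX-0004", "libqux", "2.1.0", "2.1.1", "high",     date(2024, 1, 10)),  # raise
    Finding("EX-0005", "libqux", "2.1.0", "2.1.1", "medium",   date(2024, 1, 10)),  # below bar
    Finding("EX-0006", "libfoo", "1.2.0", "1.2.4", "high",     date(2024, 2, 1)),   # dev-triaged n/a
]
NOT_AFFECTED = frozenset({("EX-0006", "libfoo")})


def tickets_to_open():
    """IDs of the findings that survive triage on the sample data."""
    return [f.vuln_id for f in triage(SAMPLE, TODAY, not_affected=NOT_AFFECTED)]


if __name__ == "__main__":
    for f in triage(SAMPLE, TODAY, not_affected=NOT_AFFECTED):
        print(f"{f.severity:8} {f.vuln_id} {f.package} {f.installed} -> "
              f"{f.fixed_in} (open since {f.first_seen})")
```

The `not_affected` set is the place to record the "turned out not applicable" verdicts from the dev tickets, so the same finding is not raised again on the next scan; the grace period and severity bar are knobs to tune until the number of tickets per year is one you can actually act on.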

Wolf480pl

@nadia I tried filtering by CVSS score, leaving in only "Critical". There was a single-digit number of those per year. I would read the descriptions and linked writeups for each of them, and after that it usually turned out half of them are clearly not applicable or just pure bullshit.

For the rest I wasn't sure whether we're affected because I didn't know how the application uses them, so I opened tickets for the devs. It turned out half were not applicable either.

And it was a PITA.

@nadia maybe the problem is spoons, not time

@wolf480pl @nadia welcome to dependency management, one of the top reasons why i quit my corpo job!

can I get you a fake vuln in curl as a treat?

@wolf480pl @nadia sorry, vulnerability management*

a name which i still don't agree with, because vulnerabilities are not meant to be managed