if your entire security operation relies 100%, or even 'heavily', on cves, cve scanners, mitre mitre mitre, then you're in for a very rough ride.

it's time to stop blindly using cve as a rail shooter for security, put on adult pants, and start looking at security and architecture holistically.

the days of "just aim some staggeringly expensive cve scanner at the infra, have it squirt out a clutch of cves, then run patches on patch wednesday and scan again to make the graph go down and to the right" are coming to an end.
@Viss This may be a stupid question, but what would be the alternative when it comes to vulnerabilities in software?

@thedoctor to identify the issues yourself, and judge for yourself if the thing you found is scary enough to deal with.

many many many of the cves that are published are basically nothingburgers. they fuel the compliance industry way way way way way way way more than the security industry.

many of them are essentially unexploitable, or just wrong, or ... well..
here:

https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/

CVE-2020-19909 is everything that is wrong with CVEs

This is a story consisting of several little building blocks and they occurred spread out in time and in different places. It is a story that shows with clarity how our current system with CVE Ids and lots of power given to NVD is a completely broken system. CVE-2020-19909 On August 25 2023, we got …
@Viss Oh, I am aware of that. But sometimes a CVE pops up that is an actual problem and I don't see how people are supposed to notice unless there's some sort of reporting system in place.
@thedoctor cve is not the only way this stuff makes it out into the world
@thedoctor mitre is not the sole org on the planet that gets to decide what is and is not a bug
@Viss Indeed? And here I thought everyone was living off of their tea leaf reading.
@thedoctor some are but you gotta ask yourself just HOW important is it if the solution 99% of the time is 'install a patch' or 'perform an upgrade'?
@Viss That's fair.

@thedoctor also i guess people have chosen to erase from the collective consciousness that if you're any good at sysadmin / netadmin techniques, there's a fuckload of security you can just solve for at the network/system layer.

like, JUST mtls and fail2ban *ALONE* hobble almost every kind of recon that's possible, and 100% of all bruteforcing of everything, even web scraping and dir brutes and shit.