
Comment by icedchai

3 years ago

Some people just want third-party assurance for CYA purposes. I’ve had to go through “security reviews” for apps submitted to third party platforms. One of them told me to upgrade our web server because we had a vulnerability. That vuln was in some module that wasn’t even enabled. I explained this, and they still demanded we upgrade. So I just turned off the version identifier. Their scan passed. (I did upgrade nginx later anyway.)

Many security compliance scans/audits, especially at larger companies, are about checking boxes and not practical security. I've done the same version hiding to get past nuisance reports.

  • Versions SHOULD be hidden from public queries. A proper assessment should identify versions anyway, by other means. If you hide them from your assessors to pass a scan, have cyber insurance and later have an incident, coverage may be invalidated due to fraud (hiding data from the assessor) or incompetence on the part of the assessor you hired.

    Assessment teams have varying quality. Get the best results for your org you can out of them.

    • Incompetence is frequent and expected.

      I did an assessment once where we were an add-on to a third party platform. The assessor (from the third party platform) reports we are using a vulnerable javascript library! I said we're not even using that library, so he must've mixed us up with someone else.

      Tons of back-and-forth emails. He eventually sends us a couple of screenshots from browser dev tools. It turns out the guy was talking about a library on their own platform. It took even more back-and-forth emailing, until we escalated and the problem was resolved.
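The two comments above (hiding the version identifier to pass a scan, and the reply that a proper assessment should identify versions by other means) boil down to the difference between a banner-based check and an inventory-based check. The following is an added illustration, not code from any commenter or from any scanner product: it parses a `Server` header the way a banner-only scanner would, compares the result against a constructed advisory (the product name and "fixed in" version are placeholders, not a real advisory), and contrasts that with a check driven by the installed package version. The sample headers and inventory dictionaries are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample response headers; not captured from any real host.
SAMPLE_HEADERS = {
    "verbose": {"Server": "nginx/1.18.0", "Content-Type": "text/html"},
    "hidden":  {"Server": "nginx", "Content-Type": "text/html"},   # e.g. server_tokens off
    "apache":  {"Server": "Apache/2.4.41 (Ubuntu)"},
}


@dataclass
class Advisory:
    """Placeholder advisory: product and the first version that is not affected."""
    product: str
    fixed_in: str


# Constructed advisory used only to drive the example; not a real CVE.
EXAMPLE_ADVISORY = Advisory(product="nginx", fixed_in="1.20.0")


def banner_version(headers):
    """Return (product, version) from the Server header.

    version is None when the banner carries no version, which is exactly
    what a banner-only scanner sees after the version identifier is hidden.
    """
    server = headers.get("Server", "")
    m = re.match(r"([A-Za-z-]+)(?:/(\d+(?:\.\d+)*))?", server)
    if not m:
        return (None, None)
    return (m.group(1).lower(), m.group(2))


def parse_version(v):
    """'1.18.0' -> (1, 18, 0) so that tuple comparison orders versions."""
    return tuple(int(part) for part in v.split("."))


def assess(product, version, advisory):
    """Verdict reachable from a (product, version) pair for one advisory."""
    if product != advisory.product:
        return "not-applicable"
    if version is None:
        return "unknown"          # banner hidden: the scanner cannot decide
    if parse_version(version) < parse_version(advisory.fixed_in):
        return "vulnerable"
    return "patched"


def banner_only_scan(headers, advisory):
    """What an unauthenticated, banner-driven scan concludes."""
    product, version = banner_version(headers)
    return assess(product, version, advisory)


def inventory_scan(installed, advisory):
    """What an inventory-driven check concludes.

    installed is a constructed stand-in for authoritative data such as the
    package manager's installed version; hiding the banner does not change it.
    """
    version = installed.get(advisory.product)
    product = advisory.product if version is not None else None
    return assess(product, version, advisory)


if __name__ == "__main__":
    for name, headers in SAMPLE_HEADERS.items():
        print(f"banner {name:8s}: {banner_only_scan(headers, EXAMPLE_ADVISORY)}")
    # Same host before and after hiding the banner: the inventory verdict is unchanged.
    print("inventory:", inventory_scan({"nginx": "1.18.0"}, EXAMPLE_ADVISORY))
```

The "hidden" header yields "unknown" from the banner-only path while the inventory path still yields "vulnerable" for the same installed version, which is the point the reply makes: suppressing the version string (nginx `server_tokens off;`, Apache `ServerTokens Prod`) reduces information disclosure but changes nothing about what is installed, so an assessment that cannot fall back to an authoritative version source reports a pass it has not actually established.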

If the vulnerability is present it’s still a vulnerability. Just because the module isn’t enabled doesn’t mean it can’t still be taken advantage of in a remote code execution scenario.

Not using a library !== not vulnerable.

  • I forget the specifics, but there was no way to exercise the module remotely. I think it was actually Apache, not nginx, and the module was not even loaded. It was one of those bullshit "medium priority" line items.

    • You are probably misremembering the story. If the module was really not enabled it wouldn't come up in a security scan or be present in the banner.


    • What happens when another dev takes over and loads the module? This sounds similar to using a vulnerable library without invoking the vulnerable function - it still could unwittingly be used in the future.