Profile picture
Jeremiah Grossman @jeremiahg
, 7 tweets, 1 min read Read on Twitter
1/ Years ago I worked on a data analysis project. The project was designed to predict the particular type and number of vulnerabilities likely to be identified (or not) in a given website when security tested.
2/ The results were fascinating. With only knowing WHEN a website was first deployed on the Web and the programming language in use, it was possible to predict the type and quanitity of vulnerabilities present with a very high degree of accuracy.
3/ Other factors such as industry, organizational size, regulatory obligations, software development processes, and so on mattered very little statistically.
4/ The only other factor found that seemed to matter was if the ORG or website was known to have been hacked sometime in the past. Turned out they were substantially less vulnerable than the broad average website.
5/ I was getting closer to be able to precisely predict WHERE vulnerabilities of a particular type would be located in a website (ie a named URL param, form field, header, etc). I ran out of time, but I’m convinced it’s possible and it would greatly increase testing efficiency.
6/ If you can imagine, among other benefits, this type of vulnerability prediction would also greatly benefit the cyber-insurance market. Such as estimating risk without having to perform vulnerability testing in advance. Or telling the client what to prioritize testing for.
7/ Or, if you’re a bug bounty hunter, this type of analysis could help you be just that much more efficient in how you allocate your time.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Jeremiah Grossman
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @jeremiahg see all

Profile picture
I’ve spent last year creating asset inventories of the world's largest organizations (via Bit Discovery). It’s absolutely crazy to see just how many assets they have connected to the Internet — many have hundreds of thousands.

You can’t secure what you don’t know you own.
As it turns out, creating an inventory of internet-connected assets for an organization is easily the hardest engineering challenge I’ve ever worked on in my career.
An organization’s internet-connected devices may exist on many different IP-ranges, domain names, hosted services, labelled under a variety of brands or departments, managed by subsidiaries and partners, and may come and go without warning. (Very hard problem)
Read 4 tweets
Profile picture
1. Breach disclosed on a Friday.
2. The data about 500m people DOES NOT belong to their guests, but to Marriott. They have every right to allow it be compromised.
3. Breach unlikely to be costly, and affect stock price.
4. Other hotel chains should consider incident response.
It’s hard to tell if the Marriott breach contained cardholder information, but if so, PCI-DSS needs to take there fair share of the heat... and the QSA for that matter.
An intruder was silently running around Marriott’s system for 4 years. 4 YEARS. Imagine the amount of work necessary to get security back to a known good state and confident that you did so. Might take another 4 years in any system that large.
Read 6 tweets

Related threads

Profile picture
I just came here this morning to let y'all know that from 2018 till today, I've tweeted about 800 websites to learn various technical and non-technical skills online (mostly free) including those from top universities OpenCourseWare.

Don't @ me to search for anything for you.
I shared websites and other free online learning platforms + mobile apps where you can learn more about blogging, business plans, Teach & Sell Online Courses, Website Building Tools and Resources, A/B Testing Tools, SEO, Website Analytics, Help Desk Software and Live Chat,
Photo Editing Software, Social Media Graphics, E-Commerce Solutions, Learn How to Code, Online Courses & Continuing Education, Videos, File Sharing and Storage, Captioning, Transcription, Translation, Dropshipping, Public Speaking, Coding, Programming, Al, Data Analysis,
Read 12 tweets
Profile picture
00/ This thread will detail the almost implausible story of how we found anonymous troll account "BOB" @warfarenavel - a near miracle given the odds. I'll also illustrate the IRL danger posed by warfarenavel's reckless online games.
So step this way and we shall begin...
a Note: It really shouldn't have been possible to find him...!

And a Warning: This will be a bizarre thread about the Twitter underbelly - I can't emphasize that enough...brace yourself
1/ //START// Let's get you up-to-speed real quick with "Bob", a.k.a trumpprisondate, a.k.a warfarenavel, a.ka.a Mario Linty whose first two accounts that we know of were based around a prison rape reference/joke
Read 95 tweets
Profile picture
1

Not whole, but a section of the Middle class, which is selfish and limited to Onion Petrol is angry with @narendramodi

Let's see what Modi Govt did for them in last 4/4.5 years.

Pls RT and spread the message

summarised points viaWA
2

4 years ago, income tax on taxable income between 2 L and 5 L was 10%, now 5%.

4 years ago, tax on restaurant bills was 13% to 28%, now 5%.

4 years ago, interest on home loans was 10.3%, now 8.65%.

4 years ago, 1 GB of 3G data pack was Rs 250, now, 1 GB of 4G at Rs 5.
3

4 years ago, sky high prices of medicine and stents, now they are several notches less.

4 years ago, inflation in double digits, now under 5%. Prices of pulses and vegetables fall.
Read 8 tweets
Profile picture
Gujarat: First consignment of 20 sleeper slab tracks weighing 250 tonnes for construction of Mumbai-Ahmedabad bullet train, shipped to Vadodara from Mumbai Port earlier today. The consignment had come from Japan. #BharatTrustsModi
4 years ago, interest on home loans was 10.3%, now 8.65%. #BharatTrustsModi
4 years ago, tax on restaurant bills was 13% to 28%, now 5%. #BharatTrustsModi
Read 162 tweets
Profile picture
1-7
4 years ago, income tax on taxable income between 2 L and 5 L was 10%, now 5%.

4 years ago, tax on restaurant bills was 13% to 28%, now 5%.

4 years ago, interest on home loans was 10.3%, now 8.65%.

4 years ago, 1 GB of 3G data pack was Rs 250, now, 1 GB of 4G at Rs 5.
2-7
4 years ago, sky high prices of medicine and stents, now they are several notches less.

4 years ago, inflation in double digits, now under 5%. Prices of pulses and vegetables fall.

4 years ago, 17 different indirect taxes, now just GST.
3-7
4 years our economy was in fragile 5 group now it's in BAA3.

4 years ago in ease of doing business we were at 160 rank now one of the top performer it's 99.

4 years ago, Real Estate builders had Manmani, now they are bound to deliver project before deadline under RERA.
Read 7 tweets
Profile picture
Years ago I worked in advertising, & our graphic designer was outsourced. I worked with her for 2 years by phone & email & on my last day, out of curiousity, I asked what she thought I looked like.

She said skinny & short, with straight mousy brown hair, freckles & glasses.
She herself was Russian.

I sent her a photo of me sitting at my desk, and she immediately rang me up and just kept saying "You surprised me. You surprised me," over and over in this heavy Russian accent, like she was in total shock.

The whole office was in stitches.
And then another time, when I worked in telemarketing, I upsold this guy a $3500 back-to-base monitored alarm system for his home because he was scared of 'the black people coming into our country.'

I had him on speaker, while we had a lovely chat about how bad black people are.
Read 6 tweets

Trending hashtags

#BharatTrustModi #BirthrightCitizenship #NewIndiaNewMomentum #TrumpRussia #BharatTrustsModi #learningoutsidetheclassroom #TheDragonsDen #TickTock #data #OpChildSafety #14Amendment #ToriStafford #abolishICE #conspiracy #GDPR #AI #MAGA #Russia #identity #Data #Centralisation #CdnPoli #MSExcel #SSRP #SaafNiyatSahiVikas

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!