One Article Review

Home - The article:
Source GoogleSec
Identifier 4593796
Publication date 2021-12-16 17:28:18 (viewed: 2022-05-13 21:47:30)
Title Improving OSS-Fuzz and Jazzer to catch Log4Shell
Text Posted by Jonathan Metzman, Google Open Source Security Team

The discovery of the Log4Shell vulnerability has set the internet on fire. Like Shellshock and Heartbleed before it, Log4Shell is only the latest catastrophic vulnerability in software that runs the internet. Our mission as the Google Open Source Security Team is to secure the open source libraries the world depends on, such as Log4j. One of our capabilities in this space is OSS-Fuzz, a free fuzzing service that is used by over 500 critical open source projects and has found more than 7,000 vulnerabilities in its lifetime.

We want to empower open source developers to secure their code on their own. Over the next year we will work on better automated detection of vulnerabilities that are not memory-corruption bugs, such as Log4Shell. Unlike a memory-corruption bug, which shows up as a crash, a bug of this class has to be recognized by the fuzzer as a dangerous operation (here, a JNDI lookup of attacker-controlled input) rather than as a crash. We have started this work by partnering with the security company Code Intelligence to provide continuous fuzzing for Log4j as part of OSS-Fuzz. Also as part of this partnership, Code Intelligence improved their Jazzer fuzzing engine to make it capable of detecting remote JNDI lookups. We have awarded Code Intelligence $25,000 for this effort and will continue to work with them on securing the open source ecosystem.

Caption: OSS-Fuzz and Jazzer finding the Log4Shell vulnerability

Vulnerabilities like Log4Shell are an eye-opener for the industry in terms of new attack vectors. With OSS-Fuzz and Jazzer, we can now detect this class of vulnerability so that it can be fixed before it becomes a problem in production code.

Over the past year we have made a number of investments to strengthen the security of critical open source projects, and recently announced our $10 billion commitment to cybersecurity defense, including $100 million to support third-party foundations that manage open source security priorities and help fix vulnerabilities.

We appreciate the maintainers, security engineers and incident responders who are working to mitigate Log4j and make our internet ecosystem safer.
Check out our documentation to get started using OSS-Fuzz.
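The post says Jazzer can now detect remote JNDI lookups but does not show what a fuzz target for this looks like. The following is an added example written for this page, not the Log4j project's own OSS-Fuzz harness and not Jazzer code. It assumes a Jazzer release and a log4j-core/log4j-api pair on the classpath; the class name, the log message shape and the hypothetical request fields are the author's choices. The target itself contains no check for "${jndi:": the detection comes from Jazzer's sanitizer, which hooks the JNDI lookup call and reports a finding when fuzzer-controlled data reaches it, so the harness only has to route untrusted bytes into a logging call the way a real application would.

```java
// Added example (not the project's own code): a Jazzer fuzz target that
// exercises Log4j the way a web application does, so that Jazzer's JNDI
// lookup sanitizer can flag Log4Shell-style behaviour. Assumes jazzer and
// a log4j-core 2.x jar on the classpath.
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

public class Log4jLookupFuzzer {
    private static final Logger LOGGER = LogManager.getLogger(Log4jLookupFuzzer.class);

    // Jazzer calls this once per generated input. The fuzzer's job is only to
    // get attacker-controlled bytes into a log call; recognising that those
    // bytes caused a remote JNDI lookup is the sanitizer's job, which is what
    // makes the bug class findable without a crash.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        // Hypothetical request fields: a client-controlled header and a path.
        String userAgent = data.consumeString(256);
        String path = data.consumeRemainingAsString();

        // On an affected Log4j 2 release the formatted message, parameters
        // included, is still subject to ${...} lookup substitution, so a
        // parameter is as dangerous as the format string itself. Logging a
        // parameterised message therefore reproduces the real-world pattern
        // rather than a contrived one.
        LOGGER.info("GET {} from UA={}", path, userAgent);
    }
}
```

Run the target twice: once against a log4j-core 2.x release at or before 2.14.1, where Jazzer should report the remote lookup within seconds, and once against a patched release (2.17.1 or later), where the same harness should run clean. The second run is the check that the finding is real and not an artefact of the harness; with Jazzer's command-line runner that is `jazzer --cp=<log4j jars>:<harness classes> --target_class=Log4jLookupFuzzer`, swapping the jars between runs.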
Sent Yes
Tags Vulnerability


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up by an earlier one.