Hello everyone, what kind of testing do you think is necessary in the case of cyber vulnerabilities such as log4j? What would be the test strategy here?
Hi,
I would use OWASP dependency check in a pipeline, and the code developers should be familiar with e.g. Contrast CodeSec Developer Security.
Both tools look at the code from a SAST point of view, with knowledge of the CVEs already existing in the wild. I would always use two tools because no single one fits all.
Yours,
Jogi
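One way to turn "OWASP dependency check in a pipeline" into an actual build gate, as an added example that is not code from this thread or from the OWASP dependency-check project: it reads the JSON report dependency-check writes and fails the job on any finding above an assumed CVSS threshold, or with no score at all. The report field names, the threshold and the CVE ids are assumptions and placeholders.

```python
import json
import sys

# Assumed policy (not from the thread): block the build on CVSS >= 7.0 unless a
# reviewer has explicitly accepted the finding (the role of a suppression file).
FAIL_ON_CVSS = 7.0
ACCEPTED = {"CVE-0000-PLACEHOLDER-LOW"}  # placeholder ids, not real CVEs


def vuln_score(vuln):
    """CVSS v3 base score if present, else v2 score, else -1.0 for 'unknown'."""
    v3, v2 = vuln.get("cvssv3") or {}, vuln.get("cvssv2") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    return float(v2["score"]) if "score" in v2 else -1.0


def blocking_findings(report, threshold=FAIL_ON_CVSS, accepted=ACCEPTED):
    """(dependency file, vuln id, score) for every finding that must fail the build."""
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            vid = vuln.get("name", "?")
            if vid in accepted:
                continue
            score = vuln_score(vuln)
            # An unscored finding is not a free pass: block it so a human triages it.
            if score < 0 or score >= threshold:
                findings.append((dep.get("fileName", "?"), vid, score))
    return findings


# Constructed sample in the shape of a dependency-check JSON report; ids are placeholders.
SAMPLE_REPORT = json.loads("""{"dependencies": [
  {"fileName": "log4j-core-EXAMPLE.jar", "vulnerabilities": [
    {"name": "CVE-0000-PLACEHOLDER-CRIT", "cvssv3": {"baseScore": 10.0}},
    {"name": "CVE-0000-PLACEHOLDER-LOW", "cvssv3": {"baseScore": 3.1}}]},
  {"fileName": "other-lib-EXAMPLE.jar", "vulnerabilities": [
    {"name": "CVE-0000-PLACEHOLDER-OLD", "cvssv2": {"score": 5.0}},
    {"name": "CVE-0000-PLACEHOLDER-NOSCORE"}]}]}""")


def gate(report):
    """Pipeline exit code: 1 (fail) when anything blocks, else 0."""
    findings = blocking_findings(report)
    for dep, vid, score in findings:
        print(f"BLOCK {dep}: {vid} (CVSS {'unknown' if score < 0 else score})")
    return 1 if findings else 0


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    sys.exit(gate(json.load(open(path)) if path else SAMPLE_REPORT))
```

Run it with the path of a real `--format JSON` report as the first argument; with no argument it runs against the constructed sample.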
To add to the above, you can have Rapid7 scanning all your hardware and systems.
As Jogi said, you can use a dependency checker such as Snyk to do some SAST & DAST. Besides that, you can always run an active scan using ZAP or Burp Suite (or any other tool), which now have standard (or via plugin) log4j payloads in them.
Knowledge of all CVEs is impossible, but actively looking at zero-days is recommended. Even following the social media of frameworks like Snyk, which will actively post about it, and people will create awareness around it.
What you can also do is a bit more white-boxed: you know what systems and versions you use, so use that knowledge to go to the exploit-db search for your versions and see what vulnerabilities there are for you, then manually try to exploit them or just report them to your team.