top | item 23364598

butner | 5 years ago

Timing aligns with Salt vulnerabilities (CVE-2020-11651 and CVE-2020-11652)?

https://blog.f-secure.com/new-vulnerabilities-make-exposed-s...

thephyber | 5 years ago

Those were pretty well publicized CVEs when they were patched.

On the assumption that this data breach was caused by those CVEs (which I think were even publicized by the US CISO / NSA), how does the average website-hosting company find out about CVEs that apply to their stack in a timely manner? (Note: I'm playing devil's advocate, but would seriously like to hear realistic answers.)

g_p | 5 years ago

My answer is probably a bit cynical, but I believe it's accurate. The average when it comes to security and patching is pretty low, so on average, a hosting company probably doesn't find out about it, or patch it.

The majority of companies I've seen operations at didn't have people trawling the web looking for these kinds of issues. In theory you can sign up to get CVE notifications, and hopefully the software vendor will put a message on a mailing list. Whether anyone subscribed to that list is another question, and whether anyone reacts to it is another matter.

The challenge for most orgs I've seen would be even determining what tools (and versions) they need to keep on top of updates for. In a case like Salt, however, I imagine that short of being on their list (if they have one), most people's best hope is that one of their team sits on Hacker News all day, monitors relevant security resources, and knows Salt is used.

Even big CAs don't get it right - the Salt attack was used against one of the certificate transparency servers. Clearly there's a gap between the theory and practice here.
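The thread's practical point is that you cannot react to an advisory unless you already know which hosts run the affected product at an affected version. The script below is an added example, not code from the thread or from SaltStack: it matches a constructed host inventory against advisory entries expressed as version ranges and reports the exposed hosts. The inventory, host names and the openssh/nginx entries are made up; the Salt fixed versions (2019.2.4 and 3000.2) follow the SaltStack release notes for these two CVEs, but the `[min, max)` ranges are a simplification of the vendor advisory and should be checked against it before use.

```python
"""Match a software inventory against advisory version ranges.

Added example: finds hosts whose installed product version falls inside an
advisory's affected range. All inventory data below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed inventory: host -> {product: installed version}. In practice this
# would come from a CMDB, an SBOM, or a package query run by the config tool.
INVENTORY: Dict[str, Dict[str, str]] = {
    "salt-master-01": {"salt": "2019.2.3", "openssh": "7.9p1"},
    "salt-master-02": {"salt": "3000.1", "openssh": "8.2p1"},
    "salt-master-03": {"salt": "3000", "openssh": "8.2p1"},
    "web-01": {"salt": "3000.2", "nginx": "1.18.0"},
    "build-01": {"salt": "2019.2.4", "nginx": "1.18.0"},
    "legacy-01": {"salt": "2018.3.4"},
}


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    # Affected ranges as (min inclusive, max exclusive) version strings.
    affected: Tuple[Tuple[str, str], ...]


# Salt shipped fixes in 2019.2.4 and 3000.2 (SaltStack release notes). The
# ranges below are a simplification assumed for this example: everything below
# 2019.2.4, and the 3000 branch below 3000.2. Older unsupported branches are
# covered by the first range.
SALT_RANGES = (("0", "2019.2.4"), ("3000", "3000.2"))

ADVISORIES: List[Advisory] = [
    Advisory("CVE-2020-11651", "salt", SALT_RANGES),
    Advisory("CVE-2020-11652", "salt", SALT_RANGES),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2019.2.3' or '7.9p1' into a comparable tuple of ints.

    Only the leading digits of each dot-separated component are used, so a
    packaging suffix like 'p1' does not break the comparison. A component with
    no leading digits becomes 0.
    """
    parts = []
    for component in version.split("."):
        match = re.match(r"\d+", component)
        parts.append(int(match.group(0)) if match else 0)
    return tuple(parts)


def is_affected(version: str, ranges: Tuple[Tuple[str, str], ...]) -> bool:
    """True if version lies in any [min, max) range.

    Python compares tuples lexicographically, so (3000,) < (3000, 2) and
    (2019, 2, 3) < (2019, 2, 4), which is the ordering we want here.
    """
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def find_exposed(
    inventory: Dict[str, Dict[str, str]], advisories: List[Advisory]
) -> List[Tuple[str, str, str, str]]:
    """Return sorted (host, product, version, cve) tuples for exposed hosts."""
    hits = []
    for host, products in inventory.items():
        for adv in advisories:
            version = products.get(adv.product)
            if version is not None and is_affected(version, adv.affected):
                hits.append((host, adv.product, version, adv.cve))
    return sorted(hits)


def main() -> None:
    for host, product, version, cve in find_exposed(INVENTORY, ADVISORIES):
        print(f"{host}: {product} {version} affected by {cve}")


if __name__ == "__main__":
    main()
```

The point of keeping the version parser and the range check as separate functions is that the inventory query is the hard part operationally; once it exists, adding a new advisory is one `Advisory(...)` entry, and the same check can be rerun every time a feed you subscribe to publishes a new range.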