
There's an update blog post on this from Cloudflare's product security manager:

https://ejj.io/blog/fixing-capital-one

The linked Wyden letter makes for interesting reading too:

> "While it is likely that Amazon has known that its AWS product was vulnerable to SSRF attacks since the first high-profile demonstration by a security researcher in 2014, the company has certainly known since mid-2018 at the latest. In August of 2018, Amazon's security team was contacted by email by a cybersecurity expert, who recommended that Amazon adopt the same cybersecurity defense against SSRF already used by Google and Microsoft. A copy of that email is attached. Amazon failed to act on this third-party report and has not provided an explanation for its inaction."



We aren't going to see real change until vendors start facing consequences for their negligence. Yes, the criminals who exploit these vulnerabilities should go to prison, but there also need to be consequences for companies that don't bother patching vulnerabilities when they know better.


> The problem is common and well-known, but hard to prevent and does not have any mitigations built in to the AWS platform.

Does anyone know if this is fixed by AWS now?



Partial mitigation. It's not SSRF "proof" but I suppose nothing really is.
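Since the platform-side mitigation is only partial, the application still has to refuse to fetch internal destinations on a user's behalf. Below is an added example (not from the thread, the linked blog, or any AWS code) of such an egress check in Python: it resolves the target host, checks every returned address against loopback, link-local (where the instance metadata service lives) and RFC 1918 ranges, and unwraps IPv4-mapped IPv6 literals; `stub_resolve`, `STUB_DNS` and the hostnames in it are constructed stand-ins so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Address ranges a server-side fetcher must never reach on a user's behalf:
# loopback, link-local (where the EC2 instance metadata service lives),
# RFC 1918 private space and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

def is_blocked_ip(ip_str):
    addr = ipaddress.ip_address(ip_str.split("%")[0])  # drop IPv6 scope id
    if addr.version == 6 and addr.ipv4_mapped:         # ::ffff:a.b.c.d -> a.b.c.d
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)

def check_outbound_url(url, resolver=socket.getaddrinfo):
    """Return (allowed, reason). Every resolved address is checked, so a
    hostname that mixes public and internal records is rejected too."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parsed.hostname:
        return False, "missing host"
    try:
        records = resolver(parsed.hostname, parsed.port or 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return False, "unresolvable host"
    for record in records:
        ip = record[4][0]
        if is_blocked_ip(ip):
            return False, f"{parsed.hostname} resolves to blocked address {ip}"
    return True, "ok"

# Constructed offline stand-in for socket.getaddrinfo (hypothetical names).
STUB_DNS = {"example.com": ["93.184.216.34"],
            "rebind.example": ["93.184.216.34", "10.0.0.5"]}

def stub_resolve(host, port, **kwargs):
    try:
        ipaddress.ip_address(host)
        ips = [host]                      # IP literal: returned as-is, no lookup
    except ValueError:
        if host not in STUB_DNS:
            raise socket.gaierror("stub: unknown host")
        ips = STUB_DNS[host]
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in ips]
```

The check is only as good as what happens next: the fetch must connect to the address that was checked rather than resolve the hostname a second time, or a record that changes between check and use slips through. Redirect targets need the same check on every hop.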
