Vulnerability Databases: sifting thousands
tons of verbal ore
May, 2018
2
#whoami
Alexander Leonov
Lead security analyst at
6+ years at Vulnerability Management vendor
Security Automation Blog at avleonov.com
Problems
3
Poorly described vulnerabilities in Vulnerability Databases
Incomplete Knowledge Bases of Vulnerability Scanners
Imperfections in Vulnerability Detection mechanisms
Declared and real-life Vulnerability Management processes
Public Vulnerability Databases
4
Individual Vulnerabilities (CVE):
Each vulnerability in each product
One vulnerability - one ID
Security Bulletins (RHSA, DSA):
Vulnerabilities in some / their own products
There may be entities "multiple vulnerabilities in product N", usually fixed by single patch
Commercial Vulnerability Scanners and Aggregators
Public Vulnerability Databases
5
Individual Vulnerabilities: BDU FSTEC, JVN
Security Bulletins: KB, MS; USN, CESA; RHSA, DSA, MFSA
Government
All software in repository
Open and formalized detection rules
Databases of Individual Vulnerabilities
6
Full coverage
Trash
Incomplete
coverage
Only critical
Bug Feature Vulnerability
Everything is linked by CVE
7
CVSS, CPE
Vendor’s Advisory id
Bug
Exploit DBs
Media
remediation strategy
CERTs
…
How to evaluate criticality?
8
CVSS (Common Vulnerability Scoring System)
CWE (Common Weakness Enumeration)
Textual description of the vulnerability
Links to exploits
Links to malicious software
Exploitability flags in Vulnerability Scan reports
Vulnerabilities in NVD
9
Id
Date
CVSS
Description
10
Link Link type
CWE
CPE
Vulnerabilities in NVD
11
CVSS vector
Publicly available
Unavailable and
constantly changing
It is necessary to evaluate it by yourself
12
CWE IDs in NVD
13
Interesting CWE IDs
CWE-94 'Code Injection'
CWE-95 'Eval Injection'
CWE-400 'Resource Exhaustion'
14
CWE is used in a strange way
CWE Name Amount
CWE-119 Buffer Errors 9516
CWE-79 Cross-Site Scripting (XSS) 7920
CWE-264 Permissions, Privileges, and Access Control 6021
CWE-20 Input Validation 4896
CWE-89 SQL Injection 4552
CWE-200 Information Leak / Disclosure 4196
15
CWE is used in a strange way
It is better to analyze the description
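The NVD record fields listed on slides 9 and 10 (id, date, CVSS, description, links with their type, CWE, CPE) and the advice here to analyze the description rather than trust the CWE label come together in the following added example, which is not code from the talk. The sample item is constructed and follows the legacy NVD JSON 1.1 feed layout (an assumption of this example; the NVD 2.0 API uses different paths); the CVE id, URLs and CPE names in it are placeholders.

```python
"""Extract the per-vulnerability fields discussed on the slides from an NVD JSON
1.1 feed item, then derive an impact label from the description text because the
CWE alone (here a generic CWE-20) says nothing about remote code execution.
Added example; SAMPLE_ITEM is a constructed record, not a real NVD entry."""
import json
import re

SAMPLE_ITEM = json.loads('''
{
  "cve": {
    "CVE_data_meta": {"ID": "CVE-0000-0001"},
    "problemtype": {"problemtype_data": [{"description": [{"value": "CWE-20"}]}]},
    "references": {"reference_data": [
      {"url": "https://vendor.example/advisory/1", "tags": ["Vendor Advisory"]},
      {"url": "https://exploits.example/1", "tags": ["Exploit", "Third Party Advisory"]}
    ]},
    "description": {"description_data": [{"lang": "en", "value":
      "Example CMS before 7.58 allows remote attackers to execute arbitrary code via a crafted request."}]}
  },
  "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
    {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:example:cms:7.32:*:*:*:*:*:*:*"},
    {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:example:cms:7.57:*:*:*:*:*:*:*"},
    {"vulnerable": false, "cpe23Uri": "cpe:2.3:a:example:cms:7.58:*:*:*:*:*:*:*"}
  ]}]},
  "impact": {"baseMetricV3": {"cvssV3": {
    "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8}}},
  "publishedDate": "2018-03-29T07:29Z"
}
''')

# Phrases in NVD descriptions that carry more information than the CWE label.
IMPACT_PATTERNS = {
    "remote_code_execution": re.compile(r"execute arbitrary (?:code|commands)", re.I),
    "information_disclosure": re.compile(r"read arbitrary|obtain sensitive|disclos", re.I),
    "denial_of_service": re.compile(r"denial of service|crash", re.I),
    "remote": re.compile(r"\bremote attackers?\b", re.I),
}


def flatten_cpes(nodes):
    """Walk configuration nodes (which may nest 'children') and yield vulnerable CPEs."""
    for node in nodes:
        for match in node.get("cpe_match", []):
            if match.get("vulnerable"):
                yield match["cpe23Uri"]
        yield from flatten_cpes(node.get("children", []))


def summarize_item(item: dict) -> dict:
    """Flatten one feed item into the fields a vulnerability analyst actually reads."""
    cve = item["cve"]
    description = next(
        (d["value"] for d in cve["description"]["description_data"] if d.get("lang") == "en"), "")
    cvss = item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3", {})
    refs = cve["references"]["reference_data"]
    return {
        "id": cve["CVE_data_meta"]["ID"],
        "date": item.get("publishedDate"),
        "cvss_vector": cvss.get("vectorString"),
        "cvss_score": cvss.get("baseScore"),
        "description": description,
        "cwe": [d["value"] for p in cve["problemtype"]["problemtype_data"] for d in p["description"]],
        # (url, link type) pairs: the tags are the "Link type" column from the slide
        "links": [(r["url"], tuple(r.get("tags", []))) for r in refs],
        "cpe": list(flatten_cpes(item.get("configurations", {}).get("nodes", []))),
        "has_exploit_link": any("Exploit" in r.get("tags", []) for r in refs),
        # what the text says, independent of the (often too coarse) CWE
        "impact_from_text": sorted(k for k, rx in IMPACT_PATTERNS.items() if rx.search(description)),
    }


if __name__ == "__main__":
    for key, value in summarize_item(SAMPLE_ITEM).items():
        print(key, "=", value)
```

Run on the sample, the CWE says only "Input Validation" while the description yields remote code execution by unauthenticated remote attackers plus an exploit reference, which is the information a prioritisation decision actually needs.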
16
CPE is good when it was set correctly
CPE statistics. What does it show? Anything?
17
Top 20 Products By Total Number Of Vulnerabilities in NVD
• Poorly written software?
• Popular products that are more often analyzed?
• Products of some responsible vendor who lists all vulnerabilities publicly?
…
CPE statistics. What does it show? Anything?
18
Top 20 Vendors By Total Number Of Vulnerabilities in NVD
• Poorly written software?
• Popular products that are more often analyzed?
• Products of some responsible vendor who lists all vulnerabilities publicly?
…
19
Information about vulnerability comes from the vendor
https://securityadvisories.paloaltonetworks.com/Home/Detail/94
https://bdu.fstec.ru/vul/2017-02120
20
Information about vulnerability comes from the vendor
https://securityadvisories.paloaltonetworks.com/Home/Detail/91
https://bdu.fstec.ru/vul/2017-02237
21
Certificate cancellation
Information Security Threats Data Bank (Банк данных угроз безопасности информации)
https://fstec.ru/en/napisat-razrabotchiku/64-normotvorcheskaya/informatsionnye-i-analiticheskie-materialy/1516-informatsionnoe-soobshchenie-fstek-rossii-ot-1-fevralya-2018-g-n-240-24-554
…
22
“The 2012 certificates mentioned expire in April 2018. They are so old that they apply to devices which are not even produced any more: the 2000 and 4000 series, and the operating system version is by now far from 4.0, it is 8.0.”
“To renew these certificates it would have been necessary to show the source code again, and doing that for certificates which expire in 2 months is inefficient. So the Palo Alto Networks office is concentrating on obtaining new certificates for new devices and for the new operating system.”
https://www.securitylab.ru/blog/personal/Morning/343440.php#
Certificate cancellation
From Vulnerability Database to Vulnerability Scanner
23
Vulnerability Base (advisories, exploits, metrics)
+ Detection Rules & Plugins
+ Transports
Vulnerability Scanner
parsers: CVSS, CPE; Vendor’s Advisory id; Bug; Exploit DBs; Media; remediation strategy; CERTs; …
Typical Vulnerability Scanner
24
IPs
Task Results
Tasks
Reports
Dynamics
25
Vulnerability Detection
Asset | Service | Vulnerability
Hostname / IP | cpe:/a:drupal:drupal:7.32 | CVE-2018-7600
Data Gathering | Assessment
Version-based
• Without authentication (service banners)
Backported patches =(
26
Vulnerability Detection
Asset | Service | Vulnerability
Hostname / IP | Drupal7-7.32-1+deb8u10 | DSA-4156, CVE-2018-7600
Data Gathering | Assessment
Version-based
• With authentication (packages, registry, files)
Need credentials or agent =(
You need to trust the scanner =(
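Both version-based checks from slides 25 and 26 come down to a version comparison, and the "backported patches" problem is that the comparison has to be done on the distribution's package version, not on the upstream version a banner shows. The following is an added example, not scanner code from the talk: it ports dpkg's version ordering to Python and runs the unauthenticated (banner) and authenticated (package) check on the Drupal host from the slide. The upstream fix version 7.58 is the one Drupal shipped for CVE-2018-7600; the jessie package version 7.32-1+deb8u11 is an assumed value for illustration and should be taken from the DSA-4156 text in practice.

```python
"""Debian/dpkg version comparison plus banner-based vs package-based detection.
Added example; the fixed package version below is an assumption, not a quote
from DSA-4156."""


def _order(c: str) -> int:
    """Sort weight of one character in dpkg's algorithm: '~' < end of string < digits < letters < other."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg does: alternate runs of
    non-digits (compared by _order) and digits (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":      # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():      # longer digit run is the bigger number
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_debian_version(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_debian_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b under dpkg ordering."""
    ea, ua, ra = parse_debian_version(a)
    eb, ub, rb = parse_debian_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


# Constructed asset facts for the Drupal host on the slide.
UPSTREAM_FIXED = "7.58"              # upstream release that fixed CVE-2018-7600
PACKAGE_FIXED = "7.32-1+deb8u11"     # ASSUMED jessie fixed version; take the real one from DSA-4156


def vulnerable_by_banner(banner_version: str, upstream_fixed: str = UPSTREAM_FIXED) -> bool:
    """Unauthenticated check: only the upstream version is visible, so a backported fix is invisible."""
    return compare_debian_versions(banner_version, upstream_fixed) < 0


def vulnerable_by_package(package_version: str, package_fixed: str = PACKAGE_FIXED) -> bool:
    """Authenticated check: the distribution revision carries the backport, so it counts."""
    return compare_debian_versions(package_version, package_fixed) < 0


if __name__ == "__main__":
    print(vulnerable_by_banner("7.32"))                 # True: banner says 7.32 < 7.58
    print(vulnerable_by_package("7.32-1+deb8u10"))      # True: one revision short of the fix
    print(vulnerable_by_package("7.32-1+deb8u11"))      # False, although the banner still says 7.32
```

The last two calls are the whole point of slide 26: a host patched to 7.32-1+deb8u11 still answers "7.32" on the wire and stays a false positive for the banner check, while one revision earlier it is a true positive for both. The price is credentials or an agent on the host, and a scanner whose package-version data you have to trust.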
27
Something is already working
asset_id == 'asset_98UNJ4K' | type == 'vulnerability' | bulletinFamily == 'NVD'
Search queries inspired by Splunk (or Bash):
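One way to evaluate such queries, as an added example that is not the talk's own implementation: the assumption here is that every `|` stage is a filter applied to the output of the previous stage, so the query reads like a Bash pipeline of greps over vulnerability records. Only `==` and `!=` against single-quoted strings are supported, and the records are constructed sample data in the shape the slide's query expects.

```python
"""Minimal evaluator for the pipe-separated search syntax on the slide.
Added example; RECORDS are constructed (the CVE and DSA ids from the slides are
used as sample values, the other ids are placeholders)."""
import re

# one stage:  field == 'value'   or   field != 'value'
STAGE_RE = re.compile(r"^\s*(\w+)\s*(==|!=)\s*'([^']*)'\s*$")

RECORDS = [
    {"asset_id": "asset_98UNJ4K", "type": "vulnerability", "bulletinFamily": "NVD", "id": "CVE-2018-7600"},
    {"asset_id": "asset_98UNJ4K", "type": "vulnerability", "bulletinFamily": "debian", "id": "DSA-4156"},
    {"asset_id": "asset_98UNJ4K", "type": "exploit", "bulletinFamily": "exploitdb", "id": "EXPLOIT-0001"},
    {"asset_id": "asset_00AAAA", "type": "vulnerability", "bulletinFamily": "NVD", "id": "CVE-0000-0002"},
]


def parse_query(query: str):
    """Split the query on '|' and parse each stage into (field, operator, value).
    Raises ValueError on a stage that is not 'field == value' / 'field != value'."""
    stages = []
    for raw in query.split("|"):
        match = STAGE_RE.match(raw)
        if not match:
            raise ValueError("cannot parse stage: %r" % raw)
        stages.append(match.groups())
    return stages


def run_query(query: str, records):
    """Apply the stages left to right; each one narrows the rows the previous one kept.
    A missing field never equals anything, so 'field != x' keeps rows without that field."""
    rows = list(records)
    for field, op, value in parse_query(query):
        if op == "==":
            rows = [r for r in rows if field in r and str(r[field]) == value]
        else:
            rows = [r for r in rows if not (field in r and str(r[field]) == value)]
    return rows


if __name__ == "__main__":
    query = "asset_id == 'asset_98UNJ4K' | type == 'vulnerability' | bulletinFamily == 'NVD'"
    for row in run_query(query, RECORDS):
        print(row["id"])       # CVE-2018-7600
```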
28
With exploitation attempt
It can’t be done for all vulnerabilities =(
It's hard to do =(
Potentially dangerous =(
Vulnerability Detection
29
Are all Vulnerability Scanners the same?
A Platforms (OSes)
x B Software Vendors making products for Platform
x C Products made by each Software Vendor
x D Vulnerabilities in each Product
x E Vulnerability detection methods (authenticated and unauthenticated)
Knowledge Base of Vulnerability Scanner
30
CVE-based comparison
*based on data
ALL CVEs in NVD: 104794
2018 CVEs in NVD: 2373
31
Exploitability flags
32
https://blog.qualys.com/news/2018/02/27/recline-on-the-qualys-couch-examining-patching-behavior
Recline on the Qualys Couch: Examining Patching Behavior
Real Vulnerability Management processes
33
Tragicomedy of Chip Apocalypse
Spectre
CVE-2017-5753
CVE-2017-5715
Meltdown
CVE-2017-5754
January 03, 2018 Vulnerabilities became public
34
January 03-04, 2018 VM vendors: update immediately
Tragicomedy of Chip Apocalypse
35
January 09, 2018 Microsoft: Windows7 Blue screen after KB4056894
Tragicomedy of Chip Apocalypse
36
January 10, 2018 Ubuntu: Kernel doesn’t boot
Tragicomedy of Chip Apocalypse
37
January 23, 2018 Intel: don't use our patches
Tragicomedy of Chip Apocalypse
38
March 29, 2018 Microsoft: patches created even more critical vulnerability
Spectre
CVE-2017-5753
CVE-2017-5715
Base Score: 7.3, 6.5*
Meltdown
CVE-2017-5754
Base Score: 5.6*
Windows 7 or Server 2008 R2 +
applied Microsoft's Meltdown patches
=> CVE-2018-1038 "Windows Kernel
Elevation of Privilege Vulnerability."
(Base Score: 7.8*)
* CVSS v.3 xforce.ibmcloud.com
…
Tragicomedy of Chip Apocalypse. Stay tuned.
39
April 05, 2018 Intel: we won’t patch some of our older processors against Meltdown and Spectre
Tragicomedy of Chip Apocalypse. Stay tuned.
What should we do with this all?
40
Use multiple sources of data about Vulnerabilities, Exploits and Malware
Use multiple Vulnerability Scanners (don’t rely on them too much)
Use various methods of Vulnerability Detection
Develop your own tools
Questions?
me@avleonov.com
41
Thanks for your attention!

 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 

Vulnerability Databases: sifting thousands tons of verbal ore

  • 1. Vulnerability Databases: sifting thousands tons of verbal ore May, 2018
  • 2. 2 #whoami Alexander Leonov Lead security analyst at 6+ years at Vulnerability Management vendor Security Automation Blog at avleonov.com
  • 3. Problems 3 Poorly described vulnerabilities in Vulnerability Databases Incomplete Knowledge Bases of Vulnerability Scanners Imperfections in Vulnerability Detection mechanisms Declared and real-life Vulnerability Management processes
  • 4. Public Vulnerability Databases 4 Each vulnerability in each product One vulnerability - one ID Vulnerabilities in some / their own products There may be entities "multiple vulnerabilities in product N", usually fixed by single patch RHSA CVE DSA Individual Vulnerabilities Security Bulletins
  • 5. Commercial Vulnerability Scanners and Aggregators Public Vulnerability Databases 5 Individual Vulnerabilities BDU Fstec JVN Security Bulletins KB, MS USN CESA Government RHSA DSA MFSA All software in repository Open and formalized detection rules
  • 6. Databases of Individual Vulnerabilities 6 Full coverage Trash Incomplete coverage Only critical Bug Feature Vulnerability
  • 7. Everything is linked by CVE 7 CVSS, CPE Vendor’s Bug Exploit DBs Media Advisory id remediation strategy CERTs … … …
  • 8. How to evaluate criticality? 8 CVSS (Common Vulnerability Scoring System) CWE (Common Weakness Enumeration) Textual description of the vulnerability Links to exploits Links to malicious software Exploitability flags in Vulnerability Scan reports
  • 11. 11 CVSS vector Publicly available Unavailable and constantly changing It is necessary to evaluate it by yourself
  • 13. 13 Interesting CWE IDs CWE-94 'Code Injection' CWE-95 'Eval Injection' CWE-400 'Resource Exhaustion'
  • 14. 14 CWE is used in a strange way. CWE / Name / Amount: CWE-119 Buffer Errors 9516; CWE-79 Cross-Site Scripting (XSS) 7920; CWE-264 Permissions, Privileges, and Access Control 6021; CWE-20 Input Validation 4896; CWE-89 SQL Injection 4552; CWE-200 Information Leak / Disclosure 4196
  • 15. 15 CWE is used in a strange way It is better to analyze the description
  • 16. 16 CPE is good when it was set correctly
  • 17. CPE statistics. What does it show? Anything? 17 Top 20 Products By Total Number Of Vulnerabilities in NVD • Poorly written software? • Popular products that are more often analyzed? • Products of some responsible vendor who lists all vulnerabilities publicly? …
  • 18. CPE statistics. What does it show? Anything? 18 Top 20 Vendors By Total Number Of Vulnerabilities in NVD • Poorly written software? • Popular products that are more often analyzed? • Products of some responsible vendor who lists all vulnerabilities publicly? …
  • 19. 19 Information about vulnerability comes from the vendor https://securityadvisories.paloaltonetworks.com/Home/Detail/94 https://bdu.fstec.ru/vul/2017-02120
  • 20. 20 Information about vulnerability comes from the vendor https://securityadvisories.paloaltonetworks.com/Home/Detail/91 https://bdu.fstec.ru/vul/2017-02237
  • 21. 21 Certificate cancellation Information Security Threats Data Bank (BDU) https://fstec.ru/en/napisat-razrabotchiku/64-normotvorcheskaya/informatsionnye-i-analiticheskie-materialy/1516-informatsionnoe-soobshchenie-fstek-rossii-ot-1-fevralya-2018-g-n-240-24-554 …
  • 22. 22 “The mentioned 2012 certificates expire in April 2018. They are so old that they apply to devices which are not even produced anymore: the 2000 and 4000 series, and the operating system version is already far from 4.0, it is 8.0.” “To renew these certificates it would be necessary to show the source code again, and doing that for certificates which expire in 2 months is not efficient. Therefore the Palo Alto Networks office is concentrating on obtaining new certificates for new devices and for the new operating system.” https://www.securitylab.ru/blog/personal/Morning/343440.php# Certificate cancellation
  • 23. From Vulnerability Database to Vulnerability Scanner 23 Vulnerability Base advisories exploits metrics + Detection Rules & Plugins + Transports Vulnerability Scanner CVSS, CPE Vendor’s Bug Exploit DBs Media Advisory id remediation strategy CERTs … … … parsers
  • 24. Typical Vulnerability Scanner 24 IPs Task Results Tasks Reports Dynamics
  • 25. 25 Vulnerability Detection Asset Service Vulnerability Hostname / IP cpe:/a:drupal:drupal:7.32 CVE-2018-7600 Data Gathering Assessment Version-based • Without authorization (service banners) Backported patches =(
  • 26. 26 Asset Service Vulnerability Hostname / IP Drupal7-7.32-1+deb8u10 DSA-4156, CVE-2018-7600 Data Gathering Assessment Version-based • With authorization (packages, registry, files) Need credentials or agent =( You need to trust the scanner =( Vulnerability Detection
  • 27. 27 Something is already working asset_id == 'asset_98UNJ4K' | type == 'vulnerability' | bulletinFamily == 'NVD' Search queries inspired by Splunk (or Bash):
  • 28. 28 With exploitation attempt Not for all vulnerabilities it can be done =( It's hard to do =( Potentially dangerous =( Vulnerability Detection
  • 29. 29 Are all Vulnerability Scanners the same? A Platforms (OSes) x B Software Vendors making products for Platform x C Products made by each Software Vendor x D Vulnerabilities in each Product x E Vulnerability detection methods (authenticated and unauthenticated) Knowledge Base of Vulnerability Scanner
  • 30. 30 CVE-based comparison *based on data ALL CVEs in NVD: 104794 2018 CVEs in NVD: 2373
  • 32. 32 https://blog.qualys.com/news/2018/02/27/recline-on-the-qualys-couch-examining-patching-behavior Recline on the Qualys Couch: Examining Patching Behavior Real Vulnerability Management processes
  • 33. 33 Tragicomedy of Chip Apocalypse Spectre CVE-2017-5753 CVE-2017-5715 Meltdown CVE-2017-5754 January 03, 2018 Vulnerabilities became public
  • 34. 34 January 03-04, 2018 VM vendors: update immediately Tragicomedy of Chip Apocalypse
  • 35. 35 January 09, 2018 Microsoft: Windows7 Blue screen after KB4056894 Tragicomedy of Chip Apocalypse
  • 36. 36 January 10, 2018 Ubuntu: Kernel doesn’t boot Tragicomedy of Chip Apocalypse
  • 37. 37 January 23, 2018 Intel: don't use our patches Tragicomedy of Chip Apocalypse
  • 38. 38 March 29, 2018 Microsoft: patches created even more critical vulnerability Spectre CVE-2017-5753 CVE-2017-5715 Base Score: 7.3, 6.5* Meltdown CVE-2017-5754 Base Score: 5.6* Windows 7 or Server 2008 R2 + applied Microsoft's Meltdown patches => CVE-2018-1038 "Windows Kernel Elevation of Privilege Vulnerability." (Base Score: 7.8*) * CVSS v.3 xforce.ibmcloud.com … Tragicomedy of Chip Apocalypse. Stay tuned.
  • 39. 39 April 05, 2018 Intel: we won’t patch some of its older processors against Meltdown and Spectre Tragicomedy of Chip Apocalypse. Stay tuned.
  • 40. What should we do with this all? 40 Use multiple sources of data about Vulnerabilities, Exploits and Malware Use multiple Vulnerability Scanners (don’t rely on them too much) Use various methods of Vulnerability Detection Develop your own tools