Monthly Archives: October 2016

Tenable doesn’t want to be Tenable anymore

“Neither Rapid7”. It’s from the interview of HD Moore, founder of the Metasploit and ex-CRO of Rapid7, that he recently gave to Paul Asadoorian, ex-Product Strategist Tenable, in the latest episode of “Startup Security Weekly”. It’s a great show, strongly recommend it, as well as “Enterprise Security Weekly” and others. See all subscription options available here.

VM Vendors Market

The most interesting part for me is 00:05:00 till 00:10:00. Talking about the best areas for security startups, HD Moore recommended to take a close look on cloud-based WAFs, like Signal Sciences, Cloudflare. It’s relatively easy to find customers for such projects. However it’s very expansive to build it up and investments are required.

HD Moore doesn’t see lot’s of folks building new content-based security products, such as Tenable, Rapid7, Metasploit. It makes him sad and me either. Instead of regular updates of security content and signatures, new companies rely more on things like machine learning. It’s a good start, but it won’t solve all the problems.

Continue reading

Processing Vulners collections using Python

Vulners collection is a zip archive containing all available objects of some type (e.g. CentOS security bulletins or OpenVAS detection plugins) from the Vulners Knowledge Base. Let’s see how to work with this data using powerful Python scripting language. You can read more about Vulners itself at “Vulners – Google for hacker“.

Vulners Collections and python

All collections are listed at https://vulners.com/#stats:

Vulners Stats

Note a gray icon with black arrow. Press it to download particular vulners collection.

OpenVAS collection link: https://vulners.com/api/v3/archive/collection/?type=openvas

If you need to get all objects for further analysis, you don’t need to make huge amount simmilar Search API requests. You just need to download one file. It’s takes less time and efforts and makes less load on Vulners service.
Continue reading

F-Secure API for scanning

This post will be about API of F-Secure Radar. API become a crucial feature when you have to scan a range of thousands hosts and you can’t just add it in one Vulnerability Scanning task. As I mentioned earlier in “F-Secure Radar Vulnerability Management solution” Vulnerability Scanning in Radar is for known active IPs only, for ranges – Discovery Scans. Basically, in F-Secure Radar there is always one vulnerability scan for one host. Unusual concept, but it have some advantages. And it’s quite convenient when you work with Radar via API.

So, my plan for this post is to get active IPs from discovery scan report, create vulnerability scans, run them and get reports. All using API.

To use API you need to get API key at “F-Secure Radar -> Settings -> My profile”.

F-Secure Radar API key

To check that API is working we may send a request:

GET /v1/Scans/Types HTTP/1.1
Host: api.radar.f-secure.com
Content-Type: application/json; charset=utf-8
UserName: radar_user@corporation.com
APIKey: JDOBH9MV24ZOENMS94QCO8QP

Continue reading

F-Secure Radar ticketing

I personally don’t use ticketing systems integrated in VM solutions. I think it’s hard to explain IT guys why they should use yet another ticketing system for patching tasks only additionally to their main Jira or whatever they use (see “Vulnerability scanners: a view from the vendor and end user side“).

But I assume that for some companies this feature may be useful or even critical.

Anyway, it’s always nice to see how the vendor works with vulnerability data to get some ideas for own ticketing procedures (see “VM Remediation using external task tracking systems“).

In F-Secure Radar you can create tickets at “Vulnerabilities” tabs. Here is the a whole list of detected vulnerabilities (filtered by CVSS > 8 by default).

F-Secure Ticketing

Continue reading

F-Secure Radar basic reporting

In previous post about Radar (“F-Secure Radar Vulnerability Management solution“) I was describing how to use it for authenticated and unauthenticated scanning both inside and outside of your network.

But what about the vulnerability reports?

To get vulnerability report you should open Reporting Tab. As you can see, Radar supports reports for single scan results and summary reports. I don’t actually a big fan of standard vulnerability summary reports, because in practice you will always need to change something in them, and it’s impossible in most cases.

F-Secure Radar reports

I have filtered only Linux OS scans using filter. You can also filter by friendly name (some id, that you can set manually), host name/ip , time of scanning, responsible person, severity level, scan group or even by scan tags.

Radar Filters

Continue reading