It’s time to write about Positive Hack Days 8: Digital Bet conference, which was held May 15-16 at the Moscow World Trade Center. It was the main Russian Information Security event of the first half of 2018. More than 4 thousand people attended! More than 50 reports, master classes and round tables held in 7 parallel streams. And, of course, impressive CTF contest for security experts and hackers with an fully-functioning model of the city.

I was very pleased that there was a separate section dedicated to Vulnerability Management. Something similar happened only at ISACA meetup last year. But here we had an event for several thousand people!

The session was held in Fast Track format: 20 minutes for the presentation and questions. I was the first to speak. My report was called “Vulnerability Databases: sifting thousands tons of verbal ore”. Here is the video:

And here’s a link to the version with only Russian sound track.

Slides at Slideshare:

I was talking about different Vulnerability Bases (see “Vulnerability Databases: Classification and Registry“), criticized how vulnerabilities are described in the National Vulnerability Database (CVSS, CWE, CPE). I mentioned last year’s case with Palo Alto and Russian Vulnerability Database BDU Fstec, when the vendor suffered for its own honesty.

Then I described how a vulnerability scanner (for example, my scanner Vulchain) detects vulnerabilities and why detection methods are imperfect.

Finally, I talked about the processes: how Patch and Vulnerability Management works in the real-life companies (used Qualys data for MS17-010) and why sometimes it’s better to do nothing than to follow all VM vendor’s recommendations (Spectre and Meltdown case).

By the way, I made English voice-over (dubbing) for this video using my own Python scripts and some third-party Text To Speech (TTS) service. Not so bad, right? 🙂 I was in a pleasant shock how TTS engines have progressed in recent years.

So if you need to convert subtitles into audio track and to translate your videos into any language in such way, feel free to contact me@avleonov.com 😉

Other reports in our session were also very interesting:

• Mikhail Parfenov spoke about “Vulnerability management in a large infrastructure”. He shared the experience in implementation and automation of the vulnerability management process in his company. A very interesting part was about the documents they developed for the Vulnerability Management process.
• Mikhail Aksenov presented a platform designed to combine tools and methods for perimeter monitoring. His report was called “Gathering scanners under one roof”. He told in detail about the problems of scanner orchestration. Rostelecom is going to make this platform open source, so I think testing this engine will be quite interesting.
• Emil Altynbaev in the report “To SIEM or not to SIEM” shared his experience in using an alternative approach (without SIEM) for information security event monitoring and incident response.

The entertainment program this year was great. Positive Technologies organized “Positive Hard Days” (rus) music festival and contest. It’s very cool that some of the groups performed songs related to IT Security culture. For example “I love my computer” by Bad Religion.

Dear organizers, if you are going to repeat this, can you make a special nomination for songs about IT Security? Like the song nomination in Pwnie Awards. I think it might be awesome. 😉

In conclusion

Many thanks to the organizers for a separate session about Vulnerability Management. I hope next year we will repeat this session in even bigger scale. It’s a bit pity that this year’s presentations in the Seliger hall were not translated into English. Simultaneous interpretation is pretty expensive, but still. 🙂 However, video recording was as always top-notch. Thanks for the event!

Alexander Leonov

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.