Monthly Archives: April 2021

AM Live Vulnerability Management Conference Part 2: What was I talking about there

Hello all! It is the second part about AM Live Vulnerability Management conference. In the first part I made the timecodes for the 2 hours video in Russian. Here I have combined all my lines into one text.

What is Vulnerability Management?

Vulnerability Management process is the opposite of the admin’s saying “If it works – don’t touch it!”. The main idea of this process is to somehow fix the vulnerabilities. How do you achieve this is not so important. Maybe you will have a nice Plan-Do-Check-Act process and strict policies. Maybe not. The main thing is that you fix vulnerabilities! And the main problem is to negotiate this regular patching with system administrators and service owners.

Continue reading

AM Live Vulnerability Management Conference Part 1: Full video in Russian + Timecodes in English

Hello all! 2 weeks ago I participated in the best online event fully dedicated to Vulnerability Management in Russia. It was super fun and exciting. Thanks to all the colleagues and especially to Lev Paley for the great moderation! I have talked out completely. Everything I wanted and the way I wanted. It seems that not a single hot topic was missed.

AM LIve: Vulnerability Management conference

You can see the two hours video below. It is in Russian. And it’s pretty complicated to translate it all. I won’t event try. ? If you don’t understand Russian you can try auto-generated and auto-translated subtitles on YouTube, but the quality is far from ideal.

To give you the idea what we were talking about I added the timecodes in English.

Timecodes

Section 1. Vulnerability Management Process and Solutions

  • 5:18 Vulnerability Management Process Definition
  • 10:53 Vulnerability Management is the opposite of the admin’s saying “If it works – don’t touch it!” The main thing in the process is to somehow fix the vulnerabilities. (Leonov)
  • 12:30 Sometimes a basic vulnerability scanner and Jira is already a Vulnerability Management solution (Leonov)
  • 13:30 Difference between Vulnerability Management Solutions and Vulnerability Scanners
  • 17:09 Vulnerability Management and Vulnerability Scanners: in our restaurant we call rusks “croutons”, because a rusk cannot cost $8, but crouton can” (Leonov)
  • 23:00 Licensing schemes, delivery options and costs
  • 28:48 Module-based licensing and the situations when modules can be excluded from the subscription (Paley)
  • 30:24 Commercial Vulnerability Management solutions are expensive, especially when licensed per host (Leonov)
  • 31:00 Maxpatrol unlimited licenses (Bengin)
  • 34:08 Perimeter scanning: very critical, low reliability of banner-based detections, it’s better to assess hosts accessible from the Internet with internal authenticated scans. Criticality of the network as an element of scoring. (Leonov)
  • 36:50 The impact of Regulators on the Vulnerability Management Market, a free ScanOVAL tool
  • 39:10 What to do with vulnerabilities in local software products that are not supported by foreign VM vendors?
  • 44:00 When it’s enough to use a free scanner? Could there be a full-functional and free vulnerability scanner? In theory, yes, but it is not clear how the vendor will finance the maintenance of the knowledge base. In practice, we see how such stories collapse. You need to understand the limitations of free products (such as OpenVAS). Including the completeness of the scan results and the ease of building the VM process. (Leonov)
  • 47:19 Poll: what is used in your organization?
Continue reading