CISO Forum 2022: the first major Russian security conference in the New Reality

Hello everyone! After a two-year break, I took part in Moscow CISO Forum 2022 with a small talk “Malicious open source: the cost of using someone else’s code”.

Alternative video link (for Russia): https://vk.com/video-149273431_456239084

CISO Forum is the first major Russian conference since the beginning of The New Reality of Information Security (TNRoIS). My presentation was on exactly this topic: how malicious commits in open source projects change development and operations processes. I will make a separate video about this (upd. added Malicious Open Source: the cost of using someone else’s code). In this episode, I would like to tell you a little about the conference itself.

The CISO Forum has always been sponsored by a large number of foreign vendors. This year there were only 2 foreign companies: Aqua Security from Israel and Senhasegura from Brazil. To some extent, it shows locations where there can be quite independent (and courageous) Information Security vendors. Although the main focus is now, of course, on Russian Information Security vendors.

As usual, I was primarily interested in solutions that can detect vulnerabilities. Even though Tenable and Qualys were absent this year, we talked even more about Vulnerability Management-related issues. Needless to say, the refusal of western VM vendors (as well as other IT and security vendors) to fulfill their obligations defined a new reality of information security. Western vendors have shown themselves to be extremely unreliable. They can instantly disable updates, block functionality, and even revoke licenses. It even seems that they are not selling you a product, but a means of control and pressure. My advice: if there is a possibility that the US may impose sanctions on your country (which is quite real for half of the world), think seriously before buying a western solution. Especially if there are alternatives. But that’s a big topic for another episode. In any case, it is now obvious that Russian VM solutions will become absolutely dominant in the Russian market.

Among Russian solutions for detecting vulnerabilities, the obvious choice is the market leader Positive Technologies and their MaxPatrol VM and MaxPatrol 8. Other options are AltxSoft RedCheck and Echelon ScannerVS. Vulnerability detection is also part of Kaspersky Enterprise Security. The market is already quite competitive and this competition will increase.

Therefore, it was very nice to see a new Vulnerability Management solution at the CISO Forum – Vulns.io VM by Frodex. The solution will be deployed on-premises. It will be able to work with Linux and Windows hosts. The function of automatic patching is declared. It will be very interesting to test and compare. I believe the more variety the better for the end user.

I was also interested in a new solution for Compliance and Configuration Management announced by SPACE BIT. It’s called X-Config. It will be great to see this solution. It seems to me that there are currently not enough solutions of this type, and those that exist are not good enough.

Unfortunately, I was only at the conference in the afternoon, so I didn’t see most of the talks. From what I watched, I liked the presentation by Kirill Ilyin from Sber Auto the most. A very detailed talk on how to build an Application Security process in a company. He mentioned problems with open source and supply chain attacks, which I focused on in my talk.

I liked the event. There were a lot of interesting conversations, I outlined a lot of activities related to testing VM products and developing my own projects. Thanks a lot to the organizers! I hope to participate next year.
