It’s the first part of our talk with Daniil Svetlov at his radio show “Safe Environment” (or “Safe Wednesday” – kind of wordplay in Russian) recorded 29.03.2017. We were discussing why Software Vulnerabilities are everyone’s problem. Full video in Russian without subtitles is available here.
I added manually transcribed Russian/English subtitles to the video:
Why vulnerabilities are dangerous for business and for ordinary people?
How vulnerabilities appear in programs?
How to write code safely?
What motivates vulnerability researchers?
Vulnerabilities as a first step in writing malicious software
We wanted to talk today about software vulnerabilities. Tell me, what is it all about, why are they dangerous for business, for ordinary people and what are the difficulties with their remediation.
Speaking about vulnerabilities, it’s probably worth to tell how they generally appear in programs.
Let’s say we have a company. This company is developing some software. Some programmers work in it. Programmers are also people who also make mistakes. And if some mistakes that are directly related to the functionality of this application, can be detected quite simply in the testing process…
Are you talking about functional testing?
Yes, it is about functional testing.
QA specialists can quickly find these vulnerabilities, or these problems, these bugs. Some problems can not be detected in such a simple way. For example, some problems related to security.
Why? Because the main task of the programmers: the program should work.
Today I want to talk today about privacy in a most natural sense. You probably have an internet-connected device with camera an microphone: smartphone, tablet, smart TV, ip camera, baby monitor, etc.
– Can it be used to record video/audio and spy on you?
– Of course, yes!
– Only government and device vendor has resources to do it?
– Not really
The sad truth is: most of internet-connected devices have security problems, and, unlike traditional desktops and servers, it’s much harder to patch them. Even if the vendor fixed the issue. The customers, average people, just don’t bother themselves to do it. Each week it’s become easier to access user data and even get full control over device. Hackers and pranksters may do it just for lulz, because they can.
Today I would like to write about a popular type of “security research” that really drives me crazy: when author takes public Vulnerability Base and, by analyzing it, makes different conclusions about software products or operating systems.
The article is based on Flexera/Secunia whitepaper. The main idea is that various security software products are insecure, because of amount of vulnerability IDs related to this software existing in Flexera Vulnerability Database. In fact, the whole article is just a listing of such “unsafe” products and vendors (IBM Security, AlienVault USM and OSSIM, Palo Alto, McAfee, Juniper, etc.) and the expert commentary: cybercriminals may use vulnerabilities in security products and avoid blocking their IP-address; customers should focus on the security of their proprietary code first of all, and then include security products in the protection scheme.
What can I say about these opuses of this kind?
They provide “good” practices for software vendors:
Hide information about vulnerabilities in your products
Westworld is a TV show about the problems of corporate Information Security. Really.
Look, Delos Corporation actively uses legacy code, which was written 30 years ago. No one has an idea of how it works and it can not be just thrown away. Bugs, critical vulnerabilities and even backdoors appeared in core of the hosts regularly. They couldn’t be fixed and patched. In most cases only some compensatory measures were applied. And they were not applied systematically.
17-18 November I was at the great event —Zero Nights security conference in Moscow. For the first time as a speaker. Being a part of such famous and prestigious security event was very exciting. There were three of us, Ekaterina Pukhareva, Alex Smirnoff and me, and only 20 minutes available for all. I was talking mainly about VM solution problems and custom reporting/ticketing, Ekaterina shared some experience in using Tenable SecurityCenter for Vulnerability and Compliance management, and Alex was talking mainly about Asset and Risk Management.
Presentation was recorded and some time later video will be available on YouTube. However, I suppose audio will be only in Russian not earlier than February 2017. So I think it will be a much more useful to share some points of the presentation right now. Lucky here I don’t have any time restrictions. =)
The first thing to say about Vulnerability Scanners and Vulnerability Management product is that there are plenty of them. On this picture I mentioned some of the products/vendors.
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at email@example.com or contact me any other way.