Category Archives: Concept

My thoughts on the “2021 Gartner Market Guide for Vulnerability Assessment”. What about the quality?

The Gartner Vulnerability Management Reports are one of the few marketing reports that I try to read regularly. This started back in the days when I was working for a VM vendor doing competitive analysis. Gartner is one of the few organizations that think about Vulnerability Assessment and Vulnerability Management and clearly articulate where we are and where we are going.

I got a free reprint of “2021 Gartner Market Guide for Vulnerability Assessment” from the Tenable website. Thanks a lot to them for that.

Let’s start with what I liked:

  1. It’s great that Gartner has made vulnerability prioritization technology (VPT) a separate class of solutions, that do not detect vulnerabilities themselves, but work with them. For example, Kenna or my Vulristics. And it could be additional functionality like Tenable VPR.
  2. I liked the focus on EDR as a promising VM replacement. Especially, Microsoft solutions (Defender for Endpoint or as was mentioned in the report Microsoft’s Threat & Vulnerability Management, TVM).
  3. It’s nice that various areas related to Vulnerability Management have been mentioned: Pentest, Bug Bounty, Breach and Attack Simulation (BAS).
  4. An interesting diagram that shows that VA is primarily about “Assess” and “Asset Management”, VPT is primarily about “Prioritize” and “Workflow Management”, BAS is primarily about “Compensate” and “Security Controls”.

Now what I didn’t like. I have one pain point – the quality of the scanning. And here, on the one hand, something was said, but on the other, it was not enough and not as definite as I would like. Market Direction is the most interesting section of the document. And it was the most painful to read.

Continue reading

Add new features to Notepad++ using Python scripts: keyboard shortcut to insert current time

I have to say, I spend a lot of time daily in Notepad++ text editor for Windows. I keep my “logbook” there. I record what I am doing now and what needs to be done. This allows me not to keep everything in my head and switch the context more efficiently. I can recommend this to everyone. And it is especially useful to note when you started working on a task and when you finished. This gives an understanding of what actually takes your time. I’m not a fan of very strict and formal techniques such as pomodoro, but using some form of time management is good.

Add new features to Notepad++ using Python scripts: keyboard shortcut to insert current time

Recording timestamps manually is inconvenient. It would be much easier to press a key combination and automatically insert the current timestamp into the document. It turned out that this is possible, and even more – you can get the results of any Python script this way!

Continue reading

Is Vulnerability Management more about Vulnerabilities or Management?

I’ve just read a nice article about Vulnerability Management in the Acribia blog (in Russian). An extract and my comments below.

In the most cases Vulnerability Management is not about Vulnerabilities, but about Management. Just filtering the most critical vulnerabilities is not enough.

Practical Cases:

  1. “Oh, yes, we know ourselves that that everything is bad!” – CVE-2013−4786 IPMI password hash disclosure on > 500 servers. Customer just accepted the risks, Acribia proposed an effective workaround (unbrutable user IDs and passwords). It’s often hard to figure out right remediation measures and implement them. Someone should do it!
  2. “We can download OpenVAS without your help!” – CVE-2018-0171 Cisco Smart Install RCE on 350 hosts. Vulnerability detection rules of several Vulnerability Scanners were not good enough to detect this vulnerability. Do not rely on scanners, know how they work and their limitations.
  3. “If the attackers wanted to hack us, they would have already done it!” – CVE-2017-0144 (MS17-010) Windows SMB RCE on domain controller and several other critical servers. Vulnerability was detected in infrastructure several times, the remediation was agreed with the management, but it was ignored by responsible IT guys. As a result, during the next successful WannaCry-like malware attack the servers, including the DC were destroyed. Vulnerability Management is about the willingness to patch anything, very quickly, as often as required. Otherwise, it makes no sense.

The first Zbrunk dashboard and other news

The long New Year holiday season in Russia was not in vain. I had time to work on Zbrunk. 😉 As you can see, I made my first dashboard and added other features.

The first Zbrunk dashboard

No more timestamps in code

I added functions to get Unix timestamps from lines in human-readable time format, e.g. “2019.12.10 13:00:00”.

Instead of a date, you can use words:

  • Today
  • Yesterday
  • N days ago
  • Beginning of Time
  • End of Time

API requests will continue to support only Unix timestamps.

Continue reading

Zbrunk search launcher and event types statistics

I also changed the priorities. Now I think it would be better not to integrate with Grafana, but to create own dashboards and GUI. And to begin with, I created a simple interface for Searching (and Deleting) events.

upd. 16.12.2019

A small update on Zbrunk. First of all, I created a new API call that returns a list of object types in the database and number of this types for a certain period of time. Without it, debugging was rather inconvenient.

$ curl -k -d '{"get_types":"True", "search": {"time":{"from":"1471613579","to":"1471613580"}}, "output_mode": "json", "max_count":"10000000", "auth_token":"8DEE8A67-7700-4BA7-8CBF-4B917CE23512"}'

{"results": ["test_event"], "results_count": 1, "all_results_count": 0, "text": "Types found", "code": 0}

I also added some examples of working with Zbrunk http API from python3. Rewriting them from pure curl was not so trivial. ? Flask is rather moody, so I had to abandon the idea of making requests exactly the same as in Splunk. ? But the differences are cosmetic. It is now assumed that events will be passed to collector in valid json (not as a file with json events separated by ‘\n’). I also send all params of requests as json, not data. But for the compatibility reasons previous curl examples will also work. ?

CentOS 8 with IceWM Desktop Environment

Do you need CentOS 8 with IceWM as desktop Operating System? Most likely not. Especially if you want it to work smoothly without any worries and troubles. However, if you enjoy playing with new desktop environments, you might find it fun.

CentOS 8 with IceWM desktop environment

My reasons were as follows:

  1. I wanted to use the same Linux distribution for server and desktop. Just to minimize possible surprises during the deployment.
  2. I wanted to know what is going on in the RPM-based part of Linux world. The only way to achieve this is to use such distribution every day.
  3. I was tired of problems with the Virtual Box guest additions in CentOS 7 (yes , I run it all as a virtual machine), especially after the 3.10 kernel updates. It was time to move on.
  4. I didn’t want to use Gnome 3, because it’s slow and ugly (however it’s fully functional!). And there were no other DEs in CentOS 8 repositories at that time.

So, I tried CentOS 8 with IceWM (installed it from source) and it worked. IceWM is small, very fast, ascetic, and in some ways quite intuitive. There were some problems with the clipboard (in xTerm and with VBox shared clipboard) and with language switching, but I figured it out and I think that I would probably continue to use it. Below are some notes on how I installed it and resolved the issues.

Continue reading

Barapass console Password Manager

I decided to publish my simple console Password Manager. I called it barapass (github). I’ve been using It for quite some time in Linux and in Windows (in WSL). Probably it will also work natively in Windows and MacOS with minimal fixes, but I haven’t tried it yet.

Barapass logo

Why do people use password managers?

Well, with password manager it’s possible to avoid remembering passwords and make them arbitrarily complex and long. And no one will be able to brute force them. Of course, you can simply store passwords in text files, but password managers are better than this because:

  • no one will see your password over your shoulder;
  • if an attacker gains access to the files on your host, it won’t possible to read your passwords from the encrypted file or storage (well, ideally);
  • it’s easier to search for objects in the password manager and copy values from it.

I wanted something as simple as editing a text file with the key-value content. And I wanted it to be stored in a secure manner, and security could be easily checked, “simple and stupid”.

Continue reading