Vulnerability Management at Tinkoff Fintech School. In the last three weeks, I participated in Tinkoff Fintech School – educational program for university students. Together with my colleagues, we prepared a three-month practical Information Security course: 1 lecture per week with tests and home tasks.
Each lecture is given by a member of our security team, specialized in one of the following modules: Vulnerability Management, Application Security, Infrastructure Security, Network Security, Virtualization Security, Banking Systems Security, Blue & Red-teaming, etc.
The course is still ongoing, but my Vulnerability Management module is over. Therefore, I want to share my impressions and some statistics.
Tenable IO WAS Chrome Extension. In the comments of the previous post about Tenable IO WAS Fergus Cooney mentioned a new Google Chrome extension for Tenable IO WAS, that should help in configuring scan Authentication setting. You can install it in Chrome Web Store.
The idea is great. Authentication process in modern web applications is actually too complicated for Web Application Scanners. It is almost impossible to determine automatically which elements of the web interface should be clicked and where to enter the login and password. So it’s great that we can help scanner to do this with the Selenium script. And if Selenium IDE is somehow integrated into the scanner, it is even better. With Tenable.io Web Application Scanning Chrome extension you simply perform the authentication procedure in Chrome once manually, and the recorded script will be sent to Tenable IO WAS.
However, the actual implementation of this extension, IMHO, could be better.
Martian Vulnerability Chronicles. Well, there should have been an optimistic post about my vulnerability analysis & classification pet-project. Something like “blah-blah-blah the situation is pretty bad, tons of vulnerabilities and it’s not clear which of them can be used by attackers. BUT there is a way how to make it better using trivial automation“. And so on. It seems that it won’t be any time soon. ¯\_(ツ)_/¯
I’ve spent several weekends on making some code that takes vulnerability description and other related formalized data to “separate the wheat from the chaff”. And what I get doesn’t look like some universal solution at all.
Pretty frustrating, but still an interesting experience and great protection from being charmed by trendy and shiny “predictive prioritization”.
Literally, when you start analyzing this vulnerability-related stuff every your assumption becomes wrong:
that vulnerability description is good enough to get an idea how the vulnerability can be exploited (let’s discuss it in this post);
that CVSS characterizes the vulnerability somehow;
that the links to related objects (read: exploits) can be actually used for prioritization.
Actually, there is no reliable data that can be analyzed, trash is everywhere and everybody lies 😉
Let’s start from the vulnerability description. Great example is the last week critical Linux kernel vulnerability CVE-2019-8912.
First look at Tenable.io Web Application Scanner (WAS). When Tenable firstly announced Web Application Security scanner as a part of their new Tenable.io platform, it was quite intriguing. Certainly, they already had some WAS functionality before in Nessus. For example, path traversal check was pretty good. But this functionality was quite fragmental and barely manageable. How Tenable now write in their docs: “Nessus is incompatible with modern web applications that rely on Javascript and are built on HTML5”.
That’s why Nessus couldn’t be called fully functioning Web Application Scanning solution. However, Tenable.io WAS is a completely new story. The full description is available on official site. Here I will make a very fast review and give some comments.
How to make Email Bot service in Python. First of all, why you may want to use such service? Despite the fact that currently there are so many different channels of communication (including various messaging apps), Email is still a default and universal way to do it.
Literally every enterprise service supports email notifications, even if it’s integration capabilities are rather limited. So, with Email Bot you can automatically process such notifications.
Email is good, simple, reliable and familiar way to communicate with humans. Send an email – get response. Everyone can do it. So, email bot can make basic routine operations, like organizing the external meetings, pretty much like a human secretary.
It’s easier to code Email bot than any other interface, and the code can be reused for other communication channels, for example messaging apps.
I get email messages from IMAP server in python3 using easyimap module.
Who should protect you from Cyber Threats? The world is becoming increasingly dependent on information technologies.
Government. More and more states provide digital services for their citizens and rely complex information systems.
Business. There are no more companies that do not have IT infrastructure (on-premises or cloud). IT processes become the most valuable competitive advantages of the companies.
People. The number of active Internet users is steadily growing. People own a large number of connected devices: from desktops and smartphones to smart homes and cars. Electronic payments (bank cards, Apple pay, PayPal, etc.) replace cash and traditional banking tools.
All these information systems make our life easier and more efficient. They also create the need for a huge amount of various software. This software is developed by people. And people tend to make mistakes. Especially when security is not their priority (when speed is a priority, for example). These errors cause large number of vulnerabilities exploited by attackers.
Regularly, we can hear about exploitation cases that often lead to significant damage. Who should protect us from cyber threats and cybercrime?
No left boundary for Vulnerability Detection. It’s another common problem in nearly all Vulnerability Management products. In the post “What’s wrong with patch-based Vulnerability Management checks?” I wrote about the issues in plugin descriptions, now let’s see what can go wrong with the detection logic.
The problem is that Vulnerability Management vendors, in many cases, have no idea which versions of the Software were actually vulnerable.
OMG?! How this can be true? 🙂 Let’s take an example.
Each vulnerability at some points in time:
was implemented in the program code as a result of some mistake (intentional or not)
Let’s suppose that we have some Software A with released versions 1, 2 … 20.
Just before the release of version 10, some programmer made a mistake (bug) in the code and since the version 10 Software A has become critically vulnerable. Before the release of version 20, Software Vendor was informed about this vulnerability and some programmer fixed it in version 20. Then Software Vendor released a security bulletin: “Critical vulnerabilities in the Software A. You are not vulnerable if you have installed the latest version 20.”
And what does Vulnerability Management vendor? This vendor only sees this security bulletin. It is logical for him to decide that all versions of Software A starting from 1 are vulnerable. So, it will mark installed versions 1 … 9 of the Software A as vulnerable, even so actually they are NOT.
This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.
