Tag Archives: Altx-Soft

Vulnerability Databases: Classification and Registry

What publicly available Vulnerability Databases do we have? Well, I can only say that there are a lot of them and they are pretty different. Here I make an attempt to classify them.

It’s quite an ungrateful task. No matter how hard you try, the final result will be rather inaccurate and incomplete. I am sure someone will be complaining. But this is how I see it. ūüėȬ†If you want to add or change something feel free to make a comment bellow or email me@avleonov.com.

The main classifier, which I came up with:

  • There are individual vulnerability databases in which one identifier means one vulnerability. They try to cover all existing vulnerabilities.
  • And others are security bulletins. They cover vulnerabilities in a particular product or products. And they usually based on on patches. One patch may cover multiple vulnerabilities.

I made this diagram with some Vulnerability Databases. Note that I wanted to stay focused, so there are no exploit DBs, CERTs, lists of vulnerabilities detected by some researchers (CISCO Talos, PT Research, etc.), Media and Bug Bounty sites.

Vulnerability Databases classification

For these databases the descriptions of vulnerabilities are publicly available on the site (in html interface or downloadable data feed), or exist in a form of paid Vulnerability Intelligence service (for example, Flexera).

On one side there are databases of individual vulnerabilities, the most important is National Vulnerability Database. There are also Chinese, Japanese bases that can be derived from NVD or not.

On the other side we have security bulletins, for example RedHat Security Advisories.

And in the middle we have a Vulnerability Databases, for which it is not critical whether they have duplicated vulnerability IDs or not.

Continue reading

Vulnerability Management vendors and massive Malware attacks (following the Bad Rabbit)

After the latest Bad Rabbit ransomware attack all Top VM vendors Qualys, Tenable, Rapid7 wrote blog posts on this topic on the same day. Two days later Tripwire also published own¬† review. Why do they care? They do not make antiviruses, endpoint protection or firewalls – the common tools against this kind of threats. So, what’s the point?

VM vendors BadRabbit

Well, they do it is obviously to promote their products and services. But how exactly?

Continue reading

My comments on Forrester’s “Vulnerability Management vendor landscape 2017”

A top consulting company, Forrester Research, recently published report “Vendor Landscape: Vulnerability Management, 2017“. You can read for free by filling a small form on Tenable web site.

Forrester Vendor Landscape: Vulnerability Management, 2017

What’s interesting in this document? First of all,¬†Josh Zelonis and co-authors presented their version of VM products¬† evolution. It consists of this steps (I have reformulated them a bit for the copyright reasons) :

  1. Initial fear of automated vulnerability assessment tools
  2. Mid-1990s and first productized offerings
  3. Authenticated scanning dramatically improved accuracy of scans
  4. Application scanning (DAST)
  5. Security assessment of software containers and DevOps in general.

As you see, the last one is about containerization. And it is now presented only in Tenable.io/FlawCheck. ūüėČ

Continue reading

Vulners – Google for hacker. How the best vulnerability search engine works and how to use it

Original article was published in Xakep Magazine #06/2016 (in Russian)

vulners.com logo

The common task. –£ou need to find all information about some vulnerability: how critical the bug is, whether there is a public exploit, which vendors already released patches, which vulnerability scanner can detect this bug in the system. Previously, you had to search it all manually in dozens of sources (CVEDetails, SecurityFocus, Rapid7 DB, Exploit-DB, CVEs from MITRE / NIST, vendor newsletters, etc.) and analyze the collected data. Today, this routine can be (and should be!) automated with specialized services. One of these services – Vulners.com, the coolest search engine for bugs. And what is the most important – it’s free and has an open API. Let’s see how it can be useful for us.

What is it?

Vulners is a very large constantly updating database of Information Security content. This site lets you search for vulnerabilities, exploits, patches, bug bounty programs the same way a web search engine lets you search for websites. Vulners aggregates and presents in convenient form seven major types of data:

  • Popular vulnerability databases, containing general descriptions of vulnerabilities and links. For example, well-known NVD CVEs of MITRE US agency and NIST Institute. In addition to this, Vulners supports vulnerability descriptions from various research centers and response teams: Vulnerability Lab, XSSed, CERT, ICS, Zero Day Initiative, Positive Technologies, ERPScan.
  • Vendor’s security bulletins. This bug-reports are published by software vendors and contain information about vulnerabilities in their own products. At current moment Vulners supports various Linux distributions (Red Hat, CentOS, Oracle Linux, Arch Linux, Debian, Ubuntu, SUSE), FreeBSD, network devices (F5 Networks, Cisco, Huawei, Palo Alto Networks), popular and critical software (OpenSSL, Samba, nginx, Mozilla, Opera), including CMS (WordPress, Drupal).
  • Exploits from Exploit-DB, Metasploit and 0day.today. Exploits are parsed and stored in full-text form and you can read the sources in a convenient text editor.
  • Nessus plugins for vulnerability detection. It makes easy to find out whether a particular vulnerability can be detected using this popular network scanner. Why is it important? Read in my article “When a free scanning service detects vulnerabilities better“.
  • Bug disclousers for bug bounty programs. At current moment Vulners supports HackerOne and Open Bug Bounty.
  • Potential vulnerabilities of mobile applications and CMS. It is possible in cooperation with the static application security testing (SAST) vendors Hackapp and InfoWatch APPERCUT.
  • Posts from hacking resources. Vulners collects Threatpost and rdot.org publications, which often cover vulnerability related topics.

All this information is handled, cataloged, structured and is always available for the search.

Continue reading

Altx-Soft ComplianceCheck against cryptolockers and ransomware

ComplianceChecker is a free Compliance Management tool made by Altx-Soft, a security product company from Moscow Region, Russia. Altx-Soft is known abroad mainly as a Top OVAL Contributor, they have been on award-list every quarter since 2012. Their flagman product, RedCheck, is a SCAP-compatible vulnerability and compliance scanner. They also produce family of “Check”-products for controlling and managing Windows operating systems.

Altx-Soft ComplianceChecker scanning results

ComplianceChecker is a promo product for the potential RedCheck buyers. It similar to RedCheck with the most management features cutted off. It can scan only the localhost.

ComplianceChecker is positioned mainly as an utility for SOHO/Home users and it’s not a secret, that on this market Compliance Management solutions are still an exotic. How could they attract the attention of an ordinary people? Altx-Soft took the hottest security topic of 2014-2015 – cryplockers and ransomware, that nowadays are the real threat for literally all kind of platform and especially Windows desktops. Altx-Soft tried to spread the message, that the best way to protect operating system from this kind of malware is to configure it properly. And it’s hard to disagree. So, they made a tool for the security assessment – ComplianceChecker, and made some other tools configure to operating systems (free for RedCheck users). Continue reading