Tag Archives: CVSS

Psychological Aspects of Vulnerability Remediation

In my opinion, Remediation is the most difficult part of Vulnerability Management process. If you know the assets in your organization and can assess them, you will sooner or later produce a good enough flow of critical vulnerabilities. But what the point, if the IT team will not fix them?

Kübler-Ross model and Tsunami of Vulnerability Tasks

Kübler-Ross model and Tsunami of Vulnerability Remediation Tasks

Just think about it. The only thing that your colleagues from  IT team see is an unexpected  tsunami of the patching tasks. They most likely don’t understand WHY they should do it. They most likely don’t know about the concepts of Attack Surface minimization and Attack Cost maximization. From their point of view it’s just some stupid requirements from InfoSec team imposed with only one goal – to make their life miserable.

So, they may think that denial and pushing back can solve all their problems. And, frankly, this may work. There are countless ways to sabotage Vulnerability Remediation. Most main and common are the following:

  • I don’t understand how to patch this.
  • I already patched this, there should be a false positive in the scanner.
  • Why should we patch this? The vulnerability is not exploitable. Or it is exploitable in theory, but not exploitable in our particular infrastructure. Or this server is not critical and, even if it will be compromised, there won’t be a huge impact. So, we will not patch it.

In each individual case Vulnerability Analyst can describe and proof his point, but doing this for each vulnerability will require insane amount of time and efforts and will paralyze the work. It is basically the Italian strike or work-to-rule.

Continue reading

PHDays8: Digital Bet and thousands tons of verbal ore

It’s time to write about Positive Hack Days 8: Digital Bet conference, which was held May 15-16 at the Moscow World Trade Center. It was the main Russian Information Security event of the first half of 2018. More than 4 thousand people attended! More than 50 reports, master classes and round tables held in 7 parallel streams. And, of course, impressive CTF contest for security experts and hackers with an fully-functioning model of the city.

Hack Days 8: Digital Bet

I was very pleased that there was a separate section dedicated to Vulnerability Management. Something similar happened only at ISACA meetup last year. But here we had an event for several thousand people!

The session was held in Fast Track format: 20 minutes for the presentation and questions. I was the first to speak. My report was called “Vulnerability Databases: sifting thousands tons of verbal ore”. Here is the video:

And here’s a link to the version with only Russian sound track.

Continue reading

Outpost24 Appsec Scale for Web Application Scanning

Today I would like to write about yet another Outpost24 product – cloud Web Application Scanner Appsec Scale.

Outpost24 Appsec Scale scan results

It is available in the same interface as Outpost24 Outscan, that I reviewed earlier. Select APPSEC SCALE in the start menu and you can scan web applications:

Outpost24 Appsec Scale

Continue reading

Outpost24 OUTSCAN for detecting vulnerabilities on your network perimeter

Today I would like to write  a post about Outpost24. This company was founded in 2001. For comparison, Tenable was founded in 2002 and Qualys in 1999. So, it’s a company with a pretty long history. Outpost24 make Vulnerability Management & Web Application Security products and provide various services in these areas. As far as I can tell, they are known mainly in Central and Northern Europe.

I’ve been testing their cloud-based solution for network perimeter scanning  – OUTSCAN. Here I want to show the main features of the GUI and share my impressions. 

Outpost24 Outscan

Continue reading

Vulners Web Vulnerability Scanner plugin for Google Chrome v. 2.0

Vulners Team released today the second version of their Web Vulnerability Scanning plugin for Google Chrome browser. You can read my description of the version 1.0 at “Vulners.com vulnerability detection plugins for Burp Suite and Google Chrome“.

Vulners web vulnerability scanner v.2.0

Killing feature of Vulners web scanner v. 2.0 is that you can now see all vulnerabilities on all scanned sites in a single window. You don’t need to checks all Google Chrome tabs manually.

Moreover, if some sites make request to other servers, for example googleapis.com, these servers will be checked automatically.

The plugin was fully refactored and now it is React driven. It works faster, analysis more data sources and detects vulnerabilities more accurately.

Continue reading