Tag Archives: CVSS

Psychological Aspects of Vulnerability Remediation

Psychological Aspects of Vulnerability Remediation. In my opinion, Remediation is the most difficult part of Vulnerability Management process. If you know the assets in your organization and can assess them, you will sooner or later produce a good enough flow of critical vulnerabilities. But what the point, if the IT team will not fix them?

Kübler-Ross model and Tsunami of Vulnerability Tasks

Kübler-Ross model and Tsunami of Vulnerability Remediation Tasks

Just think about it. The only thing that your colleagues from  IT team see is an unexpected  tsunami of the patching tasks. They most likely don’t understand WHY they should do it. They most likely don’t know about the concepts of Attack Surface minimization and Attack Cost maximization. From their point of view it’s just some stupid requirements from InfoSec team imposed with only one goal – to make their life miserable.

So, they may think that denial and pushing back can solve all their problems. And, frankly, this may work. There are countless ways to sabotage Vulnerability Remediation. Most main and common are the following:

  • I don’t understand how to patch this.
  • I already patched this, there should be a false positive in the scanner.
  • Why should we patch this? The vulnerability is not exploitable. Or it is exploitable in theory, but not exploitable in our particular infrastructure. Or this server is not critical and, even if it will be compromised, there won’t be a huge impact. So, we will not patch it.

In each individual case Vulnerability Analyst can describe and proof his point, but doing this for each vulnerability will require insane amount of time and efforts and will paralyze the work. It is basically the Italian strike or work-to-rule.

Continue reading

PHDays8: Digital Bet and thousands tons of verbal ore

PHDays8: Digital Bet and thousands tons of verbal ore. It’s time to write about Positive Hack Days 8: Digital Bet conference, which was held May 15-16 at the Moscow World Trade Center. It was the main Russian Information Security event of the first half of 2018. More than 4 thousand people attended! More than 50 reports, master classes and round tables held in 7 parallel streams. And, of course, impressive CTF contest for security experts and hackers with an fully-functioning model of the city.

Hack Days 8: Digital Bet

I was very pleased that there was a separate section dedicated to Vulnerability Management. Something similar happened only at ISACA meetup last year. But here we had an event for several thousand people!

The session was held in Fast Track format: 20 minutes for the presentation and questions. I was the first to speak. My report was called “Vulnerability Databases: sifting thousands tons of verbal ore”. Here is the video:

And here’s a link to the version with only Russian sound track.

Continue reading

Outpost24 Appsec Scale for Web Application Scanning

Outpost24 Appsec Scale for Web Application Scanning. Today I would like to write about yet another Outpost24 product – cloud Web Application Scanner Appsec Scale.

Outpost24 Appsec Scale scan results

It is available in the same interface as Outpost24 Outscan, that I reviewed earlier. Select APPSEC SCALE in the start menu and you can scan web applications:

Outpost24 Appsec Scale

Continue reading

Outpost24 OUTSCAN for detecting vulnerabilities on your network perimeter

Outpost24 OUTSCAN for detecting vulnerabilities on your network perimeter. Today I would like to write  a post about Outpost24. This company was founded in 2001. For comparison, Tenable was founded in 2002 and Qualys in 1999. So, it’s a company with a pretty long history. Outpost24 make Vulnerability Management & Web Application Security products and provide various services in these areas. As far as I can tell, they are known mainly in Central and Northern Europe.

I’ve been testing their cloud-based solution for network perimeter scanning  – OUTSCAN. Here I want to show the main features of the GUI and share my impressions. 

Outpost24 Outscan

Continue reading

Vulners Web Vulnerability Scanner plugin for Google Chrome v. 2.0

Vulners Web Vulnerability Scanner plugin for Google Chrome v. 2.0. Vulners Team released today the second version of their Web Vulnerability Scanning plugin for Google Chrome browser. You can read my description of the version 1.0 at “Vulners.com vulnerability detection plugins for Burp Suite and Google Chrome“.

Vulners web vulnerability scanner v.2.0

Killing feature of Vulners web scanner v. 2.0 is that you can now see all vulnerabilities on all scanned sites in a single window. You don’t need to checks all Google Chrome tabs manually.

Moreover, if some sites make request to other servers, for example googleapis.com, these servers will be checked automatically.

The plugin was fully refactored and now it is React driven. It works faster, analysis more data sources and detects vulnerabilities more accurately.

Continue reading

Kenna Security: Analyzing Vulnerability Scan data

Kenna Security: Analyzing Vulnerability Scan data. I’ve been following Kenna Security (before 2015 Risk I/O) for a pretty long time. Mainly, because they do the things I do on a daily basis: analyse various vulnerability scan results and feeds, and prioritize detected vulnerabilities for further mitigation. The only difference is that my scripts and reports are highly specific for my employer’s infrastructure and needs. And guys from Kenna team make a standardized scalable cloud solution that should be suitable for everyone.

I think their niche is really great. They do not compete directly with Vulnerability Management vendors. They can be partners with any of them, bringing additional features to the customers. Perfect win-win combination. That’s why Kenna speakers regularly participate in joint webinars with VM vendors.

I couldn’t lose a great opportunity to see Kenna Security service in action. 😉

In this post I will try to make a very brief review of Kenna functionality and formulate pros and cons of the solution.

When you submit trial request at https://www.eu.kennasecurity.com/signup (or https://app.kennasecurity.com/signup if you are not in Europe) you will get a link to your company account:

https://corporation.eu.kennasecurity.com/

The login screen will look like this:

Kenna login

Continue reading

Downloading and analyzing NVD CVE feed

Downloading and analyzing NVD CVE feed. In previous post “New National Vulnerability Database visualizations and feeds” I mentioned JSON NVD feed.

NVD JSON feed parse python

Let’s see what data it contains, how to download and analyse it. First of all, we need to download all files with CVEs from NVD database and save them to some directory.

nvd feed json download

Unfortunately, there is no way to download all the content at once. Only one year archives. We need to get urls first. Url looks like this: https://static.nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-2017.json.zip. Then we will download them all.

Continue reading