Tag Archives: CWE

Martian Vulnerability Chronicles

Well, there should have been an optimistic post about my vulnerability analysis & classification pet-project. Something like “blah-blah-blah the situation is pretty bad, tons of vulnerabilities and it’s not clear which of them can be used by attackers. BUT there is a way how to make it better using trivial automation“. And so on. It seems that it won’t be any time soon. ¯\_(ツ)_/¯

I’ve spent several weekends on making some code that takes vulnerability description and other related formalized data to “separate the wheat from the chaff”. And what I get doesn’t look like some universal solution at all.

Pretty frustrating, but still an interesting experience and great protection from being charmed by trendy and shiny “predictive prioritization”.

Martian Vulnerability Chronicles

Literally, when you start analyzing this vulnerability-related stuff every your assumption becomes wrong:

  • that vulnerability description is good enough to get an idea how the vulnerability can be exploited (let’s discuss it in this post);
  • that CVSS characterizes the vulnerability somehow;
  • that the links to related objects (read: exploits) can be actually used for prioritization.

Actually, there is no reliable data that can be analyzed, trash is everywhere and everybody lies 😉

Let’s start from the vulnerability description. Great example is the last week critical Linux kernel vulnerability CVE-2019-8912.

Continue reading

PHDays8: Digital Bet and thousands tons of verbal ore

It’s time to write about Positive Hack Days 8: Digital Bet conference, which was held May 15-16 at the Moscow World Trade Center. It was the main Russian Information Security event of the first half of 2018. More than 4 thousand people attended! More than 50 reports, master classes and round tables held in 7 parallel streams. And, of course, impressive CTF contest for security experts and hackers with an fully-functioning model of the city.

Hack Days 8: Digital Bet

I was very pleased that there was a separate section dedicated to Vulnerability Management. Something similar happened only at ISACA meetup last year. But here we had an event for several thousand people!

The session was held in Fast Track format: 20 minutes for the presentation and questions. I was the first to speak. My report was called “Vulnerability Databases: sifting thousands tons of verbal ore”. Here is the video:

And here’s a link to the version with only Russian sound track.

Continue reading

Outpost24 Appsec Scale for Web Application Scanning

Today I would like to write about yet another Outpost24 product – cloud Web Application Scanner Appsec Scale.

Outpost24 Appsec Scale scan results

It is available in the same interface as Outpost24 Outscan, that I reviewed earlier. Select APPSEC SCALE in the start menu and you can scan web applications:

Outpost24 Appsec Scale

Continue reading

CISO Forum and the problems of Vulnerability Databases

Last Tuesday, April 24,  I was at “CISO FORUM 2020: glance to the future“. I presented there my report “Vulnerability Databases: sifting thousands tons of verbal ore”. In this post, I’ll briefly talk about this report and about the event itself.

CISO Forum 2020

My speech was the last in the program. At the same time, in a parallel stream, there was another interesting presentation by the most famous Russian information security blogger. Thus, there was a real danger of speaking in an empty room. 🙂 But everything went well. There were about 30 spectators and we had an active QA session afterwards.

As I wrote earlier, I started preparing my CyberCentral presentation several months before the event. I did not want to tell the same story again at CISO Forum and PHDays. So I prepared 2 different presentations. At CyberCentral, I was talking about Vulnerability Scanners. And at CISO Forum I was talking mainly about Vulnerable Databases. Of course, I reused some materials, but the accents were different.

Continue reading

CWEs in NVD CVE feed: analysis and complaints

As you probably know, one of the ways to describe the nature of some software vulnerability is to provide corresponding CWE (Common Weakness Enumeration) ids. Let’s see the CWE links in NVD CVE base.

NVD CWEs

I have already wrote earlier how to deal with NVD feed using python in “Downloading and analyzing NVD CVE feed“. You can easily get CWEs ids iterating over cve_dict['CVE_Items'].

Continue reading

New National Vulnerability Database visualizations and feeds

Recently, the National Institute of Standards and Technology (NIST) introduced a new version of National Vulnerability Database (NVD) website.

NIST NVD new site

I will not say that I liked this redesign:

new NVD website

IMHO, old website with US flag was much prettier and useful:

old NVD website

But the very fact that the site is developing, I really like very much. Let’s see what’s new there.

Continue reading