Tag Archives: Linux

ZeroNights16: Enterprise Vulnerability Management

ZeroNights16: Enterprise Vulnerability Management. 17-18 November I was at the great event — Zero Nights security conference in Moscow. For the first time as a speaker. Being a part of such famous and prestigious security event was very exciting. I was talking mainly about VM solution problems and custom reporting/ticketing, Ekaterina shared some experience in using Tenable SecurityCenter for Vulnerability and Compliance management.

Presentation was recorded and some time later video will be available on YouTube. However, I suppose audio will be only in Russian not earlier than February 2017. So I think it will be a much more useful to share some points of the presentation right now. Lucky here I don’t have any time restrictions. =)

The first thing to say about Vulnerability Scanners and Vulnerability Management product is that there are plenty of them. On this picture I mentioned some of the products/vendors.

Some of them are highly specialized, like ErpScan for SAP, others are universal. Some of them are presented globally: Tenable Nessus / SecurityCenter, Rapid 7 Nexpose, Qualys, F-Secure etc., others are known mainly in Russia: Positivie Technologies Maxpatrol, Altx-Soft RedCheck, Echelon Scaner-VS. Some products are expansive, some of them not and even have versions available for free: OpenVAS, SecPod Saner Personal, Altx-Soft ComplianceCheck, Qualys SSL labs, High-Tech Bridge SSL Server Security Test, etc.

In my opinion the main problems of VM solutions are expansiveness and low reliability of the scan results.

Continue reading →

Fast comparison of Nessus and OpenVAS knowledge bases

17 Replies

Fast comparison of Nessus and OpenVAS knowledge bases. In my opinion, quality of knowledge base is the most important characteristic of Vulnerability Management (VM) product. Maybe it’s because I have spent significant amount of time making different security content for vulnerability scanners and this is some form of professional deformation. 🙂 The fact is that nowadays we have dozens of VM solutions on the market, which have very different knowledge bases and thus different abilities for detecting vulnerabilities. And really nobody talk about this. I can recommend related post “Tenable doesn’t want to be Tenable anymore” and especially HD Moore’s comment to that post. It describes the reason why nobody interested now in quality of detection. Maximum what we, end-users, can hear from the vendor about it’s knowledge base is an amount of vulnerability checks: 40000-80000 and approximate list of supported systems. There is a massive false belief that detection quality of the products is approximately the same and it’s better talk about dashboards, reports, SIEM-like capabilities. To demonstrate that the difference actually exists I made a pretty primitive comparison of Nessus and OpenVAS knowledge bases.

I chose these two products, mainly because information on their NASL plugins is available at Vulners.com. As I also wrote earlier how you can use easily parse Vulners archives in python, so you can repeat it for yourself. I talked about this topic at Pentestit webinar about Vulners. If you are familiar with Russian, you can also check this out. 😉 The slides for this presentation are available here.

Why I call this comparison fast and primitive? I don’t define the structure of KBs for this product and don’t carefully map one nasl script to another. I suppose it may be a theme for another posts. Instead I am looking at the CVE links. If two scanners detect can the same vulnerabilities, they should have the same CVE links in all the NASL scripts, right? In reality we have a great difference between the products and more than a half of the CVEs can’t be detected by using both of them.

CVE links from NASL plugins

All CVEs: 80196
OpenVAS CVE links: 29240
Nessus CVE links: 35032
OpenVAS vs. Nessus: 3787;25453;9579

Continue reading →

New Vulners.com services for Linux Security Audit and Vulnerability Alerting

9 Replies

New Vulners.com services for Linux Security Audit and Vulnerability Alerting. Upd. This post is out of date! Check out “Vulners Linux Audit API for Host Vulnerability Detection: Manual Auditing, Python Scripting and Licensing” from 2021.

A few weeks ago I was describing how to perform Linux Vulnerability Assessment without a Vulnerability Scanner. I also wrote in “Vulnerability scanners: a view from the vendor and end user side” that vulnerability scanning is not rocket science and it is easy to make your own scanner for vulnerabilities for a particular OS. Especially it is a popular Linux Distribution.

But. It’s one thing to write that you can do it, and another thing to develop a script for home use, and quite another thing to make a publicly available and efficient service…

Vulners Team guys have actually created such free Linux Vulnerability Audit service!

Linux Vulnerability Audit Service

First of all, they made a GUI where you can specify OS version (usually it is in the /etc/os-release file), list of packages installed on the host and get the list of vulnerabilities.

For example, here are the vulnerabilities for my Ubuntu Laptop, which I update frequently:

One vulnerability was found:

But GUI is good for demonstration. In real life, you can use Vulners Audit API. It will return list of vulnerabilities in JSON.

Continue reading →

Dealing with Qualys Cloud Agents

8 Replies

Dealing with Qualys Cloud Agents. Today I would like to write about Qualys agent-based VM scanning. Agent-based scanning is a relatively new trend among VM vendors. At the beginning of Vulnerability Assessment, there was a prevailing view that the agentless scanning is more convenient for the users: you do not need to install anything on the host, just get credentials and you are ready to scan.

Qualys Cloud Agents logo

However, time passed and it now appears that installing agents on all hosts, where it is technically possible, may be easier, than managing credentials for authenticated scanning. Don’t forget the fact that almost all agentless scanning solutions require scanning account with root/admin privileges, and it’s not an easy task to minimize permissions of this accounts while keeping all functional capabilities of the scanner.

In recent years almost all major VM vendors who previously were promoting agentless scanning have also proposed agent-based solutions.

The main purposes of these solutions are:

scan devices that periodically connect to the enterprise network and it’s hard to catch them with traditional active scan (for example, laptop);
scan business critical hosts for which it is impossible to get scanning credentials.

VM vendors have taken different approaches for agent-based scanning. For example, Tenable agents are technically very similar to Nessus installations without web interface (read more at “Nessus Manager and Agents“), limited to can scan only the localhost. This seems reasonable, because historically Nessus scanner is available for many platforms, including Windows, Linux, MacOS. Qualys chose other way. They made minimalistic agents for data gathering, processing it on the remote servers. This is also fits well in Qualys cloud concept.

As I wrote earlier in “Qualys Vulnerability Management GUI and API“, Qualys working hard to make their web interface easier for beginners. When you go to CA (Cloud Agents) tab, the first thing you see is a user-friendly interface for quick start.

Cloud Agents Welcome

Continue reading →

Testing Secpod Saner Personal vulnerability scanner

4 Replies

Testing Secpod Saner Personal vulnerability scanner. SecPod Technologies is an information security products company located in Bangalore, India. They are also known as top OVAL Contributor and NVT vendor for OpenVAS. Besides the products designed for a big enterprises (vulnerability scanner Saner Business and threat intelligence platform Ancor), they have either vulnerability and compliance management solution for personal use – Saner Personal. And personal means that this scanner will scan only localhost. It’s free, SCAP-compatible, it has remediation capabilities. And it works. =)

Secpod Saner Personal scanning results

Continue reading →

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: Linux

ZeroNights16: Enterprise Vulnerability Management

Fast comparison of Nessus and OpenVAS knowledge bases

Dealing with Qualys Cloud Agents

Testing Secpod Saner Personal vulnerability scanner