Tag Archives: NIST

Vulnerability Databases: Classification and Registry

What publicly available Vulnerability Databases do we have? Well, I can only say that there are a lot of them and they are pretty different. Here I make an attempt to classify them.

It’s quite an ungrateful task. No matter how hard you try, the final result will be rather inaccurate and incomplete. I am sure someone will be complaining. But this is how I see it. šŸ˜‰Ā If you want to add or change something feel free to make a comment bellow or email me@avleonov.com.

The main classifier, which I came up with:

  • There are individual vulnerability databases in which one identifier means one vulnerability. They try to cover all existing vulnerabilities.
  • And others are security bulletins. They cover vulnerabilities in a particular product or products. And they usually based on on patches. One patch may cover multiple vulnerabilities.

I made this diagram with some Vulnerability Databases. Note that I wanted to stay focused, so there are no exploit DBs, CERTs, lists of vulnerabilities detected by some researchers (CISCO Talos, PT Research, etc.), Media and Bug Bounty sites.

Vulnerability Databases classification

For these databases the descriptions of vulnerabilities are publicly available on the site (in html interface or downloadable data feed), or exist in a form of paid Vulnerability Intelligence service (for example, Flexera).

On one side there are databases of individual vulnerabilities, the most important is National Vulnerability Database. There are also Chinese, Japanese bases that can be derived from NVD or not.

On the other side we have security bulletins, for example RedHat Security Advisories.

And in the middle we have a Vulnerability Databases, for which it is not critical whether they have duplicated vulnerability IDs or not.

Continue reading

New National Vulnerability Database visualizations and feeds

Recently, the National Institute of Standards and Technology (NIST) introduced a new version of National Vulnerability Database (NVD) website.

NIST NVD new siteļæ¼

I will not say that I liked this redesign:

new NVD website

IMHO, old website with US flag was much prettier and useful:

old NVD website

But the very fact that the site is developing, I really like very much. Let’s see what’s new there.

Continue reading

.audit-based Compliance Management in Nessus

In this post I will briefly describe how Nessus .audit-based Compliance Management works, why I like it, what could be improved and why I suppose Tenable won’t do it soon. šŸ˜‰

Nessus compliance checks are mainly presented in a form of special .audit scripts. This scripting language is very different from familiar NASL (Nessus Attack Scripting Language).

Basically, it is a collection of universal checks for various objects (e.g. existence of the line or parameter in the file, access permissions of the file,Ā  service status, etc.). Of course, nowadays Š”ompliance Management is not only aboutĀ Operating System and software (mis)configuration. We have different network devices, databases, cloud services, etc. but originally it was the main case.

By combining the universal checksĀ  any requirement of low-level configuration standard (CIS, DISA, etc.) can be implemented. The similar principles are used in OVAL/SCAP content.

Continue reading

Testing Secpod Saner Personal vulnerability scanner

SecPod Technologies is an information security products company located in Bangalore, India. They are also known as top OVAL Contributor and NVT vendor for OpenVAS. Besides the products designed for a big enterprises (vulnerability scanner Saner Business and threat intelligence platform Ancor), they have either vulnerability and compliance management solution for personal use – Saner Personal. And personal means that this scanner will scan only localhost. It’s free, SCAP-compatible, it has remediation capabilities. And it works. =)

Secpod Saner Personal scanning results

Continue reading

Hello!

My photo

Thanks for visiting my website! Glad to see you here.

My name is Alexander and I’m an Information Security Automation specialist. For 6 years I have actively participated in development of MaxPatrol and XSpider – the best known Vulnerability and Compliance Management products in Russia and CIS. I also worked in the biggest Russian Internet/Mobile Companies and Financial Institutions providing precise automated vulnerability assessment and vulnerability intelligence of a huge and diverse IT-infrastructure.

Enthusiast for NIST/MITRE/CIS and OWASP open security standards and initiatives.

Also the head of OpenVAS Russia project.

OpenVAS Russia banner

Feel free to follow me or add me to your friend list at facebook, twitter, linkedin, telegram. Sometimes I publish videos on my youtube channel.

My email: me@avleonov.com