Tag Archives: Positive Technologies

Programmers are also people who also make mistakes

It’s the first part of our talk with Daniil Svetlov at his radio show “Safe Environment” (or “Safe Wednesday” – kind of wordplay in Russian) recorded 29.03.2017. We were discussing why Software Vulnerabilities are everyone’s problem. Full video in Russian without subtitles is available here.

If we look at who commits, who adds vulnerabilities to the CVE database, they are very different people.

I added manually transcribed Russian/English subtitles to the video:

  • Why vulnerabilities are dangerous for business and for ordinary people?
  • How vulnerabilities appear in programs?
  • How to write code safely?
  • What motivates vulnerability researchers?
  • Vulnerabilities as a first step in writing malicious software

We wanted to talk today about software vulnerabilities. Tell me, what is it all about, why are they dangerous for business, for ordinary people and what are the difficulties with their remediation.

Speaking about vulnerabilities, it’s probably worth to tell how they generally appear in programs.

Let’s say we have a company. This company is developing some software. Some programmers work in it. Programmers are also people who also make mistakes. And if some mistakes that are directly related to the functionality of this application, can be detected quite simply in the testing process…

Are you talking about functional testing?

Yes, it is about functional testing.

QA specialists can quickly find these vulnerabilities, or these problems, these bugs. Some problems can not be detected in such a simple way. For example, some problems related to security.

Why? Because the main task of the programmers: the program should work.

Continue reading

MaxPatrol 8 installation process

Today I have a great opportunity to write about MaxPatrol 8. For me it is a very nostalgic experience. I worked for many year in Positive Technologies developing this product. And now I can write about it from the customer side.

MaxPatrol is still not very well known outside Russia and CIS, although this product available in English, and has even a Korean localization. So, why not to introduce this product to the readers of my blog? The other reason to write this post is a pretty common opinion, that MaxPatrol is very hard to install and use, and it is the main disadvantage of the product. In fact it is not true.

MaxPatrol 8 loading screen

MaxPatrol is not perfect like any other product. But it’s no more complex than any other enterprise level Vulnerability Management product. It’s my considered opinion after working with a number of other vulnerability and compliance assessment products. GUI may look unfamiliar from the first look, but you can quickly get used to it.

As for the functional capabilities, in some cases it is even difficult to compete with MaxPatrol. Here are the most interesting features:

  1. Advanced White Box assessment:
    • Extended OS inventory
    • Software license control
    • User control
    • Password recovery (hash brute-force)
    • Security checks for running services
  2. Advanced Compliance scanning capabilities
  3. Special assessment modules:
    • SAP ERP
    • SCADA
    • Core telecom networks
  4. Forensic mode – security incidents detection based on event logs analysis

The first blog post will be about MaxPatrol installation.

Continue reading

Gartner’s view on Vulnerability Management market

Not so long time ago Gartner’s report “Vulnerability Management an essential piece of the security puzzle” has become publicly available. Now you can read it for free by filling out a questionnaire on F-Secure website.

Gartner VM Market Guide

At the bottom of the document there is a reference to Gartner G00294756 from 05 December 2016. This document is quite fresh, especially for not very dynamic VM market ;-), and pretty expensive. Thanks for F-secure, we can read it now for free. If you are wondering why this anti-virus company is sponsoring Gartner VM reports: year ago they have bought Finnish VM vendor nScence, and I even did a small review of this product (F-Secure Radar Vulnerability Management solution, F-Secure Radar basic reporting, F-Secure Radar ticketing, F-Secure API for scanning).

Talking about the document, I would like, firstly, to thank Gartner. Do you know who writes most articles about VM? Of course, VM vendors. And we all understand that their main goal is to promote their own products. Reports of independent consulting firms, primarily IDC, Forrester and Gartner, allow us to get some balanced view from the side. It is very important.

Here I would like to comment some theses of the text.

Continue reading

ZeroNights16: Enterprise Vulnerability Management

17-18 November I was at the great event  Zero Nights security conference in Moscow. For the first time as a speaker. Being a part of such famous and prestigious security event was very exciting. There were three of us, Ekaterina Pukhareva, Alex Smirnoff and me, and only 20 minutes available for all. I was talking mainly about VM solution problems and custom reporting/ticketing, Ekaterina shared some experience in using Tenable SecurityCenter for Vulnerability and Compliance management, and Alex was talking mainly about Asset and Risk Management.

Alex ArkanoiD Smirnov, Alexander Leonov, Ekaterina Pukhareva at ZeroNights 2016

Presentation was recorded and some time later video will be available on YouTube. However, I suppose audio will be only in Russian not earlier than February 2017. So I think it will be a much more useful to share some points of the presentation right now. Lucky here I don’t have any time restrictions. =)

The first thing to say about Vulnerability Scanners and Vulnerability Management product is that there are plenty of them. On this picture I mentioned some of the products/vendors.

Vulnerability Scanners and Vendors

Some of them are highly specialized, like ErpScan for SAP, others are universal. Some of them are presented globally: Tenable Nessus / SecurityCenter, Rapid 7 Nexpose, Qualys, F-Secure etc., others are known mainly in Russia: Positivie Technologies Maxpatrol, Altx-Soft RedCheck, Echelon Scaner-VS. Some products are expansive, some of them not and even have versions available for free: OpenVAS, SecPod Saner Personal, Altx-Soft ComplianceCheck, Qualys SSL labsHigh-Tech Bridge SSL Server Security Test, etc.

In my opinion the main problems of VM solutions are expansiveness and low reliability of the scan results.

Continue reading

QSC16: from Vulnerability Management to IT Visibility

I want to share my impressions of QSC16 conference, where recently I had pleasure to attend. This yearly conference is held in Munich for ten years already. I was there before only one time, in 2012. It made a great impression and this year was no worse.

My photo QSC16

First of all, I should write some words about the conference itself. QSC is an acronym for Qualys Security Conference. It is clear from the name that it is fully dedicated to Qualys products.

Who might be interested in such event?

Mainly, of course, current and potential users of Qualys products, partners, competitors (from own experience, they are not welcomed there ;-)) and, I think it is the smallest group, analysts of Vulnerability Management market and Vulnerability Assessment geeks, like me. For people, who are sincerely interested in VM market changes, road show of the global VM vendor with the biggest market share (is it right, Gartner?) is a precious information source. Here you can learn about real experiences in the use of Qualys products and hear about the company’s future plans.

BTW, if you are one of those, and we do not know each other, we should definitely have a talk. 😉

QSC Agenda

Why is this event important? Despite existing skepticism about mono-vendor conferences and roadshows, QSC is one of the few events in Europe dedicated to the VM, in the broad sense of the term, almost exclusively. All discussions are, of course, in the context of Qualys solutions and you won’t hear any real critics of the vendor, however questions raised there are relevant for the entire VM market.

Continue reading