Tag Archives: Tenable

AM Live Vulnerability Management Conference 2022: my impressions and position

Leave a reply

AM Live Vulnerability Management Conference 2022: my impressions and position. Hello everyone! This episode will be about the AM Live Vulnerability Management online conference. I participated in it on May 17th.

Alternative video link (for Russia): https://vk.com/video-149273431_456239090

The event lasted 2 hours. Repeating everything that has been said is difficult and makes little sense. Those who want can watch the full video or read the article about the event (both in Russian). Here I would like to share my impressions, compare this event with last year’s and express my position.

Continue reading

Microsoft Patch Tuesday April 2022 and custom CVE comments sources in Vulristics

Leave a reply

Microsoft Patch Tuesday April 2022 and custom CVE comments sources in Vulristics. Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2022 and new improvements in my Vulristics project. I decided to add more comment sources. Because it’s not just Tenable, Qualys, Rapid7 and ZDI make Microsoft Patch Tuesday reviews, but also other security companies and bloggers.

Alternative video link (for Russia): https://vk.com/video-149273431_456239085

You can see them in my automated security news telegram channel avleonovnews after every second Tuesday of the month. So, now you can add any links with CVE comments to Vulristics.

Continue reading

CISO Forum 2022: the first major Russian security conference in the New Reality

1 Reply

CISO Forum 2022: the first major Russian security conference in the New Reality. Hello everyone! After a two-year break, I took part in Moscow CISO Forum 2022 with a small talk “Malicious open source: the cost of using someone else’s code”.

Alternative video link (for Russia): https://vk.com/video-149273431_456239084

CISO Forum is the first major Russian conference since the beginning of The New Reality of Information Security (TNRoIS). My presentation was just on this topic. How malicious commits in open source projects change development and operations processes. I will make a separate video about this (upd. added Malicious Open Source: the cost of using someone else’s code). In this episode, I would like to tell you a little about the conference itself.

Continue reading

Microsoft Patch Tuesday February 2022

Leave a reply

Microsoft Patch Tuesday February 2022. Hello everyone! This episode will be about Microsoft Patch Tuesday for February 2022. I release it pretty late, because of the my previous big episode about the blindspots in the Knowledge Bases of Vulnerability Scanners. Please take a look if you haven’t seen it. Well, if you are even slightly interested in the world news, you can imagine that the end of February 2022 in Eastern Europe is not the best time to create new content on Vulnerability Management. Let’s hope that peace and tranquility will be restored soon. And also that geopolitical confrontation between the largest nuclear powers will de-escalate somehow.

But let’s get back to information security. While working on Microsoft Patch Tuesday report for February 2022, I made a lot of improvements to my open source project for vulnerability prioritization Vulristics. I want to start with them.

Continue reading

VMconf 22: Blindspots in the Knowledge Bases of Vulnerability Scanners

3 Replies

VMconf 22: Blindspots in the Knowledge Bases of Vulnerability Scanners. Hello everyone! This video was recorded for the VMconf22 Vulnerability Management conference. I want to talk about the blind spots in the knowledge bases of Vulnerability Scanners and Vulnerability Management products.

This report was presented in Russian at Tenable Security Day 2022. The video is here.

Potential customers rarely worry about the completeness of the Knowledge Base when choosing a Vulnerability Scanner. They usually trust the VM vendors’ claims of the “largest vulnerability base” and the total number of detection plugins. But in fact the completeness is very important. All high-level vulnerability prioritization features are meaningless unless the vulnerability has been reliably detected. In this presentation, I will show the examples of blindspots in the knowledge bases of vulnerability management products, try to describe the causes and what we (as customers and the community) can do about it.

Continue reading

Vulnerability Intelligence based on media hype. It works? Grafana LFI and Log4j “Log4Shell” RCE

1 Reply

Vulnerability Intelligence based on media hype. It works? Grafana LFI and Log4j “Log4Shell” RCE. Hello everyone! In this episode, I want to talk about vulnerabilities, news and hype. The easiest way to get timely information on the most important vulnerabilities is to just read the news regularly, right? Well, I will try to reflect on this using two examples from last week.

I have a security news telegram channel https://t.me/avleonovnews that is automatically updated by a script using many RSS feeds. And the script even highlights the news associated with vulnerabilities, exploits and attacks.

And last Tuesday, 07.02, a very interesting vulnerability in Grafana was released.

Continue reading

How to fix “Nessus failed to load the SSH private key” error?

2 Replies

How to fix “Nessus failed to load the SSH private key” error? If you are using Nessus to scan Linux hosts and authenticate by key, you may encounter this problem.

You have generated the keys correctly, placed the public key on a remote server. You can connect to this server using the private key.

ssh -p22 -i private_key user@server.corporation.com

But when scanning with Nessus, you get weird errors in the various plugin outputs:

  • Target Credential Status by Authentication Protocol – Failure for Provided Credentials
  • Nessus failed to load the SSH private key. Is the associated passphrase correct?
  • Failed to parse the given key information.
  • Unable to login to remote host with supplied credential sets.

Continue reading