Tag Archives: Vulristics

My thoughts on the “2021 Gartner Market Guide for Vulnerability Assessment”. What about the quality?

The Gartner Vulnerability Management Reports are one of the few marketing reports that I try to read regularly. This started back in the days when I was working for a VM vendor doing competitive analysis. Gartner is one of the few organizations that think about Vulnerability Assessment and Vulnerability Management and clearly articulate where we are and where we are going.

I got a free reprint of “2021 Gartner Market Guide for Vulnerability Assessment” from the Tenable website. Thanks a lot to them for that.

Let’s start with what I liked:

  1. It’s great that Gartner has made vulnerability prioritization technology (VPT) a separate class of solutions, that do not detect vulnerabilities themselves, but work with them. For example, Kenna or my Vulristics. And it could be additional functionality like Tenable VPR.
  2. I liked the focus on EDR as a promising VM replacement. Especially, Microsoft solutions (Defender for Endpoint or as was mentioned in the report Microsoft’s Threat & Vulnerability Management, TVM).
  3. It’s nice that various areas related to Vulnerability Management have been mentioned: Pentest, Bug Bounty, Breach and Attack Simulation (BAS).
  4. An interesting diagram that shows that VA is primarily about “Assess” and “Asset Management”, VPT is primarily about “Prioritize” and “Workflow Management”, BAS is primarily about “Compensate” and “Security Controls”.

Now what I didn’t like. I have one pain point – the quality of the scanning. And here, on the one hand, something was said, but on the other, it was not enough and not as definite as I would like. Market Direction is the most interesting section of the document. And it was the most painful to read.

Continue reading

Vulristics HTML Report Update: Table for Products, Table for Vuln. Types and “Prevalence”

Hi guys! I was on vacation this week. So I had time to work on my Vulristics project. For those who don’t know, this is a framework for prioritizing known CVE vulnerabilities. I was mainly grooming the HTML report.

I added a logo at the top, set a max width for the report, added a timestamp when the report was created so you can now see how fresh it is. I have combined CVSS and Vulristics score statistics in two parallel columns.

But the main new feature is the tables of vulnerable products and types of vulnerabilities. The products are sorted by “prevalence”. You can review this list and ask yourself if this order is correct in your opinion or change the “prevalence” values for some products in the config dictionary. For software products with unknown “prevalence”, you will see the comment “Unclassified Product”.

Continue reading

PHDays 10: U.S. Sanctions, My Talk on Vulristics, Other Great Talks Related to VM

Today I will talk about the Positive Hack Days conference, which took place on May 20 and May 21 in Moscow. I can say that this was and remains the main event for Information Security Practitioners in Russia.

First of all, I have to say a few words about the sanctions. The organizer of the event, Positive Technologies, is under the sanctions of the US Treasury Department since April 2021 among the “COMPANIES IN THE TECHNOLOGY SECTOR SUPPORTING RUSSIAN INTELLIGENCE SERVICES”. In a press release, the Treasury Department wrote that Positive Technologies hosts large-scale conventions that are used as recruiting events for russian special services. Well, I don’t know exactly what they mean. Maybe they mean PHDays or maybe not. But to say this about PHDays is like saying that any major international conference, Black Hat or RSA, is a recruiting event. This is ridiculous. In my humble opinion, these are some dirty political games. It is sad that reputable information security companies and security researchers are suffering from this.

Now let’s talk about my speech at PHDays 10. This year I had the opportunity to talk for an hour about my pet project – Vulristics. This project can help you prioritize known vulnerabilities. Anything that has a CVE id. There is a full video of my speech. I have uploaded this to my YouTube channel.

Russian version.

And a version that was dubbed into English.

So, if you’re interested, I recommend watching the full video. Here I will simply repeat the main points.

Continue reading

AM Live Vulnerability Management Conference Part 2: What was I talking about there

Hello all! It is the second part about AM Live Vulnerability Management conference. In the first part I made the timecodes for the 2 hours video in Russian. Here I have combined all my lines into one text.

What is Vulnerability Management?

Vulnerability Management process is the opposite of the admin’s saying “If it works – don’t touch it!”. The main idea of this process is to somehow fix the vulnerabilities. How do you achieve this is not so important. Maybe you will have a nice Plan-Do-Check-Act process and strict policies. Maybe not. The main thing is that you fix vulnerabilities! And the main problem is to negotiate this regular patching with system administrators and service owners.

Continue reading

Vulristics: Microsoft Patch Tuesdays Q1 2021

Hello everyone! It has been 3 months since my last review of Microsoft vulnerabilities for Q4 2020. In this episode I want to review the Microsoft vulnerabilities for the first quarter of 2021. There will be 4 parts: January, February, March and the vulnerabilities that were released between the Patch Tuesdays.

I will be using the reports that I created with my Vulristics tool. This time I’ll try to make the episodes shorter. I will describe only the most critical vulnerabilities. Links to the full reports are at the bottom of the blog post.

Continue reading

Vulristics: Beyond Microsoft Patch Tuesdays, Analyzing Arbitrary CVEs

Hello everyone! In this episode I would like to share an update for my Vulristics project.

For those who don’t know, in this project I am working on an alternative vulnerability scoring based on publicly available data to highlight vulnerabilities that need to be fixed as soon as possible. Roughly speaking, this is something like Tenable VPR, but more transparent and even open source. Currently it works with much less data sources. It mainly depends on the type of vulnerability, the prevalence of vulnerable software, public exploits and exploitation in the wild.

Elevation of Privilege - Windows Win32k

I started with Microsoft PatchTuesday Vulnerabilities because Microsoft provides much better data than other vendors. They have the type of vulnerability and the name of the vulnerable software in the title.

Elevation of Privilege - Windows Win32k MS site

But it’s time to go further and now you can use Vulristics to analyze any set of CVEs. I changed the scirpts that were closely related to the Microsoft datasource and added new features to get the type of vulnerability and name of the software from the CVE description.

Elevation of Privilege - Sudo (CVE-2021-3156) - High [595]
Continue reading

Vulristics Vulnerability Score, Automated Data Collection and Microsoft Patch Tuesdays Q4 2020

In this episode I would like to make a status update of my Vulristics project. For those who don’t know, in this project I retrieve publicly available vulnerability data and analyze it to better understand the severity of these vulnerabilities and better prioritize them. Currently, it is mainly about Microsoft Patch Tuesday vulnerabilities, but I have plans to go further. Also in this episode I want to demonstrate the new Vulristics features on Microsoft Patch Tuesday reports for October, November and December 2020.

Vulristics Vulnerability Scores, automated data collection and Microsoft Patch Tuesday Q4 2020

Patch Tuesdays Automated Data Collection

First of all, I dealt with the annoying collecting of the data for Microsoft Patch Tuesdays reports. Previously it took pretty long time. I had to go to Microsoft website and search for CVE IDs. After that, I had to get the comments from various Vulnerability Management vendors and researchers blogs (Tenable, Qualys, Rapid7, ZDI). I wanted this to be as much automated as possible. I have added some code to make CVE search requests on the Microsoft website for a date range (including the second Tuesday of the month). I also figured out how to make searches on the Vulnerability Management vendors blogs. So, now to get a Microsoft Patch Tuesday report it’s only necessary to set the year and month.

Continue reading