Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко (QIWI)
Download as PPTX, PDF0 likes1,903 views
Vulners is a vulnerability intelligence platform founded by Igor Bulatenko and the Qiwi security team that aggregates security data and provides a fast, Google-style search engine for vulnerabilities. The platform aims to simplify vulnerability management and assessment by offering a unified model for data normalization, audit features, and customizable content subscriptions. Vulners also provides an API for easy integration with existing security systems and tools, enhancing the efficiency of vulnerability scanning and threat intelligence.
![Advanced queries
- Any complex query
- title:httpd type:centos order:published last 15 days cvss.score:[7 TO 10]
- Sortable by any field of the model (type, CVSS, dates, reporter, etc)
- Apache Lucene syntax (AND, OR and so on)
- Exploit search by sources and CVE’s
- cvelist:CVE-2014-0160 type:exploitdb
- sourceData:.bash_profile
- sourceData:"magic bytes”](https://image.slidesharecdn.com/2-161114182615/85/Vulnerability-intelligence-with-vulners-com-QIWI-26-320.jpg)
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко (QIWI)
- 1. Vulnerability intelligence with vulners Igor Bulatenko
- 2. #:whoami - vulners.com co-founder - QIWI Group Security expert - Web penetration tester - Ex-security developer - JBFC community participant
- 3. #:groups - QIWI Security Team - Kirill “isox” Ermakov (core) - Igor “videns” Bulatenko (search) - Ivan “vankyver” Yolkin (frontend) - Alex “plex” Sekretov (parsers) - Alex Leonov (Analytics)
- 4. Vulnerabilities are the gateways by which threats are manifested SANS institute
- 5. Vulnerable - Vulnerability - weakness which allows an attacker to reduce a system's information assurance (Wiki) - Some kind of information that represents security issues - Format-free description of function f(object, conditions) returning True/False
- 6. Captain Obvious: Risks - Information systems takeover - Revocation of the licenses - Business continuity - Money loss - …and a lot of other bad things
- 7. Vulnerability management process - Mandatory component of information security - Need2be for a security-aware companies - Necessary to perform in accordance with the PCIDSS and others - Best practice for survival in the Internet
- 9. Content sources fail - Every product has it’s own source of vulnerability data - Most information is not acceptable for automatic vulnerability scanners - MITRE, NVD, SCAP, OVAL and others failed to standardize it - Everyone is working on their own - “Search”? Forget about it. Use Google instead.
- 10. Vendors are so cool - Human only readable format - Advisories instead of criteria - Differs from page to page - CSS wasn’t discovered yet - HTML actually too
- 11. Classics of vulnerability awareness - Security mailing lists - “Let’s talk about…” - Full of references and links - Guess the syntax
- 12. Vulnerability assessment - Vulnerability Scanners - Developed in 90th - Heavy deployment process - About 20-30 different vendors
- 13. Under the hood of the typical scanner - Scripting engine - PHP/Python/PAZL/NASL - Vulnerability checks - Hidden logic of detection
- 14. The Good, the Bad and the Ugly - Slow in big enterprises - Binary scripts - Missing central management - Agentless technology requiring rootprivileges - Inventory != vulnerability scan - Good model was designed years ago
- 15. Feature racing - Black magic challenge of collecting data - More checks = better scanner - Harmless pentest. ORLY? - Do you trust your security vendor?
- 17. OPS style security - Inventory is already done. No need to do it again. - You already have a dashboard - Targeted utilities acts better - Version range checks
- 18. Let’s start from the scratch - Established at 2015 by QIWI Security Team - Parsing and data collection framework - Built by security engineers for OPS - The only check to do: version range - Clear scanning process
- 19. vulners.com: Information security “Google” - Vulnerability source data aggregator - Created by security specialists for security specialists - Incredibly fast search engine - Normalized, machine-readable content - Audit features out-of-the-box - API-driven development
- 20. Content - Vendor security advisories - Exploit databases - Security scanners plugins and modules - Bug bounty programs - Informational resources - 0 days from security scanners - … 60+ different sources and growing
- 21. Normalization. We did it! - All data has unified model - Perfect for integration - Security scanners ready - Automatic updateable content - Analytics welcome
- 22. Coverage? One of the largest security DB’s
- 23. Search - Google-style search string - Dorks, advanced queries and many more - UX-driven - Human-oriented - References and data linkage - Extremely fast
- 24. Power of the aggregation - Unified model in database - Ability to perform correlation - Security scanners comparison - Reveal trends
- 25. API - REST/JSON - Integration focused scan features - Audit calls for self-made security scanners - Easy expandable - Content sharing features
- 26. Advanced queries - Any complex query - title:httpd type:centos order:published last 15 days cvss.score:[7 TO 10] - Sortable by any field of the model (type, CVSS, dates, reporter, etc) - Apache Lucene syntax (AND, OR and so on) - Exploit search by sources and CVE’s - cvelist:CVE-2014-0160 type:exploitdb - sourceData:.bash_profile - sourceData:"magic bytes”
- 27. Awareness as it should be - Inspired by Google Search subscriptions - Get the only content that you need - Query based subscription - Any delivery method: - RSS - Email - Telegram - API
- 28. RSS - Fully customizable news feed in RSS format - Powered by Apache Lucene query - https://vulners.com/rss.xml?query=type:debian - Updates-on-demand. No cache, it builds right when you ask it to. - Atom, Webfeeds, mrss compatible
- 29. Email subscriptions - Awareness service - Absolutely customizable
- 30. Telegram news bot - Up to 3 subscriptions for user - In-app search - Broadcast for emergency news
- 31. But…what about the scanner? - Security scanner as a service - Ready for Zabbix, Nagios, etc integration - As simple as ”rpm –qa” - Clear decision making logic
- 32. Package version scanning - Perform only host inventory - Can be done manually - Don’t need root privileges - Vendors data provided in a compatible format
- 33. Security audit - Linux OS vulnerability scan - Immediate results - Dramatically simple
- 34. Security audit API - Easy to use: Just give us output of package manager - https://vulners.com/api/v3/audit/rpm/?os=centos&version=5&package=php-4.6.17- 1.el5.remi-x86_64 - JSON result - Vulnerabilities list - Reason of the decision - References list (exploits, and so on) - Ready to go for Red Hat and Debian family - Typical call time for 500+ packages list = 160ms - It’s fast. Really fast.
- 36. Home made scanner - Available at GitHub - Example of integration - Free to fork
- 37. It is absolutely free - Free for commercial and enterprise use - Make your own solutions using our powers: - Security scanners - Threat intelligence - Subscriptions - Security automation - Just please, post references if you can
- 38. Thanks - videns@vulners.com - https://github.com/videns/vulners-scanner/ - We are really trying to make this world better - Stop paying for features which are available for free