What comes to mind when you think about getting vulnerability information?
Mailing lists, vendor bulletins, security scanner reports and a huge variety of other data sources, down to individually configured Google search alerts. You run different platforms, plenty of hardware solutions and a whole bouquet of libraries in your code's dependencies. How do you tell the moment when it is time to drop everything and go install patches from a minor issue that needs no immediate action?
Scattered data, no unification and a million sources describe the situation well. CVE and CPE, it would seem, solved this problem. Yes, every vulnerability has its own unique identifier, a CVSS vector and a link to the vulnerable product. You can track new ones as they appear and read into the essence of each problem. But do you really want to dedicate a separate person to that?
In this talk we explain why SCAP did not solve the problem, how to gather everything together in one format and build one of the largest free vulnerability databases. Python, Elasticsearch, MongoDB and all the rest. We also touch on the intimate topic of vulnerability intelligence, show how to scan Linux for vulnerabilities "free of charge, no SMS required" in 160 milliseconds, and build a new-vulnerability notification system that delivers exactly what you need.
5. Vulnerable
- Vulnerability: a weakness which allows an attacker to reduce a system's information assurance (Wikipedia)
- In practice: any piece of information that represents a security issue
- A format-free description of a function f(object, conditions) returning True/False
6. Captain Obvious: Risks
- Information systems takeover
- Revocation of licenses
- Business continuity
- Money loss
- …and a lot of other bad things
7. Vulnerability management process
- Mandatory component of information security
- Must-have for security-aware companies
- Required by PCI DSS and other standards
- Best practice for surviving on the Internet
9. Content sources fail
- Every product has its own source of vulnerability data
- Most of that information is not usable by automated vulnerability scanners
- MITRE, NVD, SCAP, OVAL and others failed to standardize it
- Everyone is working on their own
- “Search”? Forget about it. Use Google instead.
10. Vendors are so cool
- Human-readable only
- Advisories instead of detection criteria
- Differs from page to page
- CSS has not been discovered yet
- Neither has HTML, actually
11. Classics of vulnerability awareness
- Security mailing lists
- “Let’s talk about…”
- Full of references and links
- Guess the syntax
13. Under the hood of the typical scanner
- Scripting engine
- PHP/Python/PAZL/NASL
- Vulnerability checks
- Detection logic is hidden
14. The Good, the Bad and the Ugly
- Slow in big enterprises
- Binary scripts
- Missing central management
- Agentless technology requiring root privileges
- Inventory != vulnerability scan
- A model that was good years ago
15. Feature racing
- Collecting data is a black-magic challenge
- More checks = better scanner
- Harmless pentest. ORLY?
- Do you trust your security vendor?
17. OPS style security
- Inventory is already done. No need to do it again.
- You already have a dashboard
- Targeted utilities work better
- Version range checks
18. Let's start from scratch
- Started in 2015 by the QIWI Security Team
- Parsing and data collection framework
- Built by security engineers for OPS
- The only check to do: version range
- Clear scanning process
19. vulners.com: Information security “Google”
- Vulnerability source data aggregator
- Created by security specialists for security specialists
- Incredibly fast search engine
- Normalized, machine-readable content
- Audit features out-of-the-box
- API-driven development
20. Content
- Vendor security advisories
- Exploit databases
- Security scanners plugins and modules
- Bug bounty programs
- Informational resources
- 0-days from security scanners
- … 60+ different sources and growing
21. Normalization. We did it!
- All data has a unified model
- Perfect for integration
- Security scanners ready
- Automatically updated content
- Analytics welcome
23. Search
- Google-style search string
- Dorks, advanced queries and many more
- UX-driven
- Human-oriented
- References and data linkage
- Extremely fast
24. Power of the aggregation
- Unified model in database
- Ability to perform correlation
- Security scanners comparison
- Reveal trends
25. API
- REST/JSON
- Integration focused scan features
- Audit calls for self-made security scanners
- Easily extendable
- Content sharing features
26. Advanced queries
- Any complex query
- title:httpd type:centos order:published last 15 days cvss.score:[7 TO 10]
- Sortable by any field of the model (type, CVSS, dates, reporter, etc)
- Apache Lucene syntax (AND, OR and so on)
- Exploit search by sources and CVEs
- cvelist:CVE-2014-0160 type:exploitdb
- sourceData:.bash_profile
- sourceData:"magic bytes"
27. Awareness as it should be
- Inspired by Google Search subscriptions
- Get only the content you need
- Query based subscription
- Any delivery method:
- RSS
- Email
- Telegram
- API
28. RSS
- Fully customizable news feed in RSS format
- Powered by Apache Lucene query
- https://vulners.com/rss.xml?query=type:debian
- Built on demand: no cache, the feed is generated when you request it
- Atom, WebFeeds and MRSS compatible
30. Telegram news bot
- Up to 3 subscriptions per user
- In-app search
- Broadcast for emergency news
31. But…what about the scanner?
- Security scanner as a service
- Ready for Zabbix, Nagios, etc. integration
- As simple as "rpm -qa"
- Clear decision making logic
32. Package version scanning
- Only a host inventory is performed
- Can be done manually
- No root privileges needed
- Vendor data provided in a compatible format
34. Security audit API
- Easy to use: just give us the output of the package manager
- https://vulners.com/api/v3/audit/rpm/?os=centos&version=5&package=php-4.6.17-1.el5.remi-x86_64
- JSON result
- Vulnerabilities list
- Reason for the decision
- References list (exploits, and so on)
- Ready to go for the Red Hat and Debian families
- Typical call time for a 500+ package list: 160 ms
- It's fast. Really fast.
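The version-range check that slides 17, 18 and 32 describe, and the decision report with a reason per finding that slide 34 returns, carried out locally as an added Python example (this is not code from the talk or from vulners.com). It parses default `rpm -qa` output, compares the installed epoch:version-release against a first-fixed version with a port of rpm's rpmvercmp() segment comparison, and reports every hit with the reason for the decision. The `rpm -qa` lines and the ADVISORIES table are constructed for illustration; the advisory IDs, fixed versions and CVE mapping are assumptions, not vulners.com data.

```python
import json

# Constructed sample of default `rpm -qa` output (not a real host inventory).
RPM_QA_OUTPUT = """\
openssl-1.0.1e-16.el6_5.4.x86_64
bash-4.1.2-15.el6_4.x86_64
httpd-2.2.15-60.el6.centos.6.x86_64
python-devel-2.6.6-66.el6_8.x86_64
gpg-pubkey-c105b9de-4e0fd3a3
"""

# Constructed advisory table: name -> [(advisory id, first fixed EVR, references)].
# IDs, fixed versions and the CVE mapping are assumptions, not vulners.com content.
ADVISORIES = {
    "openssl": [("ADV-EXAMPLE-1", "1.0.1e-16.el6_5.7", ["CVE-2014-0160"])],
    "bash":    [("ADV-EXAMPLE-2", "4.1.2-15.el6_5.2", ["CVE-EXAMPLE-2"])],
    "httpd":   [("ADV-EXAMPLE-3", "2.2.15-59.el6.centos", ["CVE-EXAMPLE-3"])],
}

def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): compare version/release strings segment by
    segment (numeric vs alpha, leading zeros, '~' pre-release); -1/0/1. '^' not handled."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum() and a[i] != "~":
            i += 1                      # skip separators such as '.', '_', '-'
        while j < len(b) and not b[j].isalnum() and b[j] != "~":
            j += 1
        ta = i < len(a) and a[i] == "~"  # '~' sorts before anything, even end of string
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if ta != tb:
                return 1 if tb else -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        same = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while si < len(a) and same(a[si]):
            si += 1
        while sj < len(b) and same(b[sj]):
            sj += 1
        if sj == j:                     # different segment types: numeric is newer
            return 1 if isnum else -1
        seg_a, seg_b = a[i:si], b[j:sj]
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more digits wins
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = si, sj
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1

def split_evr(evr):
    """'[epoch:]version[-release]' -> (int epoch, version, release); epoch defaults to 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evrcmp(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    (ea, va, ra), (eb, vb, rb) = split_evr(a), split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def parse_nvra(line):
    """Split 'name-version-release.arch' from the right so hyphens in the name survive."""
    rest, arch = line.rsplit(".", 1)
    rest, release = rest.rsplit("-", 1)
    name, version = rest.rsplit("-", 1)
    return name, version, release, arch

def audit(rpm_qa_output, advisories=ADVISORIES):
    """The only check: is the installed EVR older than the first fixed EVR? Says why."""
    report = {"vulnerabilities": set(), "packages": {}}
    for line in rpm_qa_output.split():
        if "." not in line or line.count("-") < 2:
            continue                    # e.g. gpg-pubkey-* entries carry no arch
        name, version, release, _arch = parse_nvra(line)
        installed = f"{version}-{release}"   # default rpm -qa output has no epoch
        for adv_id, fixed, refs in advisories.get(name, []):
            if evrcmp(installed, fixed) < 0:
                report["vulnerabilities"].add(adv_id)
                report["packages"].setdefault(line, []).append(
                    {"id": adv_id, "references": refs,
                     "reason": f"{name} {installed} < fixed {fixed}"})
    report["vulnerabilities"] = sorted(report["vulnerabilities"])
    return report

if __name__ == "__main__":
    print(json.dumps(audit(RPM_QA_OUTPUT), indent=2))
```

Run it and the report is printed as JSON: openssl and bash are flagged because their release is below the fixed one, httpd is not because 60.el6.centos.6 sorts after 59.el6.centos. Two caveats a practitioner should keep in mind: default `rpm -qa` output omits the epoch, so packages with a non-zero epoch need a query format that prints it (for example `rpm -qa --qf '%{NAME} %{EPOCH} %{VERSION} %{RELEASE} %{ARCH}\n'`, which prints `(none)` when unset); and a distribution's backported fix is only detected correctly when the advisory table carries the distribution's own fixed release rather than the upstream version, which is why vendor data in a compatible format (slide 32) is the hard part.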
36. Home-made scanner
- Available at GitHub
- Example of integration
- Free to fork
37. It is absolutely free
- Free for commercial and enterprise use
- Build your own solutions on top of it:
- Security scanners
- Threat intelligence
- Subscriptions
- Security automation
- Just please post a reference if you can