Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко (QIWI)
•Transferir como PPTX, PDF•
0 gostou•1,877 visualizações
С чем у вас ассоциируется получение информации об уязвимостях? Почтовые списки, рассылки вендоров, репорты сканеров информационной безопасности и огромное многообразие источников данных, включая даже индивидуально настроенные обновления на поисковые запросы в Google. Вы используете разные платформы, множество аппаратных решений и целый букет библиотек в зависимостях вашего кода. Как отличить тот момент, когда пора все бросать и бежать ставить патчи, от minor-проблемы, не требующей мгновенных действий? Разрозненность данных, отсутствие унификации и миллион источников отлично характеризуют ситуацию. Казалось бы, CVE и CPE решили эту проблему. Да, каждая уязвимость имеет свой уникальный идентификатор, CVSS-вектор и привязку к уязвимому продукту. Можно отслеживать появление новых и вчитываться в суть проблемы. Но вы точно хотите выделить под это отдельного человека? В своем докладе мы раскроем, почему SCAP не решил проблему, как собрать все воедино в одном формате и создать одну из крупнейших бесплатных баз данных уязвимостей. Python, Elasticsearch, MongoDB и все-все-все. Также мы коснемся интимной темы vulnerability intelligence, расскажем, как просканировать Linux на наличие уязвимостей "бесплатно без SMS" за 160 миллисекунд и сделать систему оповещения о новых уязвимостях такой, какая нужна именно вам.
Recomendados
Recomendados
Mais conteúdo relacionado
Mais procurados
Mais procurados (20)
Destaque
Destaque (20)
Semelhante a Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко (QIWI)
Semelhante a Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко (QIWI) (20)
Mais de Ontico
Mais de Ontico (20)
Último
Último (20)
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко (QIWI)
- 1. Vulnerability intelligence with vulners Igor Bulatenko
- 2. #:whoami - vulners.com co-founder - QIWI Group Security expert - Web penetration tester - Ex-security developer - JBFC community participant
- 3. #:groups - QIWI Security Team - Kirill “isox” Ermakov (core) - Igor “videns” Bulatenko (search) - Ivan “vankyver” Yolkin (frontend) - Alex “plex” Sekretov (parsers) - Alex Leonov (Analytics)
- 4. Vulnerabilities are the gateways by which threats are manifested SANS institute
- 5. Vulnerable - Vulnerability - weakness which allows an attacker to reduce a system's information assurance (Wiki) - Some kind of information that represents security issues - Format-free description of function f(object, conditions) returning True/False
- 6. Captain Obvious: Risks - Information systems takeover - Revocation of the licenses - Business continuity - Money loss - …and a lot of other bad things
- 7. Vulnerability management process - Mandatory component of information security - Need2be for a security-aware companies - Necessary to perform in accordance with the PCIDSS and others - Best practice for survival in the Internet
- 9. Content sources fail - Every product has it’s own source of vulnerability data - Most information is not acceptable for automatic vulnerability scanners - MITRE, NVD, SCAP, OVAL and others failed to standardize it - Everyone is working on their own - “Search”? Forget about it. Use Google instead.
- 10. Vendors are so cool - Human only readable format - Advisories instead of criteria - Differs from page to page - CSS wasn’t discovered yet - HTML actually too
- 11. Classics of vulnerability awareness - Security mailing lists - “Let’s talk about…” - Full of references and links - Guess the syntax
- 12. Vulnerability assessment - Vulnerability Scanners - Developed in 90th - Heavy deployment process - About 20-30 different vendors
- 13. Under the hood of the typical scanner - Scripting engine - PHP/Python/PAZL/NASL - Vulnerability checks - Hidden logic of detection
- 14. The Good, the Bad and the Ugly - Slow in big enterprises - Binary scripts - Missing central management - Agentless technology requiring rootprivileges - Inventory != vulnerability scan - Good model was designed years ago
- 15. Feature racing - Black magic challenge of collecting data - More checks = better scanner - Harmless pentest. ORLY? - Do you trust your security vendor?
- 17. OPS style security - Inventory is already done. No need to do it again. - You already have a dashboard - Targeted utilities acts better - Version range checks
- 18. Let’s start from the scratch - Established at 2015 by QIWI Security Team - Parsing and data collection framework - Built by security engineers for OPS - The only check to do: version range - Clear scanning process
- 19. vulners.com: Information security “Google” - Vulnerability source data aggregator - Created by security specialists for security specialists - Incredibly fast search engine - Normalized, machine-readable content - Audit features out-of-the-box - API-driven development
- 20. Content - Vendor security advisories - Exploit databases - Security scanners plugins and modules - Bug bounty programs - Informational resources - 0 days from security scanners - … 60+ different sources and growing
- 21. Normalization. We did it! - All data has unified model - Perfect for integration - Security scanners ready - Automatic updateable content - Analytics welcome
- 22. Coverage? One of the largest security DB’s
- 23. Search - Google-style search string - Dorks, advanced queries and many more - UX-driven - Human-oriented - References and data linkage - Extremely fast
- 24. Power of the aggregation - Unified model in database - Ability to perform correlation - Security scanners comparison - Reveal trends
- 25. API - REST/JSON - Integration focused scan features - Audit calls for self-made security scanners - Easy expandable - Content sharing features
- 26. Advanced queries - Any complex query - title:httpd type:centos order:published last 15 days cvss.score:[7 TO 10] - Sortable by any field of the model (type, CVSS, dates, reporter, etc) - Apache Lucene syntax (AND, OR and so on) - Exploit search by sources and CVE’s - cvelist:CVE-2014-0160 type:exploitdb - sourceData:.bash_profile - sourceData:"magic bytes”
- 27. Awareness as it should be - Inspired by Google Search subscriptions - Get the only content that you need - Query based subscription - Any delivery method: - RSS - Email - Telegram - API
- 28. RSS - Fully customizable news feed in RSS format - Powered by Apache Lucene query - https://vulners.com/rss.xml?query=type:debian - Updates-on-demand. No cache, it builds right when you ask it to. - Atom, Webfeeds, mrss compatible
- 29. Email subscriptions - Awareness service - Absolutely customizable
- 30. Telegram news bot - Up to 3 subscriptions for user - In-app search - Broadcast for emergency news
- 31. But…what about the scanner? - Security scanner as a service - Ready for Zabbix, Nagios, etc integration - As simple as ”rpm –qa” - Clear decision making logic
- 32. Package version scanning - Perform only host inventory - Can be done manually - Don’t need root privileges - Vendors data provided in a compatible format
- 33. Security audit - Linux OS vulnerability scan - Immediate results - Dramatically simple
- 34. Security audit API - Easy to use: Just give us output of package manager - https://vulners.com/api/v3/audit/rpm/?os=centos&version=5&package=php-4.6.17- 1.el5.remi-x86_64 - JSON result - Vulnerabilities list - Reason of the decision - References list (exploits, and so on) - Ready to go for Red Hat and Debian family - Typical call time for 500+ packages list = 160ms - It’s fast. Really fast.
- 36. Home made scanner - Available at GitHub - Example of integration - Free to fork
- 37. It is absolutely free - Free for commercial and enterprise use - Make your own solutions using our powers: - Security scanners - Threat intelligence - Subscriptions - Security automation - Just please, post references if you can
- 38. Thanks - videns@vulners.com - https://github.com/videns/vulners-scanner/ - We are really trying to make this world better - Stop paying for features which are available for free