Vulnerability intelligence
with vulners
Igor Bulatenko
#:whoami
- vulners.com co-founder
- QIWI Group Security expert
- Web penetration tester
- Ex-security developer
- JBFC community participant
#:groups
- QIWI Security Team
- Kirill “isox” Ermakov (core)
- Igor “videns” Bulatenko (search)
- Ivan “vankyver” Yolkin (frontend)
- Alex “plex” Sekretov (parsers)
- Alex Leonov (Analytics)
Vulnerabilities are the gateways
by which threats are manifested
SANS Institute
Vulnerable
- Vulnerability - weakness which allows an attacker to reduce a system's information assurance (Wiki)
- Some kind of information that represents security issues
- Format-free description of a function f(object, conditions) returning True/False
Captain Obvious: Risks
- Information systems takeover
- Revocation of the licenses
- Business continuity
- Money loss
- …and a lot of other bad things
Vulnerability management process
- Mandatory component of information security
- Must-have for security-aware companies
- Required for compliance with PCI DSS and other standards
- Best practice for survival on the Internet
Quite easy overview
Content sources fail
- Every product has its own source of vulnerability data
- Most of the information is not usable by automated vulnerability scanners
- MITRE, NVD, SCAP, OVAL and others failed to standardize it
- Everyone is working on their own
- “Search”? Forget about it. Use Google instead.
Vendors are so cool
- Human-readable format only
- Advisories instead of criteria
- Differs from page to page
- CSS wasn’t discovered yet
- HTML actually too
Classics of vulnerability awareness
- Security mailing lists
- “Let’s talk about…”
- Full of references and links
- Guess the syntax
Vulnerability assessment
- Vulnerability Scanners
- Developed in the 1990s
- Heavy deployment process
- About 20-30 different vendors
Under the hood of the typical scanner
- Scripting engine
- PHP/Python/PAZL/NASL
- Vulnerability checks
- Hidden logic of detection
The Good, the Bad and the Ugly
- Slow in big enterprises
- Binary scripts
- Missing central management
- Agentless technology requiring root privileges
- Inventory != vulnerability scan
- Good model was designed years ago
Feature racing
- Black magic challenge of collecting data
- More checks = better scanner
- Harmless pentest. ORLY?
- Do you trust your security vendor?
Scanner check delay
OPS style security
- Inventory is already done. No need to do it again.
- You already have a dashboard
- Targeted utilities work better
- Version range checks
Let’s start from scratch
- Established in 2015 by QIWI Security Team
- Parsing and data collection framework
- Built by security engineers for OPS
- The only check to do: version range
- Clear scanning process
vulners.com: Information security “Google”
- Vulnerability source data aggregator
- Created by security specialists for security specialists
- Incredibly fast search engine
- Normalized, machine-readable content
- Audit features out-of-the-box
- API-driven development
Content
- Vendor security advisories
- Exploit databases
- Security scanner plugins and modules
- Bug bounty programs
- Informational resources
- 0 days from security scanners
- … 60+ different sources and growing
Normalization. We did it!
- All data has unified model
- Perfect for integration
- Security scanners ready
- Automatically updatable content
- Analytics welcome
Coverage? One of the largest security DBs
Search
- Google-style search string
- Dorks, advanced queries and many more
- UX-driven
- Human-oriented
- References and data linkage
- Extremely fast
Power of the aggregation
- Unified model in database
- Ability to perform correlation
- Security scanners comparison
- Reveal trends
API
- REST/JSON
- Integration focused scan features
- Audit calls for self-made security scanners
- Easily extensible
- Content sharing features
Advanced queries
- Any complex query
- title:httpd type:centos order:published last 15 days cvss.score:[7 TO 10]
- Sortable by any field of the model (type, CVSS, dates, reporter, etc)
- Apache Lucene syntax (AND, OR and so on)
- Exploit search by sources and CVEs
- cvelist:CVE-2014-0160 type:exploitdb
- sourceData:.bash_profile
- sourceData:"magic bytes"
Awareness as it should be
- Inspired by Google Search subscriptions
- Get only the content that you need
- Query based subscription
- Any delivery method:
- RSS
- Email
- Telegram
- API
RSS
- Fully customizable news feed in RSS format
- Powered by Apache Lucene query
- https://vulners.com/rss.xml?query=type:debian
- Updates-on-demand. No cache, it builds right when you ask it to.
- Atom, Webfeeds, mrss compatible
Email subscriptions
- Awareness service
- Absolutely customizable
Telegram news bot
- Up to 3 subscriptions per user
- In-app search
- Broadcast for emergency news
But…what about the scanner?
- Security scanner as a service
- Ready for Zabbix, Nagios, etc integration
- As simple as "rpm -qa"
- Clear decision making logic
Package version scanning
- Perform only host inventory
- Can be done manually
- Don’t need root privileges
- Vendor data provided in a compatible format
Security audit
- Linux OS vulnerability scan
- Immediate results
- Dramatically simple
Security audit API
- Easy to use: just give us the output of the package manager
- https://vulners.com/api/v3/audit/rpm/?os=centos&version=5&package=php-4.6.17-1.el5.remi-x86_64
- JSON result
- Vulnerabilities list
- Reason for the decision
- References list (exploits, and so on)
- Ready to go for Red Hat and Debian family
- Typical call time for 500+ packages list = 160ms
- It’s fast. Really fast.
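The decision logic behind such an audit call, as an added example that is not code from the deck or from the vulners-scanner project: it parses `rpm -qa` lines into name/epoch/version/release, compares versions the way rpm does (numeric vs. alphabetic segments, the `~` pre-release marker) and returns one decision per package together with the reason. The advisory records and the package list are constructed for the demo, and their shape is an assumption, not the vulners JSON schema.

```python
import re

# One `rpm -qa` line: name-[epoch:]version-release[.arch] ('-' before arch also accepted, as on the slide)
_NVRA = re.compile(
    r"^(?P<name>.+?)-(?:(?P<epoch>\d+):)?(?P<version>[^-]+)-(?P<release>[^-]+?)"
    r"(?:[.-](?P<arch>noarch|src|x86_64|i[3-6]86|aarch64|ppc64le))?$")


def rpmvercmp(a: str, b: str) -> int:
    """Compare rpm version/release strings like librpm (-1, 0, 1): digit runs numerically,
    letter runs as text, digits outrank letters, '~' (pre-release) sorts below everything."""
    if a == b:
        return 0
    i = j = 0
    while True:
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):  # skip separators
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = (i < len(a) and a[i] == "~"), (j < len(b) and b[j] == "~")
        if ta != tb:
            return -1 if ta else 1
        if ta:
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdecimal()
        pat = r"\d+" if numeric else r"[^\W\d_]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:  # segment classes differ: numeric is newer than alpha
            return 1 if numeric else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i < len(a) or j < len(b):  # whoever has segments left is newer
        return 1 if i < len(a) else -1
    return 0


def evr_compare(x: tuple, y: tuple) -> int:
    """Compare (epoch, version, release) triples in rpm order."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def parse_rpm_line(line: str):
    """Split an `rpm -qa` line into name, arch and (epoch, version, release); None if malformed."""
    m = _NVRA.match(line.strip())
    if not m:
        return None
    return {"name": m["name"], "arch": m["arch"],
            "evr": (int(m["epoch"] or 0), m["version"], m["release"])}


# Constructed advisory records for this demo (not the vulners schema): a package
# is vulnerable when its installed EVR is below the fixed EVR for that OS release.
ADVISORIES = [
    {"id": "DEMO-ADV-001", "os": "centos", "os_version": "5", "package": "php", "fixed": (0, "5.1.6", "45.el5_11")},
    {"id": "DEMO-ADV-002", "os": "centos", "os_version": "5", "package": "httpd", "fixed": (0, "2.2.3", "92.el5.centos")},
]


def audit(os_name: str, os_version: str, rpm_qa_output: str, advisories=ADVISORIES) -> dict:
    """One decision per installed package, each carrying the reason for it."""
    report = {}
    for line in filter(None, (ln.strip() for ln in rpm_qa_output.splitlines())):
        pkg = parse_rpm_line(line)
        if pkg is None:
            report[line] = {"vulnerable": False, "reason": "not an NVRA string", "advisories": []}
            continue
        hits = [a for a in advisories if (a["os"], a["os_version"], a["package"]) == (os_name, os_version, pkg["name"])]
        bad = [a for a in hits if evr_compare(pkg["evr"], a["fixed"]) < 0]
        if not hits:
            reason = "no advisory for this package on %s %s" % (os_name, os_version)
        elif bad:
            reason = "installed %s-%s is older than fixed %s-%s" % (pkg["evr"][1:] + bad[0]["fixed"][1:])
        else:
            reason = "installed version is at or above every fixed version"
        report[line] = {"vulnerable": bool(bad), "reason": reason, "advisories": [a["id"] for a in bad]}
    return report


# Constructed `rpm -qa` excerpt; the php line is the package from the slide's URL
SAMPLE_RPM_QA = "php-4.6.17-1.el5.remi.x86_64\nhttpd-2.2.3-92.el5.centos.x86_64\nopenssl-0.9.8e-36.el5_11.x86_64\n"
```

Run `audit("centos", "5", SAMPLE_RPM_QA)` to get the per-package report; the same inventory can be fed as-is, the real call only adds the HTTP transport.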
Home made scanner
- Available at GitHub
- Example of integration
- Free to fork
It is absolutely free
- Free for commercial and enterprise use
- Make your own solutions using our powers:
- Security scanners
- Threat intelligence
- Subscriptions
- Security automation
- Just please, post references if you can
Thanks
- videns@vulners.com
- https://github.com/videns/vulners-scanner/
- We are really trying to make this world better
- Stop paying for features which are available for free
Vulnerability intelligence with vulners.com / Кирилл Ермаков, Игорь Булатенко (QIWI)