Another way to solve vulnerability management problem

1. Vulnerability intelligence
with vulners
Igor Bulatenko

2. #:whoami
- vulners.com co-founder
- QIWI Group Security expert
- Web penetration tester
- Ex-security developer
- JBFC community participant

3. #:groups
- QIWI Security Team
- Kirill “isox” Ermakov (core)
- Igor “videns” Bulatenko (search)
- Ivan “vankyver” Yolkin (frontend)
- Alex “plex” Sekretov (parsers)
- Alex Leonov (Analytics)

4. Vulnerabilities are the gateways
by which threats are manifested
SANS institute

5. Vulnerable
- Vulnerability - weakness which allows an attacker to reduce a
system's information assurance (Wiki)
- Some kind of information that represents security issues
- Format-free description of function f(object, conditions) returning
True/False

6. Captain Obvious: Risks
- Information systems takeover
- Revocation of the licenses
- Business continuity
- Money loss
- …and a lot of other bad things

7. Vulnerability management process
- Mandatory component of information security
- Need2be for a security-aware companies
- Necessary to perform in accordance with the PCIDSS and others
- Best practice for survival in the Internet

8. Quite easy overview

9. Content sources fail
- Every product has it’s own source of vulnerability data
- Most information is not acceptable for automatic vulnerability scanners
- MITRE, NVD, SCAP, OVAL and others failed to standardize it
- Everyone is working on their own
- “Search”? Forget about it. Use Google instead.

10. Vendors are so cool
- Human only readable format
- Advisories instead of criteria
- Differs from page to page
- CSS wasn’t discovered yet
- HTML actually too

11. Classics of vulnerability awareness
- Security mailing lists
- “Let’s talk about…”
- Full of references and links
- Guess the syntax

12. Vulnerability assessment
- Vulnerability Scanners
- Developed in 90th
- Heavy deployment process
- About 20-30 different vendors

13. Under the hood of the typical scanner
- Scripting engine
- PHP/Python/PAZL/NASL
- Vulnerability checks
- Hidden logic of detection

14. The Good, the Bad and the Ugly
- Slow in big enterprises
- Binary scripts
- Missing central management
- Agentless technology requiring rootprivileges
- Inventory != vulnerability scan
- Good model was designed years ago

15. Feature racing
- Black magic challenge of collecting data
- More checks = better scanner
- Harmless pentest. ORLY?
- Do you trust your security vendor?

16. Scanner check delay

17. OPS style security
- Inventory is already done. No need to do it again.
- You already have a dashboard
- Targeted utilities acts better
- Version range checks

18. Let’s start from the scratch
- Established at 2015 by QIWI Security Team
- Parsing and data collection framework
- Built by security engineers for OPS
- The only check to do: version range
- Clear scanning process

19. vulners.com: Information security “Google”
- Vulnerability source data aggregator
- Created by security specialists for security specialists
- Incredibly fast search engine
- Normalized, machine-readable content
- Audit features out-of-the-box
- API-driven development

20. Content
- Vendor security advisories
- Exploit databases
- Security scanners plugins and modules
- Bug bounty programs
- Informational resources
- 0 days from security scanners
- … 60+ different sources and growing

21. Normalization. We did it!
- All data has unified model
- Perfect for integration
- Security scanners ready
- Automatic updateable content
- Analytics welcome

22. Coverage? One of the largest security DB’s

23. Search
- Google-style search string
- Dorks, advanced queries and many more
- UX-driven
- Human-oriented
- References and data linkage
- Extremely fast

24. Power of the aggregation
- Unified model in database
- Ability to perform correlation
- Security scanners comparison
- Reveal trends

25. API
- REST/JSON
- Integration focused scan features
- Audit calls for self-made
security scanners
- Easy expandable
- Content sharing features

26. Advanced queries
- Any complex query
- title:httpd type:centos order:published last 15 days cvss.score:[7 TO 10]
- Sortable by any field of the model (type, CVSS, dates, reporter, etc)
- Apache Lucene syntax (AND, OR and so on)
- Exploit search by sources and CVE’s
- cvelist:CVE-2014-0160 type:exploitdb
- sourceData:.bash_profile
- sourceData:"magic bytes”

27. Awareness as it should be
- Inspired by Google Search subscriptions
- Get the only content that you need
- Query based subscription
- Any delivery method:
- RSS
- Email
- Telegram
- API

28. RSS
- Fully customizable news feed in RSS format
- Powered by Apache Lucene query
- https://vulners.com/rss.xml?query=type:debian
- Updates-on-demand. No cache, it builds right when you ask it to.
- Atom, Webfeeds, mrss compatible

29. Email subscriptions
- Awareness service
- Absolutely customizable

30. Telegram news bot
- Up to 3 subscriptions for user
- In-app search
- Broadcast for emergency news

31. But…what about the scanner?
- Security scanner as a service
- Ready for Zabbix, Nagios, etc integration
- As simple as ”rpm –qa”
- Clear decision making logic

32. Package version scanning
- Perform only host inventory
- Can be done manually
- Don’t need root privileges
- Vendors data provided in a compatible format

33. Security audit
- Linux OS vulnerability scan
- Immediate results
- Dramatically simple

34. Security audit API
- Easy to use: Just give us output of package manager
- https://vulners.com/api/v3/audit/rpm/?os=centos&version=5&package=php-4.6.17-
1.el5.remi-x86_64
- JSON result
- Vulnerabilities list
- Reason of the decision
- References list (exploits, and so on)
- Ready to go for Red Hat and Debian family
- Typical call time for 500+ packages list = 160ms
- It’s fast. Really fast.

35. Security audit API

36. Home made scanner
- Available at GitHub
- Example of integration
- Free to fork

37. It is absolutely free
- Free for commercial and enterprise use
- Make your own solutions using our powers:
- Security scanners
- Threat intelligence
- Subscriptions
- Security automation
- Just please, post references if you can 

38. Thanks
- videns@vulners.com
- https://github.com/videns/vulners-scanner/
- We are really trying to make this world better
- Stop paying for features which are available for free