Last Tuesday and Wednesday, May 23-24, I attended the PHDays VII conference in Moscow. I talked there about vulnerability databases and the evolution of vulnerability assessment tools, as far as I understand it. Read more and watch the video: https://avleonov.com/2017/05/29/phdays-vii-to-vulnerability-database-and-beyond/
7. Vulnerability Base (evolution diagram)
Vulnerability Base
+ Search System
+ Notification Service
-> Vulnerability Intelligence
+ API
+ Applicability Verification
+ Detection Rules & Plugins
+ Transports
-> Vulnerability Scanner
+ Dashboards
+ TaskTracker
-> Vulnerability Management
+ Infrastructure context
-> Threat/Risk Management
8. Still a Vulnerability Database!
(Vulnerability Base)
- Vulnerabilities your vendor knows/doesn't know about
- Vulnerabilities your vendor can/can't detect in various scanning modes
- How quickly your vendor adds detection plugins
13. Vulnerability Hype
- Researchers can overestimate the importance of a vulnerability for self-promotion
- Hyped vulnerability: really critical or not?
- What is out of scope?
16. CVSS
- Every CVSS vector was filled in manually by some analyst
- Vectors appear in databases with significant latency
- For most vulnerabilities the Temporal vector is not available
- Doesn't express current relevance and criticality based on all factors
17. CVSS
Heartbleed, CVE-2014-0160
https://www.tenable.com/plugins/index.php?view=single&id=73412
High / CVSS Base Score: 5.0 (Medium); vector (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
High / CVSS Base Score: 9.4 (High); vector (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N)
Confidentiality Impact: Complete or Partial?
Integrity Impact: None or Complete?
18. CVSS
“CVSSv3 doesn’t fix the major disparities with data confidentiality.
Instead the whole flawed section is exactly the same.”
https://www.pentestpartners.com/blog/cvssv3-whats-changed-or-why-even-bother/
35. Problems
- It's all about CVEs
  - One vulnerability, a lot of CVEs
  - Vulnerabilities without CVEs
- Subjective formulas for Danger and Relevance
- Data sources