Automated Vulnerability Assessment and Management
whoami!
• I'm Anand Tiwari
• Bug hunter on the Internet – disclosed vulnerabilities to @Google, @Facebook, @Twitter etc.
• Pentester – WebApp, MobApp & Network
• Working @ Philips Healthcare on securing medical devices.
• 5+ years of experience in InfoSec.
• I love automation for repeated work.
Agenda
• What is Vulnerability Assessment & Management?
• Archery - Open Source VA/VM Tool.
• Challenges in VA/VM.
• How Archery works?
• Automated Web Application Dynamic Scanning.
• Demo time.
• Roadmap.
• How to Contribute?
• Q/A
Vulnerability Assessment. (Image source - Google)
Vulnerability Management. (Image source - Google)
Challenges in VA/VM
• Multiple scanners, each with its own output format.
• Managing a huge list of vulnerabilities.
• Analysing results and removing false positives.
• Prioritising vulnerabilities.
• Tracking vulnerability mitigation.
• Organizing periodic scans.
Archery - Open Source VA/VM Tool.
• Open source vulnerability assessment and management tool.
• Automates vulnerability scanners.
• Vulnerability data dashboard.
• Helps you manage and prioritise vulnerabilities.
• Useful for pentesters and developers.
• Easy to integrate into a CI/CD environment.
• Built in Python using Django.
How Archery works?
Scanners (ZAP data, Burp data, OpenVAS data) -> Archery result parsing -> Archery database -> Dashboard
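The pipeline on this slide (scanner output in, parsed findings in a database, dashboard on top) is where the challenges from the previous slide get solved: one schema for every scanner, duplicates collapsed, false positives suppressed, findings ordered by severity, and rerun results diffed against the last scan to track mitigation. The block below is an added example of that result-parsing stage, written for this page; it is not Archery's code. The ZAP-style JSON report and the OpenVAS-style XML fragment are constructed inputs with simplified field names (an assumption; the real report formats are richer), and the normalizing, fingerprinting and diffing logic is the general pattern rather than Archery's specific implementation.

```python
"""Normalize findings from several scanners into one store, deduplicate,
suppress known false positives, order by severity and diff against a
previous scan. Added example, not Archery's own code."""
import hashlib
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "informational": 0, "info": 0}

# Constructed ZAP-style report: one XSS alert with two instances that differ
# only in the query string, plus one missing-header alert.
ZAP_REPORT = json.dumps({
    "site": [{"@name": "https://app.example.test", "alerts": [
        {"name": "Cross Site Scripting (Reflected)", "riskdesc": "High (Medium)",
         "instances": [{"uri": "https://app.example.test/search?q=x", "param": "q"},
                       {"uri": "https://app.example.test/search?q=y", "param": "q"}]},
        {"name": "X-Content-Type-Options Header Missing", "riskdesc": "Low (Medium)",
         "instances": [{"uri": "https://app.example.test/", "param": ""}]},
    ]}]
})

# Constructed OpenVAS-style result list (field names simplified for this
# example; the real report schema is an assumption not checked here). The
# same result is reported twice to exercise deduplication.
OPENVAS_REPORT = """<report>
  <result><name>OpenSSH weak cipher</name><host>10.0.0.5</host><port>22/tcp</port><threat>Medium</threat></result>
  <result><name>OpenSSH weak cipher</name><host>10.0.0.5</host><port>22/tcp</port><threat>Medium</threat></result>
</report>"""


@dataclass(frozen=True)
class Finding:
    scanner: str
    title: str
    severity: str   # normalized: critical/high/medium/low/info
    target: str     # URL without query string, or host
    location: str   # parameter name, or port

    @property
    def fingerprint(self) -> str:
        # Stable id independent of scanner and run, so reruns hit the same record.
        raw = "|".join((self.title, self.target, self.location)).lower()
        return hashlib.sha256(raw.encode()).hexdigest()[:16]


def normalize_severity(text: str) -> str:
    # ZAP writes "High (Medium)" = risk (confidence); OpenVAS writes "Medium".
    level = text.split("(")[0].strip().lower()
    return level if level in SEVERITY_RANK else "info"


def parse_zap(report_json: str) -> list:
    data = json.loads(report_json)
    out = []
    for site in data.get("site", []):
        for alert in site.get("alerts", []):
            sev = normalize_severity(alert.get("riskdesc", ""))
            for inst in alert.get("instances", []):
                target = inst.get("uri", "").split("?", 1)[0]  # drop query string
                out.append(Finding("zap", alert["name"], sev, target, inst.get("param", "")))
    return out


def parse_openvas(report_xml: str) -> list:
    root = ET.fromstring(report_xml)
    out = []
    for r in root.iter("result"):
        sev = normalize_severity(r.findtext("threat", ""))
        out.append(Finding("openvas", r.findtext("name", ""), sev,
                           r.findtext("host", ""), r.findtext("port", "")))
    return out


def dedupe(findings: list) -> list:
    seen = {}
    for f in findings:
        seen.setdefault(f.fingerprint, f)  # keep the first sighting
    return list(seen.values())


def triage(findings: list, false_positives=frozenset()) -> list:
    """Deduplicate, drop analyst-marked false positives, highest severity first."""
    live = [f for f in dedupe(findings) if f.fingerprint not in false_positives]
    return sorted(live, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)


def diff_scans(previous_fingerprints, current: list) -> dict:
    """Mitigation tracking: what appeared, what disappeared, what is still open."""
    cur = {f.fingerprint for f in dedupe(current)}
    prev = set(previous_fingerprints)
    return {"new": sorted(cur - prev), "fixed": sorted(prev - cur), "open": sorted(prev & cur)}


if __name__ == "__main__":
    queue = triage(parse_zap(ZAP_REPORT) + parse_openvas(OPENVAS_REPORT))
    for f in queue:
        print(f"{f.severity:<7} {f.fingerprint} {f.scanner:<8} {f.title} @ {f.target} {f.location}")
```

Five raw results collapse to three records; the two XSS instances share a fingerprint because the query string is stripped before hashing, which is the decision that keeps one reflected-XSS bug from appearing once per crawled URL. Whatever an analyst marks as a false positive is stored by fingerprint, so the suppression survives the next periodic scan, and `diff_scans` gives the fixed/new/open split a dashboard needs.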
Web Application Dynamic Authenticated Scanning.
Input URL -> Selenium Webdriver (performs the login) -> Cookies db -> ZAP Replacer -> ZAP Scanner
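The slide's flow is: Selenium drives a real browser through the login, the resulting session cookies land in a cookie store, and a ZAP Replacer rule rewrites the Cookie header on every request the scanner sends, so spider and active scan run as the logged-in user. The step a practitioner has to get right is the middle one: which captured cookies may be replayed against which target. The block below is an added example written for this page, not Archery's code and not part of ZAP. The cookie list is constructed in the dict shape that Selenium's `driver.get_cookies()` returns; `replacer_rule` builds the parameters for ZAP's `replacer/action/addRule` endpoint, and those parameter names (`matchType`, `matchRegex`, `matchString`, `replacement`, `initiators`) are an assumption to check against your ZAP version's API listing. `ZAP_BASE` and the API key are placeholders.

```python
"""Turn cookies captured after a Selenium-driven login into a ZAP Replacer
rule that injects them into scan requests. Added example, not Archery's code."""
from urllib.parse import urlencode, urlsplit

# Constructed sample in the shape of selenium's driver.get_cookies().
# "expiry" is a Unix timestamp; session cookies have no expiry key.
CAPTURED_COOKIES = [
    {"name": "sessionid", "value": "s3ss10n", "domain": "app.example.test", "path": "/",
     "expiry": 1_900_000_000, "secure": True, "httpOnly": True},
    {"name": "csrftoken", "value": "t0k3n", "domain": ".example.test", "path": "/",
     "secure": True, "httpOnly": False},
    # Already expired: replaying it only adds noise to the scan.
    {"name": "stale", "value": "old", "domain": "app.example.test", "path": "/",
     "expiry": 1_000_000_000, "secure": False, "httpOnly": False},
    # Belongs to the SSO host, must not be sent to the application host.
    {"name": "sso_token", "value": "leak", "domain": "sso.example.test", "path": "/",
     "secure": True, "httpOnly": True},
]


def domain_matches(cookie_domain: str, host: str) -> bool:
    """RFC 6265 style domain match: exact host, or any subdomain for a dotted domain."""
    bare = cookie_domain.lstrip(".")
    if host == bare:
        return True
    return cookie_domain.startswith(".") and host.endswith("." + bare)


def select_cookies(cookies: list, target_url: str, now: int) -> list:
    """Keep only cookies the browser itself would send to target_url right now."""
    parts = urlsplit(target_url)
    host = parts.hostname or ""
    chosen = []
    for c in cookies:
        if "expiry" in c and c["expiry"] <= now:
            continue  # expired
        if c.get("secure") and parts.scheme != "https":
            continue  # Secure cookie must not go over plain HTTP
        if not domain_matches(c["domain"], host):
            continue  # scoped to another host
        chosen.append(c)
    return chosen


def cookie_header(cookies: list) -> str:
    return "; ".join(f"{c['name']}={c['value']}" for c in cookies)


def replacer_rule(cookies: list, target_url: str, now: int,
                  description: str = "archery-auth-cookies") -> dict:
    """Parameters for ZAP's replacer addRule action (names are an assumption)."""
    header = cookie_header(select_cookies(cookies, target_url, now))
    if not header:
        # Nothing usable usually means the Selenium login did not succeed.
        raise ValueError("no cookies apply to the target; check the login step")
    return {
        "description": description,
        "enabled": "true",
        "matchType": "REQ_HEADER",   # replace a request header by name
        "matchRegex": "false",
        "matchString": "Cookie",
        "replacement": header,
        "initiators": "",            # empty = apply to all initiators (spider, ascan, ...)
    }


def replacer_url(zap_base: str, rule: dict, apikey: str) -> str:
    """URL the scan driver would GET to register the rule (placeholders for base/key)."""
    return f"{zap_base}/JSON/replacer/action/addRule/?{urlencode(dict(rule, apikey=apikey))}"


if __name__ == "__main__":
    ZAP_BASE = "http://ZAP_HOST_PLACEHOLDER:8080"   # placeholder, not a real instance
    rule = replacer_rule(CAPTURED_COOKIES, "https://app.example.test/", now=1_500_000_000)
    print(rule["replacement"])
    print(replacer_url(ZAP_BASE, rule, apikey="APIKEY_PLACEHOLDER"))
```

Against `https://app.example.test/` two of the four captured cookies survive: the expired one is dropped and the SSO host's cookie stays where it belongs. Against the same host over plain `http://` nothing survives, because both remaining cookies carry the Secure flag, and the rule builder refuses rather than starting an unauthenticated scan that would silently report the login page for every URL.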
Demo
Roadmap
• More open source and commercial tool plugin support.
• API scanning and management.
• Mobile vulnerability management.
• Vulnerability PoC pictures.
• Cloud security scanning.
• Reporting formats.
How to Contribute?
• Test the Archery tool.
• Write scanner plugins or suggest scanners to support.
• Use / promote / write about the tool.
• Report issues & feedback @ https://github.com/archerysec/archerysec/issues
Documentation
• http://www.archerysec.info
• https://archerysec.github.io/archerysec/
• https://archerysec.github.io/archerysecapi/
Contact
• Twitter - https://twitter.com/archerysec
• Facebook - https://www.facebook.com/ArcherySec/
• GitHub - https://github.com/archerysec/