Data point names (as listed on the slide):
entry: id, entry_timestamp_queue, entry_timestamp_create, entry_timestamp_change, entry_maintainer_queue, entry_maintainer_create, entry_maintainer_change, entry_changelog, entry_smss
software: software_type, software_vendor, software_name, software_version, software_platform, software_component, software_file, software_library, software_function, software_argument, software_input_type, software_input_value, software_website, software_affectedlist, software_advisoryquote, software_freetext_de, software_freetext_en
vulnerability: vulnerability_discoverydate, vulnerability_vendorinformdate, vulnerability_class, vulnerability_impact, vulnerability_risk, vulnerability_simplicity, vulnerability_popularity, vulnerability_historic, vulnerability_cvss_av, vulnerability_cvss_ac, vulnerability_cvss_au, vulnerability_cvss_ci, vulnerability_cvss_ii, vulnerability_cvss_ai, vulnerability_titleword, vulnerability_keywords, vulnerability_sourcecode, vulnerability_advisoryquote, vulnerability_freetext_de, vulnerability_freetext_en
advisory: advisory_date, advisory_location, advisory_type, advisory_url, advisory_via, advisory_identifier, advisory_reportconfidence, advisory_coordination, advisory_person_name, advisory_person_nickname, advisory_person_mail, advisory_person_website, advisory_company_name, advisory_confirm_url, advisory_confirm_date, advisory_disputed, advisory_advisoryquote, advisory_freetext_de, advisory_freetext_en
exploit: exploit_availability, exploit_date, exploit_publicity, exploit_url, exploit_developer_name, exploit_developer_nickname, exploit_developer_mail, exploit_developer_website, exploit_language, exploit_exploitability, exploit_reliability, exploit_wormified, exploit_googlehack, exploit_advisoryquote, exploit_sourcecode, exploit_freetext_de, exploit_freetext_en
countermeasure: countermeasure_remediationlev, countermeasure_name, countermeasure_date, countermeasure_reliability, countermeasure_upgrade_vers, countermeasure_upgrade_url, countermeasure_patch_name
Adventures in a Decade of Tracking and
Consolidating Security Vulnerabilities
Marc Ruef
www.scip.ch
area41 Security Conference
June 2014, Zürich, Switzerland
Agenda | Vulnerability Database Maintenance
1. Intro
Introduction 2 min
Who am I? 2 min
What is the Goal? 2 min
2. Vulnerability Database Maintenance
Design the Database 5 min
Handling of Sources 4 min
Interpretation of Data 4 min
Correlation of Data 4 min
Quality Management 5 min
Extrapolation of Data 5 min
Deliver your Results 5 min
Statistical Analysis 5 min
Provide Accessibility 5 min
Use Connectivity 5 min
3. Outro
Summary 2 min
Questions 5 min
area41 2014 2/34
Introduction | Who Am I?
Name Marc Ruef
Job Co-Owner / CTO, scip AG, Zürich
Private Website http://www.computec.ch
Last own Book „The Art of Penetration Testing“,
Computer & Literatur Böblingen,
ISBN 3-936546-49-5
[Figure: book covers dated 2002, 2004, 2007 and 2013; one marked as a translation]
Introduction | What Is a Vulnerability Database?
◦ What?
◦ A database collecting vulnerabilities
◦ Why?
◦ To do vulnerability management
◦ What is vulnerable?
◦ What is to patch?
◦ To do statistical analysis
◦ Costs of patch management
◦ Robustness of products
Introduction | scip VulDB Looks like This (Overview)
[Screenshot: scip VulDB overview]
Introduction | scip VulDB Looks like This (Detail)
[Screenshot: scip VulDB entry detail]
Design | What Should Your Vulnerability Database Do?
◦ How much?
◦ Full coverage
◦ Selective collection
◦ Inventory-only
◦ Vendor-selection
◦ Importance threshold
◦ Fixed only
◦ For whom?
◦ Everyone
◦ Public service
◦ Advertisement
◦ Customers
◦ Vulnerability management service
◦ Alerting service
◦ Tools
◦ Internal Use
◦ Knowledge-base
◦ For pentesters
◦ For administrators
Design | What Is an Entry?
◦ A VDB entry consists of different elements. Minimal elements
usually are:
◦ ID 12413
◦ Title Linux Low-Address Protection Denial of Service
◦ Disclosure Date 02/21/2014
◦ Description A vulnerability, classified as (…)
◦ Risk Rating problematic
◦ References CVE-2014-2039, BID 65700, …
Design | Details Are Cool…
◦ Entry
◦ Software
◦ …
◦ Vulnerability
◦ …
◦ Advisory
◦ …
◦ Exploit
◦ Availability → yes|no
◦ Publicity → public|private
◦ Disclosure Date → yyyyMMdd
◦ Developer → $name
◦ Language → Ruby|Python|C|…
◦ Reliability → low|medium|high
◦ …
◦ Countermeasure
◦ …
◦ Sources
◦ …
◦ Tools
◦ …
◦ Misc
◦ …
Design | But Details Take Time!
◦ We have compiled more than 13’400 entries since 2003
◦ A scip VulDB entry consists of ~150 possible data points
◦ We rate data points to prioritize:
◦ Important = 33 (must be processed if available)
◦ Normal = 32 (shall be processed)
◦ Optional = 85 (can be processed, if you have «too much time»)
◦ Statistical analysis of defined data points over all entries:
◦ Average = 49.92
◦ Min = 26
◦ Max = 90
◦ We currently add ~15 new entries per day (work-days only)
Sources | Possible Sources
◦ Vulnerability databases
◦ Vulnerability contributors (iDefense VCP, HP ZDI)
◦ Infosec mailinglists
◦ Vendor mailinglists
◦ Vendor advisories
◦ Code repositories
◦ News
◦ Blogs
◦ Social networks (e.g. Twitter, G+, LinkedIn)
◦ Friends, colleagues, co-workers, …
Sources | Vulnerability Databases: Advantages and Disadvantages
IBM X-Force (http://xforce.iss.net)
  Pros:
  • Good coverage
  • CVSSv2 base scores
  • CVSSv2 temporal scores
  • CVE support
  Cons:
  • Sometimes a bit slow (2-3 updates per week)
  • «Arbitrary» listing (default view: 5 entries, no backlog)
  • No RSS feed
OSVDB (http://www.osvdb.org)
  Pros:
  • Very quick (daily updates)
  • Best coverage (everything!)
  • CVSSv2 base scores (via MITRE)
  • CVE support
  Cons:
  • No listing (since Feb 2014)
  • No own risk rating (CVSSv2 only)
  • No RSS feed (since 2012)
Secunia (http://secunia.com/community/advisories/historic/)
  Pros:
  • Good coverage
  • Good listing (default view: 25 entries)
  • CVE support
  Cons:
  • Login required (since Apr 2014)
  • Some details for paying customers only
  • Combining multiple vulnerabilities in one entry (by release/patch)
  • They don’t like other projects (they forbade the use of their listing for vulscan.nse in 2013)
  • No RSS feed
  • No CVSSv2 scores
SecurityFocus (http://www.securityfocus.com/bid)
  Pros:
  • Good coverage
  • CVE support
  • Listing also shows updated entries (default view: 31 entries)
  Cons:
  • Site is slow
  • Data for an entry is spread over 5 sub-pages
  • No CVSSv2 scores
SecurityTracker (http://securitytracker.com)
  Pros:
  • Sometimes quite quick
  • Simple listing (default view: 5 entries)
  • CVE support
  Cons:
  • Selective coverage (popular products only)
  • No CVSSv2 scores
Sources | Evaluation Rating Introduction
◦ Criteria are those we think are important
◦ We have addressed them as far as possible in our project (because of this prioritization)
◦ Rating is as fair as possible
◦ You might rate a bit differently
Rating scale:
  3 = Feature is supported: always/fully
  2 = Feature is supported: often/partially
  1 = Feature is supported: sometimes/somehow
  0 = Feature is never/not supported
Sources | Vulnerability Databases: Rating
VDB 
Coverage
(howmuch)
Quickness
(howfast)
Listing
(howvisible)
Search
(howsearchable)
Handling
(howergonomic)
TechDetails
(howdetailed)
RiskRating
(howmeasured)
CVSS
Base
CVSS
Temporal
CVE
Feeds
(howaccessible)
Total
CERT VU
http://www.kb.cert.org/vuls/
1 3 3 2 2 3 0 3 3 3 3 26
Exploit-DB
http://www.exploit-db.com
1 3 3 3 2 2 0 0 0 3 3 20
IBM X-Force
http://xforce.iss.net
3 1 1 1 2 2 0 3 3 3 0 19
NIST NVD
http://nvd.nist.gov
2 1 3 3 2 2 0 3 0 3 3 22
MITRE CVE
http://cve.mitre.org
2 1 3 2 2 2 0 0 0 3 2 17
OSVDB
http://www.osvdb.org
3 3 0 2 2 2 0 2 0 3 0 17
Secunia
http://secunia.com/community/advisories/historic/
3 2 3 3 2 2 3 0 0 3 0 21
SecurityFocus
http://www.securityfocus.com/bid
3 2 2 2 1 2 0 0 0 3 0 15
SecurityTracker
http://securitytracker.com
1 2 3 2 3 2 0 0 0 3 0 16
scip VulDB (rating ourselves comes with bias)
http://www.scip.ch/en/?vuldb
2 2 3 2 3 3 3 3 3 3 3 30
 2.1 2.0 2.4 2.2 2.1 2.2 0.6 1.4 0.9 3.0 1.4
Sources | Vulnerability Databases: Conclusion
◦ Being quick is not easy
◦ Technical details range from bad to good
◦ CVSS scores are pretty unpopular, especially «temporal scores»
◦ CVE has been established as the de facto standard (nice!)
◦ You can’t compare CERT VU, Exploit-DB, NIST NVD and MITRE CVE with anything else
◦ Exploit-DB inherits abstraction from researchers and is not self-consistent
◦ Secunia and SecurityFocus are very similar in many aspects
◦ X-Force and SecurityTracker remain pretty unpopular
◦ The «O» in OSVDB does not stand for «open» anymore
◦ Some features have been broken for ages (e.g. search on OSVDB and X-Force)
◦ Not everyone is a big fan of feeds
Sources | Vendor Advisories: Advantages and Disadvantages
Adobe (http://helpx.adobe.com/security.html)
  Pros:
  • Product-related listing
  • Some technical details
  • Priority rating
  • CVE support
  Cons:
  • Advisory per release/upgrade
  • No RSS feed
Apple
  Pros:
  • Simple technical details
  • CVE support
  Cons:
  • No risk rating
  • No CVSSv2 scores
  • No listing
  • Advisory per release/upgrade
  • No RSS feed
Cisco (https://tools.cisco.com/security/center/publicationListing.x)
  Pros:
  • Advisory listing
  • Advisory per vulnerability
  • Sometimes additional technical details
  • CVSSv2 base scores
  • CVE support
  Cons:
  • Technical details with login only
  • Some details for customers only
  • No RSS feed
Google
  Pros:
  • CVE support
  Cons:
  • No listing
  • Advisory per release/upgrade
  • Technical details with auth only
  • No risk rating
  • No CVSSv2 scores
  • No RSS feed
Microsoft (http://technet.microsoft.com/security/advisory)
  Pros:
  • Some technical details
  • Listing (default view: 5 entries)
  • RSS feed
  • Patch day collection (2nd Tuesday of each month)
  • Severity rating
  Cons:
  • No CVSSv2 scores
Oracle (http://www.oracle.com/technetwork/topics/security/alerts-086861.html)
  Pros:
  • Simple listing
  • CVSSv2 base scores
  • CVE support
  • Patch day collection (quarterly)
  Cons:
  • No technical details
  • No RSS feed
Sources | Vendor Advisories: Rating
Scores per vendor, in the order VulnID (how unique), Frequency (how fast), Listing (how visible), TechDetails (how detailed), Risk (how measured), CVSS Base, CVSS Temporal, CVE, RSS; the last number is the total.
FortiGuard (http://www.fortiguard.com/advisory/): 3 3 3 3 3 0 0 3 3 → 21
Symantec (http://www.symantec.com/security_response/securityupdates/list.jsp): 3 3 3 3 0 3 0 3 3 → 21
Microsoft (http://technet.microsoft.com/security/advisory): 3 2 3 3 3 0 0 3 3 → 20
Checkpoint (https://www.checkpoint.com/defense/advisories/public/summary.html): 3 2 3 2 3 0 0 3 3 → 19
Cisco (https://tools.cisco.com/security/center/publicationListing.x, details auth only): 3 3 3 3 0 3 0 3 0 → 18
Oracle (http://www.oracle.com/technetwork/topics/security/alerts-086861.html): 1 1 3 1 3 3 0 3 3 → 18
Adobe (http://helpx.adobe.com/security.html): 3 3 3 2 2 0 0 3 0 → 16
HP (https://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive): 3 3 3 1 0 3 0 3 0 → 16
SAP (https://service.sap.com/sap/support/notes/, auth only): 3 3 3 2 3 2 0 0 0 → 16
D-Link (http://securityadvisories.dlink.com/security/): 3 3 2 2 0 0 0 2 0 → 12
Google (http://www.google.com, details auth only): 3 3 1 2 0 0 0 3 0 → 12
Apple (http://www.apple.com): 1 2 1 1 0 0 0 3 0 → 8
Average: 2.66 2.58 2.58 2.08 1.41 1.16 0.0 2.66 1.25
Sources | Vendor Advisories: Conclusion
◦ Some vendors have really ugly advisory URLs
◦ Technical details range from bad to good
◦ CVSS scores are pretty unpopular, especially «temporal scores»
◦ Own risk ratings are also unpopular, because they are hard
◦ Nearly everybody likes CVE
◦ Microsoft and Oracle handle things better than it felt
◦ Juniper has a field «Last Updated» but no «Disclosure Date»
◦ SAP is very restrictive with information for non-customers, which introduces a severe disadvantage (VDB’s can’t categorize them, which decreases visibility)
◦ Vendors aren’t big fans of RSS feeds either
Sources | Vuln Contributors: Advantages and Disadvantages
iDEFENSE Vulnerability Contributor Program (http://www.verisigninc.com/en_US/cyber-security/index.xhtml)
  Pros:
  • Started in 2003
  Cons:
  • Incomplete listing
  • No announcement of upcoming advisories
  • No CVSSv2 support
  • No search capabilities
  • No RSS feed
  • All old links are broken since
Zero Day Initiative (http://www.zerodayinitiative.com)
  Pros:
  • Provide announcement for upcoming advisories
  • Provide CVSSv2 Base Scores
  • RSS feeds available
  Cons:
  • No search capabilities
Sources | Vuln Contributors: Rating
Scores per project, in the order Listing (how visible), Search (how searchable), Handling (how ergonomic), TechDetails (how detailed), RiskRating (how measured), CVSS Base, CVSS Temporal, CVE, RSS; the last number is the total.
iDEFENSE Vulnerability Contributor Program (http://www.verisigninc.com/en_US/cyber-security/index.xhtml): 3 0 3 2 0 0 0 3 0 → 11
Zero Day Initiative (http://www.zerodayinitiative.com): 3 0 3 2 0 3 0 3 3 → 17
Average: 3.0 0.0 3.0 2.0 0.0 1.5 0.0 3.0 1.5
Sources | Vuln Contributors: Conclusion
◦ Only 2 major players
◦ They are quite similar in most aspects
◦ Zero Day Initiative has 2 advantages of CVSSv2 and RSS support
◦ More competition might increase quality
Interpretation | How to Analyze
◦ The basic approach of processing a source is simple:
  1. Check source for new entries
  2. Review source entry
  3. Add necessary data to database
     a. If entry is available → Update existing entry
     b. If entry is not available → Create new entry
     c. If source is false-positive → Ignore entry and flag for future reference
  4. Goto 1
Interpretation | MITRE CVE as an Example
[Screenshot of a MITRE CVE entry, annotated: cve, description, advisory, cert vu, software]
Interpretation | MITRE CVE as an Example: What Is missing?
◦ What’s missing on a MITRE CVE entry?
◦ Disclosure date
◦ Exact naming of vulnerability class
◦ Risk rating
◦ Person responsible for disclosure
◦ Detailed mitigation/countermeasure
◦ …
Interpretation | OSVDB as an Example
[Screenshot of an OSVDB entry, annotated: cve, sectracker, product version, description, date, exploit, news]
Interpretation | Contradicting Conventions (Disclosure Date)
[Figure: two disclosure dates for one issue, 02/19/2014 and 02/26/2014]
Interpretation | Contradicting Conventions (Disclosure Date)
[Figure: timeline for CVE-2014-2284 (net-snmp 5.7.1 on Linux ICMP-MIB Denial of Service) from 02/19/2014 to 03/24/2014, showing the dates used by SourceForge, ReleaseNote, SecFocus, SecTracker, VulDB, OSVDB, Secunia, RedHat, oss-security (03/05/2014) and CVE]
Our definition of a (public) disclosure date: The earliest known date to disclose an issue to the public in an unrestricted way. (We’re going to adopt a more differentiated approach in the near future.)
Interpretation | Put the Different Pieces Together
Scores per VDB, in the order Product, Version, VulnClass, Disclosure Date, Advisory URL, Attack Context, Exploit, Solution, VulnDB Sources, Misc. Links; the last number is the total.
CERT VU (http://www.kb.cert.org/vuls/): 3 2 3 2 3 3 1 3 0 1 → 21
Exploit-DB (http://www.exploit-db.com): 3 2 2 2 2 1 3 1 1 0 → 17
IBM X-Force (http://xforce.iss.net): 3 2 2 3 2 3 1 2 2 2 → 22
NIST NVD (http://nvd.nist.gov): 2 2 3 0 3 1 1 1 3 3 → 19
MITRE CVE (http://cve.mitre.org): 2 2 2 0 3 1 1 1 3 3 → 18
OSVDB (http://www.osvdb.org): 3 3 3 3 3 3 3 3 3 3 → 30
Secunia (http://secunia.com/community/advisories/historic/): 2 2 2 2 3 1 1 2 0 0 → 15
SecurityFocus (http://www.securityfocus.com/bid): 3 3 3 3 2 1 2 2 0 1 → 20
SecurityTracker (http://securitytracker.com): 3 3 3 1 2 3 1 3 0 1 → 20
scip VulDB (http://www.scip.ch/en/?vuldb): 3 3 3 3 3 3 3 3 3 3 → 30
Average: 2.7 2.4 2.6 1.9 2.6 2.0 1.7 2.1 1.5 1.7
Sources | Vulnerability Databases: Conclusion
◦ OSVDB provides the best collection of data
◦ Secunia provides the worst collection of data
◦ SecurityFocus and Secunia usually don’t provide context
◦ X-Force, SecurityTracker and Secunia don’t provide exploit details
◦ SecurityTracker and Secunia have confusing disclosure dates
◦ SecurityFocus, SecurityTracker and Secunia don’t link to other VDB
Correlation | That's Why You Have to Correlate
◦ Approach
◦ Merge different sources
◦ Compare similar data points
◦ Identify and verify contradictions
◦ Dangers
◦ Duplicates: Come up with annoying inconsistency
◦ Merges: Come up with dangerous mashups
Correlation | Now Things Are Getting Tricky
◦ Sometimes vulnerabilities can’t be identified individually
◦ CVE helps a lot! But not every vulnerability (immediately) has a CVE number
◦ Some sources merge vulnerabilities into one entry
  ◦ Vendors do this within their patch release notes or patch days
  ◦ Secunia tends to compile different vulnerabilities of the same day or patch generation into one entry (e.g. 58519). SecurityFocus does it sometimes (e.g. 67553) and so does SecurityTracker in some cases (e.g. 1030269).
◦ Vulnerabilities with very few technical details often can’t be distinguished from similar vulnerabilities (e.g. Apple HT6145: no info available, but CVE assigned)
Correlation | Keep Track, Detect Collisions
◦ Keep track of your sources and the entries already reviewed
◦ Verify that every new entry is really new and not just a duplicate or a minor fork of an existing entry. This is a very underestimated task!
◦ We do that with collision detection
  ◦ Compare new values with existing values of other entries (e.g. URLs, IDs, references). If there is a specified level of matches, we have to check for a duplicate.
◦ Our reference maps help to distinguish. Projects like vFeed support this very well. [https://github.com/toolswatch/vFeed/]
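As an added example (not scip's code), the review loop from "How to Analyze" combined with the collision check by shared references described above, in Python; the entry layout, the threshold of one shared identifier and the sample source records are assumptions, with the Linux identifiers taken from the "What Is an Entry?" slide:

```python
# Added example (not scip's code): the review loop from "How to Analyze"
# combined with reference-based collision detection from "Keep Track, Detect
# Collisions". Entry layout, threshold and sample source records are constructed.
from dataclasses import dataclass, field


@dataclass
class Entry:
    id: int
    title: str
    refs: set = field(default_factory=set)  # CVE ids, BIDs, advisory URLs, ...


class VulnDB:
    def __init__(self, threshold=1):
        # threshold: how many shared references count as a collision
        # (assumption: one shared identifier such as a CVE is already enough)
        self.entries = {}
        self.ignored = []  # flagged false-positives, kept so they are not re-reviewed
        self.threshold = threshold
        self._next_id = 1

    def collisions(self, refs):
        """Existing entries that share at least `threshold` references with refs."""
        hits = []
        for entry in self.entries.values():
            common = entry.refs & refs
            if len(common) >= self.threshold:
                hits.append((entry.id, common))
        return hits

    def process(self, record):
        """One iteration: review a source record, then update / create / ignore.

        Returns (action, detail) so the caller can log what happened."""
        refs = set(record["refs"])
        if record.get("false_positive"):
            self.ignored.append(record)          # step 3c: flag, do not import
            return ("ignored", None)
        hits = self.collisions(refs)
        if len(hits) > 1:
            # A combined source entry (e.g. one Secunia advisory) references
            # several of our entries: never merge blindly, queue for review.
            return ("conflict", sorted(h[0] for h in hits))
        if hits:
            eid = hits[0][0]                     # step 3a: update existing entry
            self.entries[eid].refs |= refs
            return ("updated", eid)
        eid = self._next_id                      # step 3b: create new entry
        self._next_id += 1
        self.entries[eid] = Entry(eid, record["title"], refs)
        return ("created", eid)


# Constructed source records; the identifiers of the first two are the ones
# shown on the "What Is an Entry?" slide, the rest is made up for the demo.
SAMPLE_SOURCE = [
    {"title": "Linux Low-Address Protection Denial of Service",
     "refs": ["CVE-2014-2039"]},
    {"title": "Linux Kernel CVE-2014-2039 DoS",
     "refs": ["CVE-2014-2039", "BID 65700"]},
    {"title": "net-snmp 5.7.1 on Linux ICMP-MIB Denial of Service",
     "refs": ["CVE-2014-2284"]},
    {"title": "Linux multiple vulnerabilities (combined)",
     "refs": ["BID 65700", "CVE-2014-2284"]},
    {"title": "bogus report", "refs": ["http://example.invalid/x"],
     "false_positive": True},
]


def run_example(records=SAMPLE_SOURCE):
    """Feed the sample records through the loop; returns (outcomes, database)."""
    db = VulnDB()
    return [db.process(r) for r in records], db
```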
Correlation | To Split or Not to Split
Granularity levels and the number of entries each produces for the example advisory:
  Parameter → 5 entries
  File → 4 entries
  Component → 3 entries
  Vuln Class → 2 entries
  Advisory/Patch → 1 entry
Example advisory #VA42:
  Cross Site Scripting
    User Auth: login.php (login_user, login_pass)
    News Portal: news.php (news_id), archive.php (news_year)
  SQL Injection
    Board: forum.php (post_id)
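An added example (not scip's code) that applies the five split levels to advisory #VA42 from the slide and shows how many entries each level produces and what their titles look like; the field names and their nesting order are assumptions:

```python
# Added example (not scip's code): the granularity levels from "To Split or
# Not to Split", applied to the example advisory #VA42 from the slide.
# Field names and the nesting order are assumptions.
from collections import OrderedDict

# Each level is identified by the prefix of fields that makes one entry unique.
LEVELS = OrderedDict([
    ("advisory",   ("advisory",)),
    ("vuln_class", ("advisory", "vuln_class")),
    ("component",  ("advisory", "vuln_class", "component")),
    ("file",       ("advisory", "vuln_class", "component", "file")),
    ("parameter",  ("advisory", "vuln_class", "component", "file", "parameter")),
])


def finding(vuln_class, component, file, parameter, advisory="#VA42"):
    return {"advisory": advisory, "vuln_class": vuln_class,
            "component": component, "file": file, "parameter": parameter}


# The tree shown on the slide, flattened to its leaves (one per parameter).
VA42 = [
    finding("Cross Site Scripting", "User Auth", "login.php", "login_user"),
    finding("Cross Site Scripting", "User Auth", "login.php", "login_pass"),
    finding("Cross Site Scripting", "News Portal", "news.php", "news_id"),
    finding("Cross Site Scripting", "News Portal", "archive.php", "news_year"),
    finding("SQL Injection", "Board", "forum.php", "post_id"),
]


def split(findings, level):
    """Group leaf findings into the entries produced at the given level."""
    keys = LEVELS[level]
    groups = OrderedDict()
    for f in findings:
        groups.setdefault(tuple(f[k] for k in keys), []).append(f)
    return groups


def entry_counts(findings):
    """How many database entries each split level would create."""
    return {level: len(split(findings, level)) for level in LEVELS}


def titles(findings, level):
    """Entry titles at a level, built as component / file / parameter / class."""
    out = []
    for key in split(findings, level):
        fields = dict(zip(LEVELS[level], key))
        parts = [fields.get("component"), fields.get("file"),
                 fields.get("parameter"), fields.get("vuln_class")]
        out.append(" ".join(p for p in parts if p) or fields["advisory"])
    return out
```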
Correlation | Split Example (MS Patch Day, IE Vuls, Feb 2014)
VulDB (vuln split)   SecFocus* (vuln split)   CVE (vuln split)   Secunia (combined)   Microsoft (combined)
SID 12242            BID 65361                CVE-2014-0267      SA56796              MS14-010
SID 12239            BID 65392                CVE-2014-0268
…                    …                        …
SID 12241            BID 65394                CVE-2014-0293
* SecurityFocus often combines (e.g. BID 67553)
Correlation | Unwanted Split (cPanel, Dec 2013)
◦ TSR 2013-0011, http://cpanel.net/tsr-2013-0011-full-disclosure/
◦ 12/18/2013 cPanel WHM Reseller Login Handler Cookie information disclosure
◦ 12/18/2013 cPanel WHM Login Security Handler Token information disclosure
◦ 12/18/2013 cPanel WHM Branding Subsystem privilege escalation
◦ 12/18/2013 cPanel WHM usr/local/cpanel/share/counter privilege escalation
◦ 12/18/2013 cPanel WHM Daily Process Log Screen Stored cross site scripting
◦ 12/18/2013 cPanel WHM cPAddons Upgrade Handler Password information disclosure
◦ 12/18/2013 cPanel WHM Edit DNS Zone Interface information disclosure
◦ 12/18/2013 cPanel WHM SSH Authentication Handler privilege escalation
◦ 12/18/2013 cPanel WHM X3 Theme countedit.cgi Directory Traversal
◦ 12/18/2013 cPanel WHM Bandmin passwd privilege escalation
◦ 12/18/2013 cPanel WHM cpsrvd Bypass privilege escalation
◦ 12/18/2013 cPanel WHM Bandmin Reflected cross site scripting
◦ 12/18/2013 cPanel WHM API Call Handler UI::dynamicincludelist Directory Traversal
◦ 12/18/2013 cPanel WHM Database Handler privilege escalation
◦ 12/18/2013 cPanel WHM Backup Archive Handler privilege escalation
◦ 12/18/2013 cPanel WHM Config Handler Cross Site Request Forgery
◦ 12/18/2013 cPanel WHM Translatable Phrase Handler Locale::Maketext privilege escalation
◦ 12/18/2013 cPanel WHM CSRF Protection Bypass Cross Site Request Forgery
◦ 12/18/2013 cPanel WHM cross site scripting
◦ 12/18/2013 cPanel WHM Logaholic Session File Handler /tmp privilege escalation
◦ 12/18/2013 cPanel WHM Virtualhost Installation Handler privilege escalation
Correlation | Split Pros and Cons
◦ Advisory / Patch
◦ Few entries
◦ Good for overview
◦ Good for patch management
◦ Vulnerability
◦ Some entries
◦ Possible splits for 3rd party components
◦ Element
◦ A lot of entries
◦ Good for statistical analysis
Quality | How to Provide the Best?
◦ Try to verify statements from researchers, vendors and vulnerability database maintainers
  ◦ Check for plausibility
  ◦ Verify from other sources
  ◦ Re-test within a lab
◦ Eliminate wrong statements
  ◦ Delete false entries
  ◦ Preserve false entries (preferred by CVE, SecurityFocus)
    ◦ Add further explanations
    ◦ Flag (preferred by OSVDB, scip VulDB)
      ◦ advisory_disputed=1 (e.g. scipID 13305, 13000, 12643)
      ◦ advisory_reportconfidence=UR (CVSSv2 temp score metric)
◦ Try to find and compile additional details
Extrapolation | Versions of Affected Software
◦ Exact Version
  ◦ Internet Explorer 10 → X-Force, OSVDB, SecFocus, Secunia, VulDB
◦ Wildcards
  ◦ Internet Explorer 6.x → Secunia, SecFocus, SecTracker, VulDB
◦ Ranges
  ◦ Internet Explorer 8 – 10 → Secunia, CVE
  ◦ Internet Explorer prior 10 → SecurityTracker, Secunia
  ◦ Internet Explorer before 10 → CVE
  ◦ Internet Explorer up to 10 → VulDB
  ◦ Internet Explorer 8 and later → SecurityTracker
[Figure: Internet Explorer Versions 6 to 11, with the ranges "10", "up to 10", "8 to 10", "before 10", … drawn against the version axis]
Extrapolation | What about The Unknown?
◦ Try to guess. Examples:
◦ «IE prior 9» → 6 – 9
◦ «IE prior 11» → 7 – 10
◦ Research and validate yourself
◦ A lot of work
◦ We combine with other projects (research or pentest)
◦ We enforce very important or interesting vulnerabilities
◦ Be quiet
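An added example (not scip's code) that normalises the version conventions from the "Versions of Affected Software" slide into comparable ranges and, for an open lower bound, guesses from a supplied list of known versions as the "try to guess" step suggests; treating "prior"/"before" as exclusive and "up to" as inclusive, and the known-version list itself, are assumptions:

```python
# Added example (not scip's code): normalising the version conventions listed
# under "Versions of Affected Software" so entries from different sources can
# be compared. Treating "prior"/"before" as exclusive and "up to" as inclusive
# is an assumption, as is the list of known versions used to guess an
# unstated lower bound.
import re


def parse_version(text):
    """'15.4' -> (15, 4); tuples compare numerically component by component."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_spec(spec, product="Internet Explorer"):
    """Return (low, high, low_inclusive, high_inclusive); None = unbounded."""
    s = spec.replace(product, "").replace("–", "-").strip()
    if m := re.fullmatch(r"(\d[\d.]*)\s*-\s*(\d[\d.]*)", s):          # "8 - 10"
        return parse_version(m[1]), parse_version(m[2]), True, True
    if m := re.fullmatch(r"(?:prior|before)\s+(\d[\d.]*)", s):        # "prior 10"
        return None, parse_version(m[1]), True, False
    if m := re.fullmatch(r"up to\s+(\d[\d.]*)", s):                    # "up to 10"
        return None, parse_version(m[1]), True, True
    if m := re.fullmatch(r"(\d[\d.]*)\s+and later", s):                # "8 and later"
        return parse_version(m[1]), None, True, True
    if m := re.fullmatch(r"(\d[\d.]*)\.x", s):                         # wildcard "6.x"
        base = parse_version(m[1])
        # everything from 6 up to, but excluding, 7
        return base, base[:-1] + (base[-1] + 1,), True, False
    if re.fullmatch(r"\d[\d.]*", s):                                   # exact "10"
        v = parse_version(s)
        return v, v, True, True
    raise ValueError("unknown version convention: %r" % spec)


def affected(spec, version, product="Internet Explorer"):
    """True if `version` lies inside the range expressed by `spec`."""
    low, high, low_incl, high_incl = parse_spec(spec, product)
    v = parse_version(version)
    if low is not None and (v < low or (v == low and not low_incl)):
        return False
    if high is not None and (v > high or (v == high and not high_incl)):
        return False
    return True


def resolve(spec, known_versions, product="Internet Explorer"):
    """Expand a spec into the concrete known versions it covers; for an open
    lower bound this is the 'try to guess' step, bounded by what we know."""
    return [v for v in known_versions if affected(spec, v, product)]
```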
Delivery | Choose your Channels
◦ Web Site
◦ Mail
◦ RSS
◦ Widgets
◦ Facebook
◦ Twitter
◦ LinkedIn
◦ App
◦ …
Statistics | Comparing Apples and Oranges
◦ Doing some statistics is easy. Doing it the right way is hard. Some say it is even impossible. [http://blog.osvdb.org/category/vulnerability-statistics/]
◦ Counting vulnerabilities doesn’t say anything:
  ◦ Weak code leads to a lot of vulnerabilities
  ◦ Complexity leads to a lot of vulnerabilities
  ◦ Popularity leads to a lot of vulnerabilities
  ◦ Bug bounty programs lead to a lot of vulnerabilities
  ◦ Open disclosure process leads to a lot of vulnerabilities
◦ We still provide statistical raw data and expect the viewers to think about it
Statistics | Timelines Are Interesting
◦ Our timelines consist of multiple data points
  ◦ vulnerability_introduction_date
  ◦ vulnerability_discovery_date
  ◦ vulnerability_vendorinform_date
  ◦ advisory_date
  ◦ advisory_confirm_date
  ◦ exploit_date
  ◦ countermeasure_date
  ◦ source_cve_assigned
  ◦ source_secunia_date
  ◦ source_nessus_date
  ◦ entry_timestamp_create
  ◦ entry_timestamp_update
[Figure: example timeline for Heartbleed, CVE-2014-0160]
Statistics | Timelines Trivia (excerpt from 2014)
◦ [CVE-2014-0160] OpenSSL TLS/DTLS Heartbeat information disclosure got introduced on 01/01/2012 and fixed on 04/07/2014
  ◦ existed 827 days
◦ [CVE-2014-0179] libvirt XML Entity Expansion Handler denial of service got introduced on 12/23/2009 and fixed on 05/06/2014
  ◦ existed 1.595 days
◦ [CVE-2014-3122] Linux Kernel try_to_unmap_cluster() denial of service got introduced on 10/19/2008 and fixed on 04/10/2014
  ◦ existed 1.996 days
◦ [CVE-2014-3460] Novell NetIQ Sentinel Agent Manager directory traversal: vendor got informed on 09/04/2013 but did not respond until 05/19/2014
  ◦ Novell ignored grace period of 257 days
Accessibility | Choose Additional Representation
◦ To allow users to work with your data, it is probably best to provide additional forms of representation:
  ◦ SQL
  ◦ XML
  ◦ JSON
  ◦ CSV
  ◦ CVRF [http://www.icasi.org/cvrf]
Connectivity | Use Data for Vuln Scanning
◦ We are able to construct specific requests with our fields software_argument and software_input_value to create test cases and exploits (very simple for web-based vulns)
◦ Because of the fields software_* we are able to provide CPE lists [http://cpe.mitre.org/], which can be matched with tools like Nmap. Random examples:
  ◦ ID 12313 → cpe:/a:sap:netweaver:7.30
  ◦ ID 12802 → cpe:/o:cisco:ios:15.4(1.1)t
  ◦ ID 13306 → cpe:/a:microsoft:internet_explorer:8
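An added example (not scip's code) that builds the CPE URIs shown above from the software_* data points and performs the prefix match needed to compare an entry against a CPE reported by an inventory or scanner; the software_type vocabulary, the escaping rules and the three sample records are assumptions:

```python
# Added example (not scip's code): building CPE 2.2 URIs from the software_*
# data points, as the "Use Data for Vuln Scanning" slide describes, plus the
# prefix matching that lets an inventory CPE be compared against an entry.
# The software_type vocabulary and the sample records are assumptions.

PART = {"application": "a", "operating system": "o", "hardware": "h"}


def cpe_component(value):
    """Normalise one URI component: lower-case, spaces to '_', ':' escaped."""
    return value.strip().lower().replace(" ", "_").replace(":", "%3a")


def cpe_uri(software):
    """cpe:/{part}:{vendor}:{product}:{version}; trailing empty fields are dropped."""
    part = PART[software["software_type"]]
    comps = [cpe_component(software.get(k, "")) for k in
             ("software_vendor", "software_name", "software_version")]
    while comps and comps[-1] == "":
        comps.pop()
    return "cpe:/" + ":".join([part] + comps)


def cpe_matches(pattern, target):
    """CPE 2.2 prefix match: every component given in pattern must equal the
    corresponding component of target; omitted or empty ones are wildcards."""
    p = pattern[len("cpe:/"):].split(":")
    t = target[len("cpe:/"):].split(":")
    if len(p) > len(t):
        return False
    return all(a == "" or a == b for a, b in zip(p, t))


# Constructed records mirroring the three "random examples" on the slide.
SAMPLE_SOFTWARE = {
    12313: {"software_type": "application", "software_vendor": "SAP",
            "software_name": "NetWeaver", "software_version": "7.30"},
    12802: {"software_type": "operating system", "software_vendor": "Cisco",
            "software_name": "IOS", "software_version": "15.4(1.1)T"},
    13306: {"software_type": "application", "software_vendor": "Microsoft",
            "software_name": "Internet Explorer", "software_version": "8"},
}


def cpe_list(records=SAMPLE_SOFTWARE):
    """Entry id -> CPE URI, the list a scanner would consume."""
    return {entry_id: cpe_uri(rec) for entry_id, rec in records.items()}


def entries_for_inventory(inventory_cpe, records=SAMPLE_SOFTWARE):
    """Entry ids whose CPE pattern matches a CPE reported by a scanner."""
    return [eid for eid, rec in records.items()
            if cpe_matches(cpe_uri(rec), inventory_cpe)]
```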
Outro | Summary
◦ Vulnerability databases help to manage vulnerabilities
◦ Different sources allow to collect a broad amount of issues
◦ Every source has some advantages and disadvantages
◦ Compiling and maintaining vulnerabilities takes a lot of effort
◦ Making your data accessible helps others
Outro | Thank You
◦ I’d like to thank a bunch of people who helped to discuss the many interesting aspects of vulnerability database management:
◦ Stefan Friedli, scip AG
◦ Steven M. Christey, MITRE
Outro | Questions
Security Is Our Business!
scip AG
Jakob-Fügli-Strasse 18
CH-8048 Zürich
Tel +41 44 404 13 13
Fax +41 44 404 13 14
Mail info@scip.ch
Web http://www.scip.ch
Twitter http://twitter.com/scipag
Strategy | Consulting
Auditing | Testing
Forensics | Analysis
Personal Branding for Workplace Leaders
 
Firewall Rule Review and Modelling
Firewall Rule Review and ModellingFirewall Rule Review and Modelling
Firewall Rule Review and Modelling
 

Similar to Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities

ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical ApproachJeremy Brown
 
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s viewNguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s viewSecurity Bootcamp
 
Deepfence.pdf
Deepfence.pdfDeepfence.pdf
Deepfence.pdfVishwas N
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm HereChristopher Grayson
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinMatt Tesauro
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an IntroductionPrashanth B. P.
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSADenim Group
 
Open Source Security – A vendor's perspective
Open Source Security – A vendor's perspectiveOpen Source Security – A vendor's perspective
Open Source Security – A vendor's perspectiveMatthew Wilkes
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Achim D. Brucker
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityAnne Oikarinen
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Toolscentralohioissa
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itSecurity BSides London
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual TestingDenim Group
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-mspMike Saunders
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldRogue Wave Software
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavAbhay Bhargav
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile WorldDavid Lindner
 
Making DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsMaking DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsHdiv Security
 

Similar to Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities (20)

ProdSec: A Technical Approach
ProdSec: A Technical ApproachProdSec: A Technical Approach
ProdSec: A Technical Approach
 
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s viewNguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
 
Deepfence.pdf
Deepfence.pdfDeepfence.pdf
Deepfence.pdf
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
Started In Security Now I'm Here
Started In Security Now I'm HereStarted In Security Now I'm Here
Started In Security Now I'm Here
 
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austinDev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
 
DevSecOps : an Introduction
DevSecOps : an IntroductionDevSecOps : an Introduction
DevSecOps : an Introduction
 
Building Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSABuilding Your Application Security Data Hub - OWASP AppSecUSA
Building Your Application Security Data Hub - OWASP AppSecUSA
 
Open Source Security – A vendor's perspective
Open Source Security – A vendor's perspectiveOpen Source Security – A vendor's perspective
Open Source Security – A vendor's perspective
 
Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...Bringing Security Testing to Development: How to Enable Developers to Act as ...
Bringing Security Testing to Development: How to Enable Developers to Act as ...
 
What Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software SecurityWhat Every Developer And Tester Should Know About Software Security
What Every Developer And Tester Should Know About Software Security
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 
Agnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know itAgnitio: its static analysis, but not as we know it
Agnitio: its static analysis, but not as we know it
 
Blending Automated and Manual Testing
Blending Automated and Manual TestingBlending Automated and Manual Testing
Blending Automated and Manual Testing
 
Problems with parameters b sides-msp
Problems with parameters b sides-mspProblems with parameters b sides-msp
Problems with parameters b sides-msp
 
Programming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT worldProgramming languages and techniques for today’s embedded andIoT world
Programming languages and techniques for today’s embedded andIoT world
 
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay BhargavOWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
OWASP AppSec EU - SecDevOps, a view from the trenches - Abhay Bhargav
 
AppSec in an Agile World
AppSec in an Agile WorldAppSec in an Agile World
AppSec in an Agile World
 
Making DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring ApplicationsMaking DevSecOps a Reality in your Spring Applications
Making DevSecOps a Reality in your Spring Applications
 

Recently uploaded

Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...limedy534
 
DBA Basics: Getting Started with Performance Tuning.pdf
DBA Basics: Getting Started with Performance Tuning.pdfDBA Basics: Getting Started with Performance Tuning.pdf
DBA Basics: Getting Started with Performance Tuning.pdfJohn Sterrett
 
Call Girls In Dwarka 9654467111 Escorts Service
Call Girls In Dwarka 9654467111 Escorts ServiceCall Girls In Dwarka 9654467111 Escorts Service
Call Girls In Dwarka 9654467111 Escorts ServiceSapana Sha
 
Identifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population MeanIdentifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population MeanMYRABACSAFRA2
 
Student Profile Sample report on improving academic performance by uniting gr...
Student Profile Sample report on improving academic performance by uniting gr...Student Profile Sample report on improving academic performance by uniting gr...
Student Profile Sample report on improving academic performance by uniting gr...Seán Kennedy
 
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort servicejennyeacort
 
Statistics, Data Analysis, and Decision Modeling, 5th edition by James R. Eva...
Statistics, Data Analysis, and Decision Modeling, 5th edition by James R. Eva...Statistics, Data Analysis, and Decision Modeling, 5th edition by James R. Eva...
Statistics, Data Analysis, and Decision Modeling, 5th edition by James R. Eva...ssuserf63bd7
 
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一F sss
 
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理e4aez8ss
 
RadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdfRadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdfgstagge
 
Student profile product demonstration on grades, ability, well-being and mind...
Student profile product demonstration on grades, ability, well-being and mind...Student profile product demonstration on grades, ability, well-being and mind...
Student profile product demonstration on grades, ability, well-being and mind...Seán Kennedy
 
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改yuu sss
 
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...Boston Institute of Analytics
 
INTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTDINTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTDRafezzaman
 
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝DelhiRS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhijennyeacort
 
How we prevented account sharing with MFA
How we prevented account sharing with MFAHow we prevented account sharing with MFA
How we prevented account sharing with MFAAndrei Kaleshka
 
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSINGmarianagonzalez07
 
原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档
原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档
原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档208367051
 
RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.natarajan8993
 
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...dajasot375
 

Recently uploaded (20)

Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...
Effects of Smartphone Addiction on the Academic Performances of Grades 9 to 1...
 
DBA Basics: Getting Started with Performance Tuning.pdf
DBA Basics: Getting Started with Performance Tuning.pdfDBA Basics: Getting Started with Performance Tuning.pdf
DBA Basics: Getting Started with Performance Tuning.pdf
 
Call Girls In Dwarka 9654467111 Escorts Service
Call Girls In Dwarka 9654467111 Escorts ServiceCall Girls In Dwarka 9654467111 Escorts Service
Call Girls In Dwarka 9654467111 Escorts Service
 
Identifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population MeanIdentifying Appropriate Test Statistics Involving Population Mean
Identifying Appropriate Test Statistics Involving Population Mean
 
Student Profile Sample report on improving academic performance by uniting gr...
Student Profile Sample report on improving academic performance by uniting gr...Student Profile Sample report on improving academic performance by uniting gr...
Student Profile Sample report on improving academic performance by uniting gr...
 
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
9711147426✨Call In girls Gurgaon Sector 31. SCO 25 escort service
 
Statistics, Data Analysis, and Decision Modeling, 5th edition by James R. Eva...
Statistics, Data Analysis, and Decision Modeling, 5th edition by James R. Eva...Statistics, Data Analysis, and Decision Modeling, 5th edition by James R. Eva...
Statistics, Data Analysis, and Decision Modeling, 5th edition by James R. Eva...
 
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
办理学位证中佛罗里达大学毕业证,UCF成绩单原版一比一
 
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
科罗拉多大学波尔得分校毕业证学位证成绩单-可办理
 
RadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdfRadioAdProWritingCinderellabyButleri.pdf
RadioAdProWritingCinderellabyButleri.pdf
 
Student profile product demonstration on grades, ability, well-being and mind...
Student profile product demonstration on grades, ability, well-being and mind...Student profile product demonstration on grades, ability, well-being and mind...
Student profile product demonstration on grades, ability, well-being and mind...
 
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
专业一比一美国俄亥俄大学毕业证成绩单pdf电子版制作修改
 
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
NLP Data Science Project Presentation:Predicting Heart Disease with NLP Data ...
 
INTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTDINTERNSHIP ON PURBASHA COMPOSITE TEX LTD
INTERNSHIP ON PURBASHA COMPOSITE TEX LTD
 
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝DelhiRS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
RS 9000 Call In girls Dwarka Mor (DELHI)⇛9711147426🔝Delhi
 
How we prevented account sharing with MFA
How we prevented account sharing with MFAHow we prevented account sharing with MFA
How we prevented account sharing with MFA
 
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
2006_GasProcessing_HB (1).pdf HYDROCARBON PROCESSING
 
原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档
原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档
原版1:1定制南十字星大学毕业证(SCU毕业证)#文凭成绩单#真实留信学历认证永久存档
 
RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.RABBIT: A CLI tool for identifying bots based on their GitHub events.
RABBIT: A CLI tool for identifying bots based on their GitHub events.
 
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
Indian Call Girls in Abu Dhabi O5286O24O8 Call Girls in Abu Dhabi By Independ...
 

Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities

• 1. Adventures in a Decade of Tracking and Consolidating Security Vulnerabilities
  Marc Ruef, www.scip.ch
  area41 Security Conference, June 2014, Zürich, Switzerland
  (slide background: the column names of the scip VulDB schema, from id to countermeasure_patch_name)
• 2. Agenda | Vulnerability Database Maintenance
  1. Intro
     ◦ Introduction (2 min)
     ◦ Who am I? (2 min)
     ◦ What is the Goal? (2 min)
  2. Vulnerability Database Maintenance
     ◦ Design the Database (5 min)
     ◦ Handling of Sources (4 min)
     ◦ Interpretation of Data (4 min)
     ◦ Correlation of Data (4 min)
     ◦ Quality Management (5 min)
     ◦ Extrapolation of Data (5 min)
     ◦ Deliver your Results (5 min)
     ◦ Statistical Analysis (5 min)
     ◦ Provide Accessibility (5 min)
     ◦ Use Connectivity (5 min)
  3. Outro
     ◦ Summary (2 min)
     ◦ Questions (5 min)
• 3. Introduction | Who Am I?
  ◦ Name: Marc Ruef
  ◦ Job: Co-Owner / CTO, scip AG, Zürich
  ◦ Private Website: http://www.computec.ch
  ◦ Last own Book: „The Art of Penetration Testing“ (translation), Computer & Literatur Böblingen, ISBN 3-936546-49-5
  (slide shows book covers dated 2002, 2004, 2007 and 2013)
• 4. Introduction | What Is a Vulnerability Database?
  ◦ What?
    ◦ A database collecting vulnerabilities
  ◦ Why?
    ◦ To do vulnerability management
      ◦ What is vulnerable?
      ◦ What is to patch?
    ◦ To do statistical analysis
      ◦ Costs of patch management
      ◦ Robustness of products
• 5. Introduction | scip VulDB Looks like This (Overview)
  (screenshot of the scip VulDB overview listing)
• 6. Introduction | scip VulDB Looks like This (Detail)
  (screenshot of a single scip VulDB entry)
• 7. Design | What Should Your Vulnerability Database Do?
  ◦ How much?
    ◦ Full coverage
    ◦ Selective collection
      ◦ Inventory-only
      ◦ Vendor-selection
      ◦ Importance threshold
      ◦ Fixed only
  ◦ For whom?
    ◦ Everyone
      ◦ Public service
      ◦ Advertisement
    ◦ Customers
      ◦ Vulnerability management service
      ◦ Alerting service
      ◦ Tools
    ◦ Internal Use
      ◦ Knowledge-base
      ◦ For pentesters
      ◦ For administrators
• 8. Design | What Is an Entry?
  ◦ A VDB entry consists of different elements. Minimal elements usually are:
    ◦ ID: 12413
    ◦ Title: Linux Low-Address Protection Denial of Service
    ◦ Disclosure Date: 02/21/2014
    ◦ Description: A vulnerability, classified as (…)
    ◦ Risk Rating: problematic
    ◦ References: CVE-2014-2039, BID 65700, …
• 9. Design | Details Are Cool…
  ◦ Entry
    ◦ Software: …
    ◦ Vulnerability: …
    ◦ Advisory: …
    ◦ Exploit
      ◦ Availability → yes|no
      ◦ Publicity → public|private
      ◦ Disclosure Date → yyyyMMdd
      ◦ Developer → $name
      ◦ Language → Ruby|Python|C|…
      ◦ Reliability → low|medium|high
      ◦ …
    ◦ Countermeasure: …
    ◦ Sources: …
    ◦ Tools: …
    ◦ Misc: …
• 10. Design | But Details Take Time!
  ◦ We have compiled more than 13’400 entries since 2003
  ◦ A scip VulDB entry consists of ~150 possible data points
  ◦ We rate data points to prioritize:
    ◦ Important = 33 (must be processed if available)
    ◦ Normal = 32 (shall be processed)
    ◦ Optional = 85 (can be processed, if you have «too much time»)
  ◦ Statistical analysis of defined data points over all entries:
    ◦ Average = 49.92
    ◦ Min = 26
    ◦ Max = 90
  ◦ We currently add ~15 new entries per day (work-days only)
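The priority classes and the per-entry completeness statistic of slide 10, written out as code. This is an added example, not code from the deck or from scip VulDB. The field names are the scip VulDB column names shown on the title slide, but which field falls into which priority class is an assumption made here (the deck only gives the class sizes 33/32/85), and the two sample entries are constructed.

```python
"""Added example: priority classes and completeness statistic of slide 10.
Not code from the deck or from scip VulDB; the class assignment of the
fields and the sample entries are assumptions made for this example."""
from __future__ import annotations
from statistics import mean

# Slide 10: important = must be processed if the source offers it,
# normal = shall be processed, optional = only if there is time.
# The deck counts 33/32/85 such fields; this is a small assumed subset.
PRIORITY = {
    "software_vendor": "important",
    "software_name": "important",
    "software_version": "important",
    "vulnerability_class": "important",
    "vulnerability_risk": "important",
    "advisory_date": "important",
    "advisory_identifier": "important",
    "countermeasure_name": "important",
    "vulnerability_cvss_av": "normal",
    "vulnerability_cvss_ac": "normal",
    "vulnerability_cvss_au": "normal",
    "exploit_availability": "normal",
    "exploit_publicity": "normal",
    "exploit_developer_nickname": "optional",
    "exploit_wormified": "optional",
    "exploit_googlehack": "optional",
    "software_freetext_de": "optional",
}


def is_defined(value) -> bool:
    """A data point counts as defined only if it carries a value."""
    return value not in (None, "")


def defined_points(entry: dict) -> int:
    """Number of defined data points of one entry (the count behind slide 10's statistic)."""
    return sum(1 for v in entry.values() if is_defined(v))


def missing_by_priority(entry: dict, priority: str) -> list[str]:
    """Fields of one priority class that are still undefined in the entry."""
    return sorted(f for f, p in PRIORITY.items()
                  if p == priority and not is_defined(entry.get(f)))


def needs_attention(entry: dict) -> bool:
    """True if an important field is empty: the entry is not ready to publish."""
    return bool(missing_by_priority(entry, "important"))


def completeness_stats(entries: list[dict]) -> dict:
    """Average / min / max of defined data points over all entries, as on slide 10."""
    counts = [defined_points(e) for e in entries]
    return {"average": round(mean(counts), 2), "min": min(counts), "max": max(counts)}


# Constructed sample entries (illustrative values, not real VulDB records).
ENTRIES = [
    {"software_vendor": "ExampleCorp", "software_name": "ExampleApp", "software_version": "1.2",
     "vulnerability_class": "sql injection", "vulnerability_risk": "critical",
     "advisory_date": "20140601", "advisory_identifier": "example-advisory-1",
     "countermeasure_name": "Upgrade", "vulnerability_cvss_av": "N",
     "exploit_availability": "yes", "exploit_publicity": "public"},
    {"software_vendor": "ExampleCorp", "software_name": "ExampleLib", "software_version": "",
     "vulnerability_class": "denial of service", "advisory_date": "20140602",
     "advisory_identifier": "example-advisory-2"},
]

if __name__ == "__main__":
    print(completeness_stats(ENTRIES))
    for n, e in enumerate(ENTRIES, 1):
        state = "needs attention" if needs_attention(e) else "ready"
        print(n, state, missing_by_priority(e, "important"))
```

The empty string in the second entry is deliberate: a column that exists but holds "" must count as undefined, otherwise the average of slide 10 is inflated by placeholder values.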
• 11. Sources | Possible Sources
  ◦ Vulnerability databases
  ◦ Vulnerability contributors (iDefense VCP, HP ZDI)
  ◦ Infosec mailinglists
  ◦ Vendor mailinglists
  ◦ Vendor advisories
  ◦ Code repositories
  ◦ News
  ◦ Blogs
  ◦ Social networks (e.g. Twitter, G+, LinkedIn)
  ◦ Friends, colleagues, co-workers, …
• 12. Sources | Vulnerability Databases: Advantages and Disadvantages
  IBM X-Force (http://xforce.iss.net)
    Pros: good coverage; CVSSv2 base scores; CVSSv2 temporal scores; CVE support
    Cons: sometimes a bit slow (2-3 updates per week); «arbitrary» listing (default view: 5 entries, no backlog); no RSS feed
  OSVDB (http://www.osvdb.org)
    Pros: very quick (daily updates); best coverage (everything!); CVSSv2 base scores (via MITRE); CVE support
    Cons: no listing (since Feb 2014); no own risk rating (CVSSv2 only); no RSS feed (since 2012)
  Secunia (http://secunia.com/community/advisories/historic/)
    Pros: good coverage; good listing (default view: 25 entries); CVE support
    Cons: login required (since Apr 2014); some details for paying customers only; combining multiple vulnerabilities in one entry (by release/patch); they don’t like other projects (they forbade to use their listing for vulscan.nse in 2013); no RSS feed; no CVSSv2 scores
  SecurityFocus (http://www.securityfocus.com/bid)
    Pros: good coverage; CVE support; listing also shows updated entries (default view: 31 entries)
    Cons: site is slow; data for an entry is spread over 5 sub-pages; no CVSSv2 scores
  SecurityTracker (http://securitytracker.com)
    Pros: sometimes quite quick; simple listing (default view: 5 entries); CVE support
    Cons: selective coverage (popular products only); no CVSSv2 scores
• 13. Sources | Evaluation Rating Introduction
  ◦ Criteria are those we think are important
  ◦ We have addressed them as far as possible in our project (because of this prioritization)
  ◦ Rating is as fair as possible
  ◦ You might rate a bit differently

  Rating scale:
    3  Feature is supported: always/fully
    2  Feature is supported: often/partially
    1  Feature is supported: sometimes/somehow
    0  Feature is never/not supported
• 14. Sources | Vulnerability Databases: Rating
  Criteria (0-3 each, scale from slide 13): Coverage (how much), Quickness (how fast), Listing (how visible), Search (how searchable), Handling (how ergonomic), TechDetails (how detailed), RiskRating (how measured), CVSS Base, CVSS Temporal, CVE, Feeds (how accessible)

  VDB              Cov  Quick List Srch Hand Tech Risk CVSSb CVSSt CVE  Feeds Total  URL
  CERT VU           1    3     3    2    2    3    0    3     3    3    3     26    http://www.kb.cert.org/vuls/
  Exploit-DB        1    3     3    3    2    2    0    0     0    3    3     20    http://www.exploit-db.com
  IBM X-Force       3    1     1    1    2    2    0    3     3    3    0     19    http://xforce.iss.net
  NIST NVD          2    1     3    3    2    2    0    3     0    3    3     22    http://nvd.nist.gov
  MITRE CVE         2    1     3    2    2    2    0    0     0    3    2     17    http://cve.mitre.org
  OSVDB             3    3     0    2    2    2    0    2     0    3    0     17    http://www.osvdb.org
  Secunia           3    2     3    3    2    2    3    0     0    3    0     21    http://secunia.com/community/advisories/historic/
  SecurityFocus     3    2     2    2    1    2    0    0     0    3    0     15    http://www.securityfocus.com/bid
  SecurityTracker   1    2     3    2    3    2    0    0     0    3    0     16    http://securitytracker.com
  scip VulDB (*)    2    2     3    2    3    3    3    3     3    3    3     30    http://www.scip.ch/en/?vuldb
  Average          2.1  2.0   2.4  2.2  2.1  2.2  0.6  1.4   0.9  3.0  1.4
  (*) rating ourselves comes with bias
• 15. Sources | Vulnerability Databases: Conclusion
  ◦ Being quick is not easy
  ◦ Technical details range from bad to good
  ◦ CVSS scores are pretty unpopular, especially «temporal scores»
  ◦ CVE has been established as the de facto standard (nice!)
  ◦ You can’t compare CERT VU, Exploit-DB, NIST NVD and MITRE CVE with anything else
  ◦ Exploit-DB inherits abstraction from researchers and is not self-consistent
  ◦ Secunia and SecurityFocus are very similar in many aspects
  ◦ X-Force and SecurityTracker remain pretty unpopular
  ◦ The «O» in OSVDB does not stand for «open» anymore
  ◦ Some features have been broken for ages (e.g. search on OSVDB and X-Force)
  ◦ Not everyone is a big fan of feeds
• 16. Sources | Vendor Advisories: Advantages and Disadvantages
  Adobe (http://helpx.adobe.com/security.html)
    Pros: product-related listing; some technical details; priority rating; CVE support
    Cons: advisory per release/upgrade; no RSS feed
  Apple
    Pros: simple technical details; CVE support
    Cons: no risk rating; no CVSSv2 scores; no listing; advisory per release/upgrade; no RSS feed
  Cisco (https://tools.cisco.com/security/center/publicationListing.x)
    Pros: advisory listing; advisory per vulnerability; sometimes additional technical details; CVSSv2 base scores; CVE support
    Cons: technical details with login only; some details for customers only; no RSS feed
  Google
    Pros: CVE support
    Cons: no listing; advisory per release/upgrade; technical details with auth only; no risk rating; no CVSSv2 scores; no RSS feed
  Microsoft (http://technet.microsoft.com/security/advisory)
    Pros: some technical details; listing (default view: 5 entries); RSS feed; severity rating
    Cons: patch day collection (2nd Tuesday of each month); no CVSSv2 scores
  Oracle (http://www.oracle.com/technetwork/topics/security/alerts-086861.html)
    Pros: simple listing; CVSSv2 base scores; CVE support
    Cons: patch day collection (quarterly); no technical details; no RSS feed
• 17. Sources | Vendor Advisories: Rating
  Criteria (0-3 each): VulnID (how unique), Frequency (how fast), Listing (how visible), TechDetails (how detailed), Risk (how measured), CVSS Base, CVSS Temporal, CVE, RSS

  Vendor       VulnID Freq  List  Tech  Risk  CVSSb CVSSt CVE   RSS   Total  URL
  FortiGuard     3     3     3     3     3     0     0     3     3     21    http://www.fortiguard.com/advisory/
  Symantec       3     3     3     3     0     3     0     3     3     21    http://www.symantec.com/security_response/securityupdates/list.jsp
  Microsoft      3     2     3     3     3     0     0     3     3     20    http://technet.microsoft.com/security/advisory
  Checkpoint     3     2     3     2     3     0     0     3     3     19    https://www.checkpoint.com/defense/advisories/public/summary.html
  Cisco          3     3     3     3     0     3     0     3     0     18    https://tools.cisco.com/security/center/publicationListing.x (details auth only)
  Oracle         1     1     3     1     3     3     0     3     3     18    http://www.oracle.com/technetwork/topics/security/alerts-086861.html
  Adobe          3     3     3     2     2     0     0     3     0     16    http://helpx.adobe.com/security.html
  HP             3     3     3     1     0     3     0     3     0     16    https://h20566.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive
  SAP            3     3     3     2     3     2     0     0     0     16    https://service.sap.com/sap/support/notes/ (auth only)
  D-Link         3     3     2     2     0     0     0     2     0     12    http://securityadvisories.dlink.com/security/
  Google         3     3     1     2     0     0     0     3     0     12    http://www.google.com (details auth only)
  Apple          1     2     1     1     0     0     0     3     0      8    http://www.apple.com
  Average      2.66  2.58  2.58  2.08  1.41  1.16  0.0   2.66  1.25
• 18. Sources | Vendor Advisories: Conclusion
  ◦ Some vendors have really ugly advisory URLs
  ◦ Technical details range from bad to good
  ◦ CVSS scores are pretty unpopular, especially «temporal scores»
  ◦ Own risk ratings are also unpopular, because they are hard
  ◦ Nearly everybody likes CVE
  ◦ Microsoft and Oracle handle things better than it felt
  ◦ Juniper has a field «Last Updated» but no «Disclosure Date»
  ◦ SAP is very restrictive with information for non-customers, which introduces a severe disadvantage (VDBs can’t categorize them, which decreases visibility)
  ◦ Vendors aren’t big fans of RSS feeds either
  • 19. Sources | Vuln Contributors: Advantages and Disadvantages
    ◦ iDEFENSE Vulnerability Contributor Program (http://www.verisigninc.com/en_US/cyber-security/index.xhtml)
      Pros: Started in 2003
      Cons: Incomplete listing; No announcement of upcoming advisories; No CVSSv2 support; No search capabilities; No RSS feed; All old links are broken since
    ◦ Zero Day Initiative (http://www.zerodayinitiative.com)
      Pros: Provide announcement for upcoming advisories; Provide CVSSv2 Base Scores; RSS feeds available
      Cons: No search capabilities
  • 20. Sources | Vuln Contributors: Rating
    Columns: Listing (how visible), Search (how searchable), Handling (how ergonomic), TechDetails (how detailed), RiskRating (how measured), CVSS Base, CVSS Temporal, CVE, RSS, Total
    Project                                   List  Search  Handl  Tech  Risk  CVSSb  CVSSt  CVE  RSS  Total
    iDEFENSE Vulnerability Contributor Program  3     0       3      2     0     0      0      3    0    11   http://www.verisigninc.com/en_US/cyber-security/index.xhtml
    Zero Day Initiative                         3     0       3      2     0     3      0      3    3    17   http://www.zerodayinitiative.com
    Average                                   3.0   0.0     3.0    2.0   0.0   1.5    0.0    3.0  1.5
  • 21. Sources | Vuln Contributors: Conclusion
    ◦ Only 2 major players
    ◦ They are quite similar in most aspects
    ◦ Zero Day Initiative has two advantages: CVSSv2 and RSS support
    ◦ More competition might increase quality
  • 22. Interpretation | How to Analyze
    ◦ The basic approach of processing a source is simple:
      1. Check source for new entries
      2. Review source entry
      3. Add necessary data to database
         1. If entry is available → Update existing entry
         2. If entry is not available → Create new entry
         3. If source is false-positive → Ignore entry and flag for future reference
      4. Goto 1
  • 23. Interpretation | MITRE CVE as an Example
    (screenshot of a MITRE CVE entry, annotated with the fields: cve, description, advisory, cert vu, software)
  • 24. Interpretation | MITRE CVE as an Example: What Is Missing?
    ◦ What's missing on a MITRE CVE entry?
      ◦ Disclosure date
      ◦ Exact naming of vulnerability class
      ◦ Risk rating
      ◦ Person responsible for disclosure
      ◦ Detailed mitigation/countermeasure
      ◦ …
  • 25. Interpretation | OSVDB as an Example
    (screenshot of an OSVDB entry, annotated with the fields: cve, sectracker, product, version, description, date, exploit, news)
  • 26. Interpretation | Contradicting Conventions (Disclosure Date)
    (screenshots of two sources giving different disclosure dates for the same issue: 02/19/2014 and 02/26/2014)
  • 27. Interpretation | Contradicting Conventions (Disclosure Date)
    (timeline figure for CVE-2014-2284, net-snmp 5.7.1 on Linux ICMP-MIB Denial of Service: the sources SourceForge ReleaseNote, SecFocus, SecTracker, VulDB, OSVDB, Secunia, RedHat, oss-security and CVE each place the disclosure at a different day between 02/19/2014 and 03/24/2014; oss-security: 03/05/2014)
    ◦ Our definition of a (public) disclosure date: The earliest known date on which an issue was disclosed to the public in an unrestricted way.
    ◦ (we're going to adopt a more differentiated approach in the near future)
  • 28. Interpretation | Put the Different Pieces Together
    Columns: Product, Version, VulnClass, Disclosure Date, Advisory URL, Attack Context, Exploit, Solution, VulnDB Sources, Misc. Links, Total
    VDB              Prod  Ver  Class  Date  AdvURL  Ctx  Expl  Sol  VDBsrc  Links  Total
    CERT VU           3     2    3      2     3      3    1     3    0       1      21   http://www.kb.cert.org/vuls/
    Exploit-DB        3     2    2      2     2      1    3     1    1       0      17   http://www.exploit-db.com
    IBM X-Force       3     2    2      3     2      3    1     2    2       2      22   http://xforce.iss.net
    NIST NVD          2     2    3      0     3      1    1     1    3       3      19   http://nvd.nist.gov
    MITRE CVE         2     2    2      0     3      1    1     1    3       3      18   http://cve.mitre.org
    OSVDB             3     3    3      3     3      3    3     3    3       3      30   http://www.osvdb.org
    Secunia           2     2    2      2     3      1    1     2    0       0      15   http://secunia.com/community/advisories/historic/
    SecurityFocus     3     3    3      3     2      1    2     2    0       1      20   http://www.securityfocus.com/bid
    SecurityTracker   3     3    3      1     2      3    1     3    0       1      20   http://securitytracker.com
    scip VulDB        3     3    3      3     3      3    3     3    3       3      30   http://www.scip.ch/en/?vuldb
    Average          2.7   2.4  2.6    1.9   2.6    2.0  1.7   2.1  1.5     1.7
  • 29. Sources | Vulnerability Databases: Conclusion
    ◦ OSVDB provides the best collection of data
    ◦ Secunia provides the worst collection of data
    ◦ SecurityFocus and Secunia usually don't provide context
    ◦ X-Force, SecurityTracker and Secunia don't provide exploit details
    ◦ SecurityTracker and Secunia have confusing disclosure dates
    ◦ SecurityFocus, SecurityTracker and Secunia don't link to other VDBs
  • 30. Correlation | That's Why You Have to Correlate
    ◦ Approach
      ◦ Merge different sources
      ◦ Compare similar data points
      ◦ Identify and verify contradictions
    ◦ Dangers
      ◦ Duplicates: produce annoying inconsistencies
      ◦ Merges: produce dangerous mashups
  • 31. Correlation | Now Things Are Getting Tricky
    ◦ Sometimes vulnerabilities can't be identified individually
    ◦ CVE helps a lot! But not every vulnerability has a CVE number (immediately)
    ◦ Some sources merge vulnerabilities into one entry
      ◦ Vendors do this within their patch release notes or patch days
      ◦ Secunia tends to compile different vulnerabilities of the same day or patch generation into one entry (e.g. 58519). SecurityFocus does it sometimes (e.g. 67553) and so does SecurityTracker in some cases (e.g. 1030269).
    ◦ Vulnerabilities with very few technical details often can't be distinguished from similar vulnerabilities (e.g. Apple HT6145: no info available, but CVE assigned)
  • 32. Correlation | Keep Track, Detect Collisions
    ◦ Keep track of your sources and the entries already reviewed
    ◦ Verify that every new entry is really new and not just a duplicate or a minor fork of an existing entry. This is a very underestimated task!
    ◦ We do that with collision detection
      ◦ Compare new values with existing values of other entries (e.g. URLs, IDs, references). If a specified level of matches is reached, we have to check for a duplicate.
      ◦ Our reference maps help to distinguish entries. Projects like vFeed support this very well. [https://github.com/toolswatch/vFeed/]
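The ingest loop from slide 22 (update / create / ignore) combined with the reference-based collision detection described here, as an added Python example; this is not the scip VulDB implementation, and the reference fields, the match threshold and the entry records are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed reference fields whose values identify the same issue across sources.
REFERENCE_FIELDS = ("cve", "advisory_url", "bid", "osvdb")

@dataclass
class Entry:
    id: int
    refs: dict                       # reference field -> value
    sources: set = field(default_factory=set)

class VulnDB:
    """Minimal in-memory database implementing the slide's loop:
    update if the entry exists, create if not, ignore and flag false positives.
    'Exists' is decided by collision detection on shared reference values."""
    def __init__(self, match_threshold=2):
        self.entries = {}            # id -> Entry
        self.ignored = []            # flagged false positives: (source, refs)
        self.next_id = 1
        self.match_threshold = match_threshold   # assumed "specified level of matches"

    def collisions(self, refs):
        """(entry, number of shared reference values), best match first."""
        hits = []
        for entry in self.entries.values():
            shared = sum(1 for k in REFERENCE_FIELDS
                         if refs.get(k) and entry.refs.get(k) == refs[k])
            if shared:
                hits.append((entry, shared))
        return sorted(hits, key=lambda h: -h[1])

    def process(self, source, refs, false_positive=False):
        """Handle one reviewed source entry; returns (action, entry id)."""
        if false_positive:                       # step 3.3: ignore, keep for reference
            self.ignored.append((source, refs))
            return ("ignore", None)
        hits = self.collisions(refs)
        if hits and hits[0][1] >= self.match_threshold:   # step 3.1: same issue -> update
            entry = hits[0][0]
            entry.refs.update({k: v for k, v in refs.items() if v})
            entry.sources.add(source)
            return ("update", entry.id)
        if hits:                                 # partial overlap: possible duplicate or
            return ("review", hits[0][0].id)     # minor fork, needs a manual check (assumed)
        entry = Entry(self.next_id, {k: v for k, v in refs.items() if v}, {source})
        self.entries[entry.id] = entry           # step 3.2: new issue -> create
        self.next_id += 1
        return ("create", entry.id)
```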
  • 33. Correlation | To Split or Not to Split
    ◦ Granularity of the split and the resulting number of entries for the example advisory:
      ◦ Advisory/Patch → 1 entry
      ◦ Vuln Class → 2 entries
      ◦ Component → 3 entries
      ◦ File → 4 entries
      ◦ Parameter → 5 entries
    ◦ Example structure of Advisory #VA42:
      ◦ Cross Site Scripting
        ◦ User Auth: login.php (login_user, login_pass)
        ◦ News Portal: news.php (news_id); archive.php (news_year)
      ◦ SQL Injection
        ◦ Board: forum.php (post_id)
  • 34. Correlation | Split Example (MS Patch Day, IE Vulns, Feb 2014)
    Microsoft (combined): MS14-010
    Secunia (combined):   SA56796
    CVE (vuln split)    SecFocus* (vuln split)    VulDB (vuln split)
    CVE-2014-0267       BID 65361                 SID 12242
    CVE-2014-0268       BID 65392                 SID 12239
    …                   …                         …
    CVE-2014-0293       BID 65394                 SID 12241
    * SecurityFocus often combines (e.g. BID 67553)
  • 35. Correlation | Unwanted Split (cPanel, Dec 2013)
    ◦ TSR 2013-0011, http://cpanel.net/tsr-2013-0011-full-disclosure/
      ◦ 12/18/2013 cPanel WHM Reseller Login Handler Cookie information disclosure
      ◦ 12/18/2013 cPanel WHM Login Security Handler Token information disclosure
      ◦ 12/18/2013 cPanel WHM Branding Subsystem privilege escalation
      ◦ 12/18/2013 cPanel WHM usr/local/cpanel/share/counter privilege escalation
      ◦ 12/18/2013 cPanel WHM Daily Process Log Screen Stored cross site scripting
      ◦ 12/18/2013 cPanel WHM cPAddons Upgrade Handler Password information disclosure
      ◦ 12/18/2013 cPanel WHM Edit DNS Zone Interface information disclosure
      ◦ 12/18/2013 cPanel WHM SSH Authentication Handler privilege escalation
      ◦ 12/18/2013 cPanel WHM X3 Theme countedit.cgi Directory Traversal
      ◦ 12/18/2013 cPanel WHM Bandmin passwd privilege escalation
      ◦ 12/18/2013 cPanel WHM cpsrvd Bypass privilege escalation
      ◦ 12/18/2013 cPanel WHM Bandmin Reflected cross site scripting
      ◦ 12/18/2013 cPanel WHM API Call Handler UI::dynamicincludelist Directory Traversal
      ◦ 12/18/2013 cPanel WHM Database Handler privilege escalation
      ◦ 12/18/2013 cPanel WHM Backup Archive Handler privilege escalation
      ◦ 12/18/2013 cPanel WHM Config Handler Cross Site Request Forgery
      ◦ 12/18/2013 cPanel WHM Translatable Phrase Handler Locale::Maketext privilege escalation
      ◦ 12/18/2013 cPanel WHM CSRF Protection Bypass Cross Site Request Forgery
      ◦ 12/18/2013 cPanel WHM cross site scripting
      ◦ 12/18/2013 cPanel WHM Logaholic Session File Handler /tmp privilege escalation
      ◦ 12/18/2013 cPanel WHM Virtualhost Installation Handler privilege escalation
  • 36. Correlation | Split Pros and Cons
    ◦ Advisory / Patch
      ◦ Few entries
      ◦ Good for overview
      ◦ Good for patch management
    ◦ Vulnerability
      ◦ Some entries
      ◦ Possible splits for 3rd party components
    ◦ Element
      ◦ A lot of entries
      ◦ Good for statistical analysis
  • 37. Quality | How to Provide the Best?
    ◦ Try to verify statements from researchers, vendors and vulnerability database maintainers
      ◦ Check for plausibility
      ◦ Verify from other sources
      ◦ Re-test within a lab
    ◦ Eliminate wrong statements
      ◦ Delete false entries
      ◦ Preserve false entries (preferred by CVE, SecurityFocus)
      ◦ Add further explanations
      ◦ Flag (preferred by OSVDB, scip VulDB)
        ◦ advisory_disputed=1 (e.g. scipID 13305, 13000, 12643)
        ◦ advisory_reportconfidence=UR (CVSSv2 temporal score metric)
    ◦ Try to find and compile additional details
  • 38. Extrapolation | Versions of Affected Software
    ◦ Exact Version
      ◦ «Internet Explorer 10» → X-Force, OSVDB, SecFocus, Secunia, VulDB
    ◦ Wildcards
      ◦ «Internet Explorer 6.x» → Secunia, SecFocus, SecTracker, VulDB
    ◦ Ranges
      ◦ «Internet Explorer 8 – 10» → Secunia, CVE
      ◦ «Internet Explorer prior 10» → SecurityTracker, Secunia
      ◦ «Internet Explorer before 10» → CVE
      ◦ «Internet Explorer up to 10» → VulDB
      ◦ «Internet Explorer 8 and later» → SecurityTracker
    (figure: Internet Explorer versions 6 to 11 on an axis, with the ranges «before 10», «up to 10», «8 to 10» and the exact version «10» marked)
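Normalising the version phrasings listed above into comparable ranges so that a concrete installed version can be tested against them, as an added Python example that is not VulDB code; how each phrasing is read (for instance that «prior 10» excludes 10 while «up to 10» includes it) is an assumption stated in the comments.

```python
import re

NUM = r"(\d+(?:\.\d+)*)"

def vt(s):
    """'10.0' -> (10,), '15.4.1' -> (15, 4, 1): numeric tuple, trailing .0 dropped."""
    parts = [int(p) for p in s.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def parse_version_expr(expr):
    """Map one VDB phrasing ("Internet Explorer prior 10", "8 - 10", "6.x", ...)
    to (low, high, high_inclusive, wildcard); None means unbounded."""
    e = expr.strip().lower().replace("\u2013", "-")
    start = re.search(r"\d|prior|before|up to", e)
    if not start:
        raise ValueError(f"no version information in {expr!r}")
    e = e[start.start():]                                     # drop the product name
    if m := re.fullmatch(NUM + r"\s*(?:-|to)\s*" + NUM, e):    # "8 - 10": both ends included
        return vt(m[1]), vt(m[2]), True, False
    if m := re.fullmatch(r"(?:prior|before)\s+" + NUM, e):     # "prior 10" / "before 10":
        return None, vt(m[1]), False, False                   # assumed: 10 itself not affected
    if m := re.fullmatch(r"up to\s+" + NUM, e):                # "up to 10": assumed inclusive
        return None, vt(m[1]), True, False
    if m := re.fullmatch(NUM + r"\s+and later", e):            # "8 and later": open-ended
        return vt(m[1]), None, True, False
    if m := re.fullmatch(NUM + r"\.x", e):                     # "6.x": any 6.* release
        return vt(m[1]), vt(m[1]), True, True
    if m := re.fullmatch(NUM, e):                              # exact version "10"
        return vt(m[1]), vt(m[1]), True, False
    raise ValueError(f"unrecognised version phrase: {expr!r}")

def affects(expr, version):
    """True if the concrete `version` lies inside the range `expr` describes."""
    low, high, high_inc, wildcard = parse_version_expr(expr)
    v = vt(version)
    if wildcard:                                   # prefix match for "6.x"
        return v[:len(low)] == low
    if low is not None and v < low:
        return False
    if high is not None and (v > high or (v == high and not high_inc)):
        return False
    return True
```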
  • 39. Extrapolation | What about the Unknown?
    ◦ Try to guess. Examples:
      ◦ «IE prior 9» → 6 – 9
      ◦ «IE prior 11» → 7 – 10
    ◦ Research and validate yourself
      ◦ A lot of work
      ◦ We combine this with other projects (research or pentest)
      ◦ We prioritize very important or interesting vulnerabilities
    ◦ Or stay quiet
  • 40. Delivery | Choose Your Channels
    ◦ Web Site
    ◦ Mail
    ◦ RSS
    ◦ Widgets
    ◦ Facebook
    ◦ Twitter
    ◦ LinkedIn
    ◦ App
    ◦ …
  • 41. Statistics | Comparing Apples and Oranges
    ◦ Doing some statistics is easy. Doing it the right way is hard. Some say it is even impossible. [http://blog.osvdb.org/category/vulnerability-statistics/]
    ◦ Counting vulnerabilities doesn't say anything on its own:
      ◦ Weak code leads to a lot of vulnerabilities
      ◦ Complexity leads to a lot of vulnerabilities
      ◦ Popularity leads to a lot of vulnerabilities
      ◦ Bug bounty programs lead to a lot of vulnerabilities
      ◦ An open disclosure process leads to a lot of vulnerabilities
    ◦ We still provide statistical raw data and expect the viewers to think about it
  • 42. Statistics | Timelines Are Interesting
    ◦ Our timelines consist of multiple data points
      ◦ vulnerability_introduction_date
      ◦ vulnerability_discovery_date
      ◦ vulnerability_vendorinform_date
      ◦ advisory_date
      ◦ advisory_confirm_date
      ◦ exploit_date
      ◦ countermeasure_date
      ◦ source_cve_assigned
      ◦ source_secunia_date
      ◦ source_nessus_date
      ◦ entry_timestamp_create
      ◦ entry_timestamp_update
    (figure: example timeline for Heartbleed [CVE-2014-0160])
  • 43. Statistics | Timeline Trivia (excerpt from 2014)
    ◦ [CVE-2014-0160] OpenSSL TLS/DTLS Heartbeat information disclosure: introduced on 01/01/2012, fixed on 04/07/2014
      ◦ existed for 827 days
    ◦ [CVE-2014-0179] libvirt XML Entity Expansion Handler denial of service: introduced on 12/23/2009, fixed on 05/06/2014
      ◦ existed for 1,595 days
    ◦ [CVE-2014-3122] Linux Kernel try_to_unmap_cluster() denial of service: introduced on 10/19/2008, fixed on 04/10/2014
      ◦ existed for 1,996 days
    ◦ [CVE-2014-3460] Novell NetIQ Sentinel Agent Manager directory traversal: the vendor was informed on 09/04/2013 but did not respond until 05/19/2014
      ◦ Novell ignored a grace period of 257 days
  • 44. Accessibility | Choose Additional Representations
    ◦ To allow users to work with your data, it is best to provide additional forms of representation:
      ◦ SQL
      ◦ XML
      ◦ JSON
      ◦ CSV
      ◦ CVRF [http://www.icasi.org/cvrf]
  • 45. Connectivity | Use Data for Vuln Scanning
    ◦ With our fields software_argument and software_input_value we are able to construct specific requests to create test cases and exploits (very simple for web-based vulns)
    ◦ Because of the software_* fields we are able to provide CPE lists [http://cpe.mitre.org/], which can be matched with tools like Nmap. Random examples:
      ◦ ID 12313 → cpe:/a:sap:netweaver:7.30
      ◦ ID 12802 → cpe:/o:cisco:ios:15.4(1.1)t
      ◦ ID 13306 → cpe:/a:microsoft:internet_explorer:8
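Deriving CPE identifiers from the software_* fields and matching a scanner-reported CPE against them, as an added Python example (not the scip VulDB code); the field names software_type/software_vendor/software_name/software_version, the software_type values, the part mapping and the simplified component encoding are assumptions, while the three records reuse the IDs and CPEs shown on this slide.

```python
import re

# Assumed mapping from the software_type field to the CPE "part" component.
PART_BY_TYPE = {"application": "a", "operating system": "o", "hardware": "h"}

def cpe_component(value):
    """Normalise one field value for a CPE 2.2 URI: lowercase, whitespace to '_',
    anything outside [a-z0-9._()-] percent-encoded (simplified rule, assumed)."""
    value = re.sub(r"\s+", "_", value.strip().lower())
    return "".join(c if re.fullmatch(r"[a-z0-9._()\-]", c) else f"%{ord(c):02X}"
                   for c in value)

def build_cpe(record):
    """Build cpe:/<part>:<vendor>:<product>[:<version>] from the software_* fields."""
    part = PART_BY_TYPE[record["software_type"].lower()]
    comps = [cpe_component(record[k]) for k in ("software_vendor", "software_name")]
    version = record.get("software_version", "").strip()
    if version:                                  # omitted version = all versions
        comps.append(cpe_component(version))
    return "cpe:/" + part + ":" + ":".join(comps)

def parse_cpe(uri):
    """Split a CPE 2.2 URI into (part, vendor, product, version); '' if no version."""
    m = re.fullmatch(r"cpe:/([aoh]):([^:]*):([^:]*)(?::([^:]*))?.*", uri)
    if not m:
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    return m[1], m[2], m[3], m[4] or ""

def cpe_matches(db_cpe, scanned_cpe):
    """True if a scanner-reported CPE falls under a database CPE; an empty
    database version acts as a wildcard for any version."""
    d, s = parse_cpe(db_cpe), parse_cpe(scanned_cpe)
    return d[:3] == s[:3] and (d[3] == "" or d[3] == s[3])

def affected_entries(records, scanned_cpe):
    """IDs of database records whose generated CPE covers the scanned CPE."""
    return [r["id"] for r in records if cpe_matches(build_cpe(r), scanned_cpe)]

# Constructed records reproducing the three CPEs shown on the slide.
RECORDS = [
    {"id": 12313, "software_type": "application", "software_vendor": "SAP",
     "software_name": "NetWeaver", "software_version": "7.30"},
    {"id": 12802, "software_type": "operating system", "software_vendor": "Cisco",
     "software_name": "IOS", "software_version": "15.4(1.1)T"},
    {"id": 13306, "software_type": "application", "software_vendor": "Microsoft",
     "software_name": "Internet Explorer", "software_version": "8"},
]
```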
  • 46. Outro | Summary
    ◦ Vulnerability databases help to manage vulnerabilities
    ◦ Different sources make it possible to collect a broad range of issues
    ◦ Every source has some advantages and disadvantages
    ◦ Compiling and maintaining vulnerabilities takes a lot of effort
    ◦ Making your data accessible helps others
  • 47. Outro | Thank You
    ◦ I'd like to thank a number of people who helped to discuss the many interesting aspects of vulnerability database management:
      ◦ Stefan Friedli, scip AG
      ◦ Steven M. Christey, MITRE
  • 49. Security Is Our Business!
    scip AG, Jakob-Fügli-Strasse 18, CH-8048 Zürich
    Tel +41 44 404 13 13, Fax +41 44 404 13 14
    Mail info@scip.ch, Web http://www.scip.ch, Twitter http://twitter.com/scipag
    ◦ Strategy | Consulting
    ◦ Auditing | Testing
    ◦ Forensics | Analysis