Vulnerability Funaliticswith vulners.com

Kir ErmakovSkolkovo Cyberday, 2016

2

#:whoami

- vulners.com founder

- QIWI Group CTO/CISO

- Web penetration tester

- Member of “hall-of-fames” (Yandex, Mail.ru, Apple and so on)

3

Vulners Database

- Google-style search engine

- 595.000+ security advisories, exploits and CVE’s

- 65 sources of content

- Security awareness subscriptions

- Linux audit API

4

CVE is not a vulnerability

- Suggested to be industry standard

- It’s just identifier

- It’s not forced to use

- Usually ignored

% of advisories without references

5

Reserved forever

- Dead CVEs

- Private vulnerabilities

- Mistakes

6

31337 CVE references

- CVE-2016-1000000

- CVE-2103-0989

- CVE-2014-123456

- CVE-2012-58626428

7

Nessus vs. OpenVAS

- All CVEs: 80196

- Nessus CVE links: 35032

- OpenVAS CVE links: 29240

8

Nessus vs. OpenVAS

- All CVEs: 80196

- Nessus CVE links: 35032

- OpenVAS CVE links: 29240

2673 OpenVAS

6639 Nessus

38207 OpenVAS 50896 Nessus

9

Vendor patch racingAverage “time to patch” in days

10

Scanner racing: RedHat

11

Scanner racing: Debian

12

What about exploit DBs?

- Nobody really cares

- It’s really hard to find the one, who marked CVE

- Match hell

% of exploits without references

13

Unique content. ORLY?

- Aggregation or plagiarism?

- Who was the origin?

- ±41% are duplicates

14

Exploit DBs

- Unique content they said

- Ultimate collection they said

- Matched to CVE they said

15

Thanks

- isox@vulners.com

- Analyze with us

- We are really trying to make this world better

- Stop paying for features that are available for free