Vulnerability management is the identification, evaluation and classification of vulnerabilities and the selection of a remedy for them. It relies on vulnerability information repositories, one of which is the Advanced Monitoring Vulnerability Management System.

Our solution tracks the publication of vulnerability information for operating systems (Windows, Linux/Unix-based), office and application software, firmware, and information security tools.

Data sources

The database of the "Prospective Monitoring" Vulnerability Management System is automatically replenished from the following sources:

  • Data Bank of Information Security Threats (BDU BI) of the FSTEC of Russia.
  • National Vulnerability Database (NVD) of NIST.
  • Red Hat Bugzilla.
  • Debian Security Bug Tracker.
  • CentOS Mailing List.

We also replenish our vulnerability database by an automated method. We have developed a web crawler and an unstructured-data parser that every day analyze more than a hundred foreign and Russian sources for a set of keywords: groups in social networks, blogs, microblogs, and media dedicated to information technology and information security. If these tools find something that satisfies the search criteria, an analyst manually verifies the information and enters it into the vulnerability database.

Software Vulnerability Control

Using the Vulnerability Management System, developers can control the presence and status of discovered vulnerabilities in third-party components of their software.

For example, in the Secure Software Development Life Cycle (SSDLC) model of Hewlett Packard Enterprise, control of third-party libraries occupies a central place.

Our system monitors the presence of vulnerabilities in parallel versions / builds of the same software product.

It works like this:

1. The developer sends us a list of third-party libraries and components that are used in the product.

2. We check daily:

b. whether there are methods to eliminate previously discovered vulnerabilities.

3. We notify the developer if the status or scoring of the vulnerability has changed, in accordance with the specified role model. This means that different development teams within the same company will only be notified and see the status of vulnerabilities for the product they are working on.

The alert frequency of the Vulnerability Management System can be configured freely, but when a vulnerability with a CVSS score greater than 7.5 is found, developers receive an immediate alert.
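The daily re-check, role-based notification and the CVSS 7.5 rule described above, as an added illustration that is not code from the Vulnerability Management System; the component lists, vulnerability snapshots, product names and team-to-product mapping are constructed:

```python
"""Daily re-check of a product's third-party components against a vulnerability feed."""
from dataclasses import dataclass

IMMEDIATE_THRESHOLD = 7.5  # findings above this CVSS score are alerted at once


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    component: str
    version: str
    cvss: float
    status: str  # e.g. "new" or "fix available"


# Constructed component lists submitted by two teams of the same company.
PRODUCT_COMPONENTS = {
    "billing": {("libfoo", "1.2.0"), ("zlibx", "3.0.1")},
    "portal": {("libfoo", "1.2.0"), ("webkitx", "9.1")},
}
# Constructed role model: each team only sees findings for its own product.
TEAM_PRODUCT = {"team-a": "billing", "team-b": "portal"}

# Constructed snapshots of the vulnerability database, "yesterday" and "today".
YESTERDAY = {
    ("libfoo", "1.2.0"): [Finding("VULN-0001", "libfoo", "1.2.0", 6.1, "new")],
}
TODAY = {
    ("libfoo", "1.2.0"): [Finding("VULN-0001", "libfoo", "1.2.0", 6.1, "fix available")],
    ("webkitx", "9.1"): [Finding("VULN-0002", "webkitx", "9.1", 9.8, "new")],
}


def daily_check(product, before, after):
    """Return findings that are new, or whose status or score changed since yesterday."""
    changed = []
    for comp in PRODUCT_COMPONENTS[product]:
        old = {f.vuln_id: f for f in before.get(comp, [])}
        for f in after.get(comp, []):
            prev = old.get(f.vuln_id)
            if prev is None or prev.status != f.status or prev.cvss != f.cvss:
                changed.append(f)
    return changed


def notifications(team, before=YESTERDAY, after=TODAY):
    """Findings the team is allowed to see, each tagged with its alert urgency."""
    product = TEAM_PRODUCT[team]
    return [
        (f.vuln_id, "immediate" if f.cvss > IMMEDIATE_THRESHOLD else "scheduled")
        for f in daily_check(product, before, after)
    ]
```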

Integration with ViPNet TIAS

The ViPNet Threat Intelligence Analytics System software and hardware complex automatically detects computer attacks and identifies incidents based on events coming from various information security event sources. The main source of events for ViPNet TIAS is ViPNet IDS, which analyzes incoming and outgoing network traffic using the AM Rules decision-rule bases developed by Perspective Monitoring. Some of the signatures are written to detect the exploitation of vulnerabilities.

If ViPNet TIAS detects an information security incident in which a vulnerability was exploited, all information related to that vulnerability, including methods for eliminating it or compensating for its negative impact, is automatically entered into the incident card from the Vulnerability Management System (SMS).

The incident management system also helps in the investigation of information security incidents by providing analysts with information about indicators of compromise and the information infrastructure nodes potentially affected by the incident.

Monitoring the presence of vulnerabilities in information systems

Another scenario for using a vulnerability management system is on-demand scanning.

The customer independently generates a list of the system and application software and components installed on a node (workstation, server, DBMS, information security tool (SZI), network equipment) using built-in tools or a script developed by us, transfers this list to the SMS, and receives a report on the detected vulnerabilities and periodic notifications about their status.

Differences between the System and common vulnerability scanners:

  • Does not require installation of monitoring agents on hosts.
  • Does not create a load on the network, since the solution architecture has no agents or scanning servers.
  • Does not create a load on the equipment, since the list of components is produced by system commands or a lightweight open-source script.
  • Eliminates the possibility of information leakage. "Prospective Monitoring" cannot reliably learn anything about the physical or logical location or the functional purpose of a node in an information system. The only information that leaves the customer's controlled perimeter is a txt file with a list of software components. The customer checks the content of this file and uploads it to the SMS himself.
  • For the system to work, we do not need accounts on the controlled nodes. Information is collected by the node administrator on his own behalf.
  • Information is exchanged securely over ViPNet VPN, IPsec or HTTPS.

Connecting to the "Prospective Monitoring" vulnerability management service helps the customer fulfil requirement ANZ.1 "Identification and analysis of information system vulnerabilities and prompt elimination of newly identified vulnerabilities" of FSTEC of Russia Orders No. 17 and 21. Our company holds an FSTEC of Russia licence for the technical protection of confidential information.

Price

The minimum cost is 25,000 rubles per year for 50 nodes connected to the system with a valid contract for connection to

Another way to look at this problem is that companies need to respond quickly when an application has a vulnerability. This requires that the IT department be able to definitively track installed applications, components and patches using automation and standard tools. There is an industry effort to standardize software tags (ISO 19770-2): XML files installed with an application, component or patch that identify the installed software and, in the case of a component or patch, which application it belongs to. The tags carry publisher authority information, version information, and a list of files with file name, a secure file hash and size, which can be used to confirm that the application is installed on the system and that its binaries have not been modified by a third party. The tags are signed with the publisher's digital signature.

When a vulnerability becomes known, IT departments can use their asset management software to immediately identify systems with the vulnerable software and take steps to update them. Tags can be part of a patch or update and can then be used to verify that the patch has been installed. In this way, IT departments can use resources such as the NIST National Vulnerability Database as a feed for their asset management tools, so that as soon as a vendor submits a vulnerability to the NVD, IT can immediately compare the new vulnerabilities with what is currently installed.

A group of companies is working through an IEEE/ISTO non-profit called TagVault.org (www.tagvault.org) with the US government on a standard implementation of ISO 19770-2 that will enable this level of automation. Tags conforming to this implementation will most likely become mandatory for software sold to the US government at some point in the next couple of years.
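Checking an installed application against its software identification tag, as described above: an added example, not TagVault's, NIST's or the article's code. The tag XML and the "installed files" are constructed; the element layout (SoftwareIdentity, Entity, Payload, File with a SHA-256 hash attribute) is modelled on the ISO 19770-2:2015 schema as the author understands it, and verification of the tag's own signature is assumed to have been done separately.

```python
"""Verify that installed files match the size and SHA-256 hash recorded in a SWID tag."""
import hashlib
import xml.etree.ElementTree as ET

NS = {"swid": "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"}
SHA256_ATTR = "{http://www.w3.org/2001/04/xmlenc#sha256}hash"

# Constructed stand-in for files on disk: relative path -> file bytes.
INSTALLED = {
    "bin/acme-app": b"ELF binary of the constructed ACME app 2.3.1",
    "lib/libacme.so": b"shared library shipped with it",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_tag(files: dict) -> str:
    """Constructed tag of the kind a publisher would ship next to the application."""
    file_elems = "".join(
        f'<File name="{name}" size="{len(data)}" n8060:hash="{sha256_hex(data)}"/>'
        for name, data in files.items()
    )
    return (
        '<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" '
        'xmlns:n8060="http://www.w3.org/2001/04/xmlenc#sha256" '
        'name="ACME App" version="2.3.1" tagId="example.acme-app-2.3.1" '
        'versionScheme="multipartnumeric">'
        '<Entity name="ACME Corp" regid="example.com" role="softwareCreator tagCreator"/>'
        f"<Payload>{file_elems}</Payload></SoftwareIdentity>"
    )


def verify_tag(tag_xml: str, installed: dict):
    """Return (name, version, files whose size or hash differs or that are missing)."""
    root = ET.fromstring(tag_xml)
    mismatches = []
    for f in root.iterfind(".//swid:File", NS):
        name = f.get("name")
        data = installed.get(name)
        if (data is None
                or int(f.get("size")) != len(data)
                or f.get(SHA256_ATTR) != sha256_hex(data)):
            mismatches.append(name)
    # name and version feed the software inventory that is compared against the NVD
    return root.get("name"), root.get("version"), mismatches
```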

So in the end, it is good practice not to publish which applications and specific software versions you are using, but that can be difficult, as previously stated. You want to make sure you have an accurate, up-to-date software inventory, that it is regularly compared against a list of known vulnerabilities such as the NIST NVD, and that the IT department can take immediate action to remediate the threat. This, together with up-to-date intrusion detection, anti-virus scanning and other blocking methods, will at the very least make it very difficult to compromise your environment, and if and when it is compromised, the compromise will not go undetected for long.

In some cases, vulnerabilities arise from the use of development tools of various origins, which increases the risk of sabotage-type defects in the program code.

Vulnerabilities appear due to the addition of third-party components or freely distributed code (open source) to the software. Other people's code is often used "as is" without thorough analysis and security testing.

It should not be ruled out that there are insider programmers in the team who deliberately introduce additional undocumented functions or elements into the product being created.

Classification of software vulnerabilities

Vulnerabilities arise as a result of errors made during the design phase or while writing the program code.

Depending on the stage of appearance, this type of threat is divided into design, implementation and configuration vulnerabilities.

  1. Design errors are the most difficult to detect and correct. These are inaccuracies in algorithms, backdoors, inconsistencies in the interfaces between modules or in the protocols of interaction with the hardware, and the use of suboptimal technologies. Eliminating them is very time-consuming, partly because they surface in non-obvious situations, for example when the traffic volume is exceeded or when a large amount of additional equipment is connected, which complicates maintaining the required level of security and opens up ways to bypass the firewall.
  2. Implementation vulnerabilities appear at the stage of writing a program or introducing security algorithms into it. These are incorrect organization of the computational process and syntactic and logical defects. There is a risk that such a flaw will lead to buffer overflows or other kinds of problems. Their discovery takes a long time, and their elimination involves fixing particular sections of the code.
  3. Hardware and software configuration errors are very common. Their usual causes are poor-quality development and a lack of tests for the correct operation of additional features. Simple passwords and default accounts left unchanged also fall into this category.

According to statistics, vulnerabilities are most often found in popular and widespread products: desktop and mobile operating systems and browsers.

Risks of using vulnerable programs

The programs in which the largest number of vulnerabilities are found are installed on almost every computer, so cybercriminals have a direct interest in finding such flaws and writing exploits for them.

Since quite a long time passes between the discovery of a vulnerability and the publication of a fix (patch), there are plenty of opportunities to infect computer systems through security holes in the code. In such a case the user only needs to open, for example, a malicious PDF file containing an exploit once, after which the attackers gain access to the data.

Infection in the latter case occurs according to the following algorithm:

  • The user receives a phishing e-mail that appears to come from a trusted sender.
  • The file with the exploit is attached to the letter.
  • If the user opens the file, the computer is infected with a virus, a trojan (such as ransomware) or other malware.
  • Cybercriminals gain unauthorized access to the system.
  • Valuable data is stolen.

Research conducted by various companies (Kaspersky Lab, Positive Technologies) shows that there are vulnerabilities in almost any application, including antiviruses. Therefore, the probability of installing software containing flaws of varying degrees of criticality is very high.

To minimize the number of gaps in software, it is necessary to use an SDL (Security Development Lifecycle). SDL practices are used to reduce the number of bugs in applications at all stages of their creation and support. Thus, when designing software, information security specialists and programmers model cyber threats in order to find vulnerabilities. During programming, the process includes automated tools that immediately report potential flaws. Developers aim to significantly limit the features available to unverified users, which reduces the attack surface.

To minimize the impact of vulnerabilities and damage from them, you must follow some rules:

  • Quickly install developer-released fixes (patches) for applications or, preferably, enable automatic updates.
  • If possible, do not install dubious programs whose quality and technical support raise questions.
  • Use dedicated vulnerability scanners or the specialized functions of antivirus products that search for security errors and update software where necessary.

Currently, a large number of tools have been developed to automate the search for software vulnerabilities. This article will discuss some of them.

Introduction

Static code analysis is analysis performed on the source code of a program without actually executing the program under study.

Software often contains various vulnerabilities caused by errors in the program code. Errors made during development can, in some situations, lead to a crash and thus disrupt the normal operation of the program: data is changed or corrupted, and the program or even the whole system stops. Most vulnerabilities are related to incorrect processing of data received from outside, or to insufficiently strict verification of that data.

Various tools are used to identify vulnerabilities, for example the static source code analyzers reviewed in this article.

Classification of security vulnerabilities

When the requirement that the program operate correctly on all possible input data is violated, so-called security vulnerabilities can emerge. Security vulnerabilities allow one program to be used to overcome the security restrictions of the system as a whole.

Classification of security vulnerabilities depending on software errors:

  • Buffer overflow. This vulnerability arises from a lack of bounds checking on arrays in memory during program execution. When an overly large data packet overflows the limited buffer, the contents of adjacent memory cells are overwritten, and the program misbehaves or crashes. According to where the buffer lies in process memory, buffer overflows are divided into stack buffer overflow, heap buffer overflow and static data area (bss) buffer overflow.
  • Tainted input vulnerabilities. These can occur when user input is passed, without sufficient control, to an interpreter of some external language (usually a Unix shell or SQL). The user can then craft the input so that the launched interpreter executes a completely different command from the one intended by the authors of the vulnerable program.
  • Format string vulnerabilities. This type of security vulnerability is a subclass of the tainted input vulnerability. It arises from insufficient parameter control when using the formatted I/O functions of the C standard library (printf, fprintf, scanf, etc.). These functions take as one of their parameters a character string that specifies the input or output format for the subsequent arguments. If the user can control the format string, the formatting functions can be made to misbehave.
  • Vulnerabilities resulting from synchronization errors (race conditions). Problems associated with multitasking lead to situations called race conditions: a program not designed to run in a multitasking environment may assume, for example, that the files it uses cannot be changed by another program while it runs. As a result, an attacker who replaces the contents of these working files at the right moment can force the program to perform unintended actions.

Of course, in addition to those listed, there are other classes of security vulnerabilities.
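The tainted input class described above, shown with an SQL interpreter: the lookup that splices untrusted text into the statement next to its hardened, parameterized form, plus an input allowlist as a second line of defence. This is an added example, not code from the article; the in-memory table, its rows and the tainted input string are constructed.

```python
"""Tainted input reaching an SQL interpreter: vulnerable and hardened lookups side by side."""
import re
import sqlite3

LOGIN_RE = re.compile(r"^[a-z0-9_]{1,32}$")  # constructed allowlist for login names


def make_db() -> sqlite3.Connection:
    """Constructed user table; the secrets are placeholders."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (login TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s1"), ("bob", "s2"), ("carol", "s3")])
    return con


def lookup_vulnerable(con, login: str) -> list:
    # Untrusted text is spliced into the statement, so the interpreter parses it as SQL.
    sql = f"SELECT login FROM users WHERE login = '{login}'"
    return [row[0] for row in con.execute(sql)]


def lookup_hardened(con, login: str) -> list:
    # Bound parameters are handed to the engine as data and never parsed as SQL.
    sql = "SELECT login FROM users WHERE login = ?"
    return [row[0] for row in con.execute(sql, (login,))]


def validate_login(login: str) -> bool:
    """Allowlist check applied before the data reaches any interpreter."""
    return LOGIN_RE.match(login) is not None


def demo():
    """Run both lookups on the same tainted input and return their results."""
    con = make_db()
    tainted = "x' OR '1'='1"  # constructed input that changes the statement's meaning
    return lookup_vulnerable(con, tainted), lookup_hardened(con, tainted)
```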

Overview of existing analyzers

The following tools are used to detect security vulnerabilities in programs:

  • Dynamic debuggers: tools that allow you to debug a program while it is running.
  • Static analyzers (static debuggers): tools that use the information accumulated during static analysis of the program.

Static analyzers indicate those places in the program where an error might be found. These suspicious code snippets can either contain a bug or be completely harmless.

This article provides an overview of several existing static analyzers. Let's take a closer look at each of them.

When Smart Scan is started, Avast checks your PC for the following types of problems and then offers suggestions to fix them.

  • Viruses: files containing malicious code that can affect the security and performance of your PC.
  • Vulnerable software: programs that need to be updated and could be used by attackers to gain access to your system.
  • Browser extensions with a bad reputation: browser extensions that are usually installed without your knowledge and affect system performance.
  • Weak passwords: passwords that are used to access more than one account on the Internet and can be easily cracked or compromised.
  • Network threats: vulnerabilities in your network that could allow attacks on your network devices and router.
  • Performance issues: objects (junk files and applications, settings-related issues) that may interfere with your PC's operation.
  • Conflicting antiviruses: antivirus software installed on the PC alongside Avast. Multiple antivirus programs slow down the PC and reduce the effectiveness of anti-virus protection.

Note. Certain issues detected by Smart Scan may require a separate license to resolve. Detection of unnecessary problem types can be disabled in .

Solving problems found

A green check mark next to a scan area indicates that no issues were found in it. A red cross means that the scan has identified one or more related issues.

To view specific details about the issues found, click Solve everything. Smart Scan shows the details of each issue and offers the option to fix it immediately by clicking Decide, or to do it later by clicking Skip this step.

Note. Antivirus scan logs can be seen in the scan history, which can be accessed by selecting Protection > Antivirus.

Managing Smart Scan Settings

To change the Smart Scan settings, select Settings > General > Smart Scan and specify which of the listed types of problems you want Smart Scan to check for.

  • Viruses
  • Outdated Software
  • Browser add-ons
  • Network Threats
  • Compatibility Issues
  • Performance Issues
  • Weak passwords

By default, all types of issues are enabled. To stop checking for a specific type of problem during a Smart Scan, click the Included slider next to the issue type so that its status changes to Turned off.

Click Settings next to Scanning for viruses to change the virus scan settings.