23 comments

[ 3.2 ms ] story [ 34.0 ms ] thread
I use the NVD feed directly:

https://nvd.nist.gov/feeds/xml/cve/misc/nvd-rss-analyzed.xml

then filter out stuff I am not interested in using the filtering features of my RSS feed reader, but the feed is so comprehensive with all sorts of reports on obscure commercial packages I've never even heard about, and with relatively poor metadata about the packages (so you can't just filter out "anything having to do with Windows since I don't use Windows").

> During the import of initial data OpenCVE will download and parse huge files, like the CPE dictionnary. For that we recommend you 3.5G RAM at least.

Why oh why are streaming parsers not used?

This is a great self-hosted solution!

We built CyberSentinel (https://www.insurtechnix.com/) to solve two problems with this approach. Firstly the raw CVE feed is quite "noisy" so you need almost full NLP to get the best out. Secondly most organisations find it challenging to get an inventory of all their SW.

We also prioritize CVEs according to whether they have exploit code, and also whether they are targeted by exploit kits. There are only about 2 dozen CVEs at any time that are exploit kit targets, so patching just those gives a huge security ROI.

Greetings fellow LORCA alumni, you're solving a real problem but the website doesn't really tell that story as well as your comment.

I also think SME's care very little of CVE prioritization whereas enterprise fights this problem day in, day out!

Agree! It is hard to sell security to SMEs! Vitamins vs. pain-killers...

We do have success with enterprise and our goal (hence the name) is to integrate with cyber-insurance.

Are you aware of https://github.com/nexB/vulnerablecode? which offers a similar solution, is also open source and written in Python.
Thanks for this link to another project that I'd prefer.

Just a small nitpick though, both are "open source" but only one of them is "free". I know that's what you meant but wanted to point it out. Some open source software that most people like (ex. Sentry) is BSL so it's not an uncommon license.

BSL is open source software but you cannot "free"ly use it (to make money) -- GPL v2 is free software.

(comment deleted)
Not a huge fan of managing something as critical like this. GitHub has a dependancy management tool and also Snyk is a great addition to our pipeline for code packages and Docker Images.

Using both in production.

What do you like about Snyk above what GitHub provides?
Sorry for the delay with this!

Snyk is a bit fiddly and I'm not totally sold with the reporting/monitoring and how they work with branches. However they monitor Docker images which is key for me.

If GitHub offered Docker images scanning I wouldn't use Snyk

Also Snyk can be put in your merge request process so always nice to tell developers a new or legacy package has a vuln and to try and bump it up

I didn’t realize there were so many CVE-based tools out there! I even have an ultra-specific one for PHP (with some extra logic for support timelines). PHP Version Audit: https://www.github.developerdan.com/php-version-audit/

One thing I’ve noticed with PHP at least, is that their release docs will regularly have the CVE listed with the details for many days before it shows up in the CVE feed- even as long as a week. Sourcing only from the feeds is a bit slow, but perhaps that is limited to the process that PHP uses?

The usage of 'open' in the name is misguided.
My startup is providing a somewhat similar service to our customers. However, we also provide intel on suspicious activity regarding the customer's software on social media and on forums. This way our beta testers were able to prevent the OWA hacks that happened a few weeks ago. It's primarily targeted towards small and medium business that usually lack some deeper knowledge in cyber security and can't monitor this stuff themselves.