then filter out stuff I am not interested in using the filtering features of my RSS feed reader, but the feed is so comprehensive with all sorts of reports on obscure commercial packages I've never even heard about, and with relatively poor metadata about the packages (so you can't just filter out "anything having to do with Windows since I don't use Windows").
We built CyberSentinel (https://www.insurtechnix.com/) to solve two problems with this approach. Firstly the raw CVE feed is quite "noisy" so you need almost full NLP to get the best out. Secondly most organisations find it challenging to get an inventory of all their SW.
We also prioritize CVEs according to whether they have exploit code, and also whether they are targeted by exploit kits. There are only about 2 dozen CVEs at any time that are exploit kit targets, so patching just those gives a huge security ROI.
Thanks for this link to another project that I'd prefer.
Just a small nitpick though, both are "open source" but only one of them is "free". I know that's what you meant but wanted to point it out. Some open source software that most people like (ex. Sentry) is BSL so it's not an uncommon license.
BSL is open source software but you cannot "free"ly use it (to make money) -- GPL v2 is free software.
Not a huge fan of managing something as critical like this. GitHub has a dependancy management tool and also Snyk is a great addition to our pipeline for code packages and Docker Images.
Snyk is a bit fiddly and I'm not totally sold with the reporting/monitoring and how they work with branches. However they monitor Docker images which is key for me.
If GitHub offered Docker images scanning I wouldn't use Snyk
Also Snyk can be put in your merge request process so always nice to tell developers a new or legacy package has a vuln and to try and bump it up
I didn’t realize there were so many CVE-based tools out there! I even have an ultra-specific one for PHP (with some extra logic for support timelines).
PHP Version Audit: https://www.github.developerdan.com/php-version-audit/
One thing I’ve noticed with PHP at least, is that their release docs will regularly have the CVE listed with the details for many days before it shows up in the CVE feed- even as long as a week. Sourcing only from the feeds is a bit slow, but perhaps that is limited to the process that PHP uses?
There is also https://dependencytrack.org/ which allows you to gather your software dependencies and notifies you when new vulnerabilities are found for them.
My startup is providing a somewhat similar service to our customers. However, we also provide intel on suspicious activity regarding the customer's software on social media and on forums. This way our beta testers were able to prevent the OWA hacks that happened a few weeks ago. It's primarily targeted towards small and medium business that usually lack some deeper knowledge in cyber security and can't monitor this stuff themselves.
23 comments
[ 3.2 ms ] story [ 34.0 ms ] threadhttps://nvd.nist.gov/feeds/xml/cve/misc/nvd-rss-analyzed.xml
then filter out stuff I am not interested in using the filtering features of my RSS feed reader, but the feed is so comprehensive with all sorts of reports on obscure commercial packages I've never even heard about, and with relatively poor metadata about the packages (so you can't just filter out "anything having to do with Windows since I don't use Windows").
https://github.com/anchore/grype
Why oh why are streaming parsers not used?
We built CyberSentinel (https://www.insurtechnix.com/) to solve two problems with this approach. Firstly the raw CVE feed is quite "noisy" so you need almost full NLP to get the best out. Secondly most organisations find it challenging to get an inventory of all their SW.
We also prioritize CVEs according to whether they have exploit code, and also whether they are targeted by exploit kits. There are only about 2 dozen CVEs at any time that are exploit kit targets, so patching just those gives a huge security ROI.
I also think SME's care very little of CVE prioritization whereas enterprise fights this problem day in, day out!
We do have success with enterprise and our goal (hence the name) is to integrate with cyber-insurance.
Just a small nitpick though, both are "open source" but only one of them is "free". I know that's what you meant but wanted to point it out. Some open source software that most people like (ex. Sentry) is BSL so it's not an uncommon license.
BSL is open source software but you cannot "free"ly use it (to make money) -- GPL v2 is free software.
https://en.m.wikipedia.org/wiki/Debian_Free_Software_Guideli...
To nitpick your nitpick: That wouldn't be open source but source-available software[0].
[0]: https://en.wikipedia.org/wiki/Source-available#Distinction_f...
https://security-tracker.debian.org/tracker/
Using both in production.
Snyk is a bit fiddly and I'm not totally sold with the reporting/monitoring and how they work with branches. However they monitor Docker images which is key for me.
If GitHub offered Docker images scanning I wouldn't use Snyk
Also Snyk can be put in your merge request process so always nice to tell developers a new or legacy package has a vuln and to try and bump it up
I once had the idea to create a CVE/Bounty platform running on Ethereum:
- wp:https://github.com/0xdefaceme/whitepaper
One thing I’ve noticed with PHP at least, is that their release docs will regularly have the CVE listed with the details for many days before it shows up in the CVE feed- even as long as a week. Sourcing only from the feeds is a bit slow, but perhaps that is limited to the process that PHP uses?