
So, hello everyone, servus, moin moin, hello Internet. Please do not use my voice to build AI models and then do silly stuff. Today I'm going to talk about a problem which is quite well known, and I suggest one of the possible tools to solve it. We will try to figure out together whether this tool might be useful for you, or whether maybe you should use another one. Nothing ultimate in this talk. This is a twenty-minute, really short talk, so I have everything on one slide; I will not click around, and that's very nice.

That's my name, sorry, it's a complicated one. I work at genua GmbH; this is a company near Munich, and we build basically firewalls, VPN solutions, secure laptops. In any case, secure hardware is what we do. Some of our hardware has certain approvals and can be used in the so-called high security domain, so you can install it in government, and then Angela Merkel is going to be protected with this stuff. If you have heard of pfSense, you know what it is: we basically bundle something similar to pfSense, but made in Germany. This is one of our main cool products. These slides are online; the deck also has further slides, but they are backup, you can check them out later.

I'm going to talk about vulnerability management. Who is aware of the OWASP Top 10 project? Oh, that's very cool. It's a great project, please use it, it's amazing. You can read there about the ten most common vulnerabilities you see on the web, and for quite some years vulnerability A9 has been in the list: using existing components, libraries, with known vulnerabilities. Here I'm talking about vulnerability management; in this talk it means managing vulnerabilities in your systems. These systems can be the network of your organization or your corporation, it can be some system your developers build in your company, it can be actually anything which contains software and might have vulnerabilities.

So, who here is a developer, or works with developers? Could you give me your hand? Could you tell me what you do to make sure there are no libraries with known vulnerabilities in there? If you do anything, can you tell me what you actually do to avoid such a situation? It's a hard thing, right, because you update the library and everything breaks. Who is paying for that, for fixing it? Nobody. But also just simply getting to know what is broken is hard. We realized this at genua as well, and although there are many tools, they were not created at genua, so we decided to build our own.

We built a very simple tool; I'm explaining it to you now. Basically it's a website. You log in there and you tell it "my system consists of ...", and you just use names: of OpenBSD, which we use; of Squid, maybe; of Microsoft Windows 10. You basically just name it. You don't need to put any source code into it, you just list the components, and then Vulnwatch will show you the list of vulnerabilities relevant to you, the CVEs you have to look at. It's actually really nothing more than that, but it's a simple tool. It's, I guess, understandable and usable, and I'm going to show you right now real quick how it's done.

That's of course a live demo, right, so it never works. But Vulnwatch says hello to me because I'm logged in, and it tells me to create my first project. Basically the project is the description of your system. So let's do it; it tells me to do it with the blue button. I name it somehow, I don't know, let's call it "Microsoft's Network". Okay, somebody didn't like that; let's call it "BMW Network". Basically here is the description of it, and you just have to tell what's there on the network of BMW. Let's say there is a genugate, a product of genua, because I guess they use it. Let's say we have Windows 10. Let's say we use WordPress, just "WordPress", we don't know how many WordPresses. And basically that's it, you just comma-separate what's on there. It's created, and now you can click "view relevant". Now you basically have three pages to look at; these are CVEs which you can just check. Some of them will of course be wrong: something will mention Microsoft Windows 10, although you know it's the wrong version or something. You see many of them do not match you, so you just select them all and you say "let's react on them", and you say "it's okay, it's not a problem, I had a look at it", and now it's green. So that's a very simple way to eliminate false positives, just with the UI, and if you do it often enough you will have just the one screen you need to go through. That's easy; it's not much worse than having nothing for it. And that's basically it, that's my presentation. Now I can talk about details if you want me to.

Hello, thank you. I'm wondering how deeply Vulnwatch resolves dependencies, because for example if we put in Ruby, then it usually uses the C library, it uses OpenSSL, and then it uses ImageMagick, so you have this large network of dependencies. How do you deal with that?

Basically Vulnwatch is a very simple tool; it doesn't go into details. If you put in Ruby, it will bring you all the CVEs which talk about Ruby, that's it. If you want to have all these details, if you want to have ImageMagick, if you want to have more, you can either put them in, or, if you want your codebase to be analyzed, there is a cool OWASP tool called Dependency-Check; maybe that's something better for you. But if you have your network, like BMW's network, you can't put it into some CI/CD; you can describe it in Vulnwatch, though. And by the way, Vulnwatch itself, as we talked about Ruby, is a very simple Ruby on Rails application which you can just take from GitHub; it's MIT licensed and you can just install it on your premises, so it's a good private solution for you. It's secure enough, I mean, as a web application.

And you're part of the OWASP project?

Yeah, that's true. I mean, I'm not an OWASP member, but I'm responsible for the Ruby on Rails security cheat sheet, so it should be secure as well, as good as the web goes. So basically, how many minutes do I have more? I have seven minutes more. Let me show you some more slides. Do you have any questions in the meantime?

Is there a ...

That's a cool feature request. There is no such way right now, but the database already knows the CVSS vectors for the CVEs, and you could basically add it without large hassle. So yeah, we have a feature request here.

Thank you for the presentation. My business case is that, as a security manager supporting different teams, for each of the teams I want to make sure, when they have entered their different software components, that they get regular updates. Is this a feature which is already in Vulnwatch (it's called Vulnwatch, is it German?), is it already a feature, or is it a feature request?

Basically, my intent was to not bother developers, ever. Vulnwatch will update itself, there will be new vulnerabilities shown, but there is intentionally no feature made to bug developers, because they will just filter it into spam and switch it off forever. That's how it works. And there is another cool tool, it's called SAUCS, saucs.com. You can basically type in systems, similar to Vulnwatch, and this one will send the emails to you or to the developers, and this one they will block and bounce, but you will use it. By the way, SAUCS is a great tool, it just works a little bit differently: there you track individual products, so you say "I'm interested in Windows 10" and then you get everything about Windows 10. Here you say "I develop these three systems, these are their subsystems", and then you have the list to look at.

And one issue would probably be to add this recursion, as you mentioned it. So if I'm using some JSON or JavaScript magic libraries, then we know there are these thousand dependencies when you start a new project.

Yeah, so if you have a purely source-code-based project, if your project is not a network but one program, maybe on npm or maybe in Rails, then GitHub has now already an integration of the software, I think it's called Gemnasium, so GitHub will just show you the vulnerabilities. So this is also one of the approaches; I'm not sure how deep they look, but this might be again a little bit better.

It's a different focus area, more like source code control for developers, and there's one more for managing the infrastructure and components. Maybe you can also put software components in here for your software project, if for example tools like GitHub with integrated Gemnasium, or Gemnasium itself, are not clever enough to get your internal dependencies.

Yeah, by the way, there are many more tools which will find problems in your source code and in your systems. This one just searches CVEs non-stop, so this is kind of "how do I not miss the code execution in some very well-known component", so as not to miss very bold problems in your infrastructure, network or software. This is what it is for. Do we have more questions? There are two.

Yeah, that's approximately how it works. So indeed you could have seen that after I created the project I could immediately see the list of vulnerabilities. As there are so many vulnerabilities, you have to do a quick full-text search; that's what I'm doing right now, although there are CPEs and proper version numbers. I'm aware of that; that doesn't quite work, unfortunately, right now. There is a CouchDB together with another regular indexed database in the background, and it does the search; that's what makes it really fast. So you could think "okay, let me just do it with grep myself, I don't need any tools", but this tool will be just much faster than some grep-like implementation. And two more questions.

Right, so what this program does: it takes an archived set of CVEs, Common Vulnerabilities and Exposures, from NIST, and that's what it bases its search on. But there is nothing really strongly hard-coded, so you could potentially add another source. Many people are interested in German sources, but I think these are compilations of these, so I just don't include them right now.

Hi, thanks for presenting the tool. I think it's always great to have tools to ease the stuff that you have to do, because it's not that exciting to fix all these vulnerabilities. Just one remark on Gemnasium: you're correct, that's a cool tool, but they were shut down on May 15 because they have been acquired by GitLab. So if you jump into Gemnasium right now, be aware that it's a short period of time you can use it.

Yeah, so, a very good remark. Basically, if you know what GitLab is, it's like GitHub which you can install on premises, and this includes a very powerful tool called Gemnasium which will show you the problems in your source, if it can find them. So just use GitLab, really good.

Okay, any more questions? Sometimes I have to have a joke. Do you have a joke for us?

A joke, well, let me show the website of my company. So basically this is how German government-grade security looks like. For example, this thing, the high-resistance firewall genugate, this is a very interesting thing which indeed protects many data centers with stuff you don't want to leak. Okay, thank you very much.

Thank you.
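As an added example (my own code, not Vulnwatch's and not anything shown in the talk), here is a small Python model of the workflow the speaker describes: a project is just a list of component names, the tool full-text searches an archive of NVD-style CVE records for those names, and reviewed hits are marked so they drop out of the "view relevant" list. The CVE records are constructed for this example, with placeholder ids and invented descriptions. The optional CPE pattern filter at the end is a hypothetical extension, added to illustrate the version-matching caveat the speaker mentions: plain name search also returns the wrong Windows 10 build and an unrelated product whose name merely contains "squid".

```python
import re
from dataclasses import dataclass, field

# Constructed sample records in the shape of NVD feed entries. The ids are
# placeholders and the descriptions are invented for this example.
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "cvss": 9.8,
     "desc": "Remote code execution in Squid 3.5 when handling ESI responses.",
     "cpe": ["cpe:2.3:a:squid-cache:squid:3.5.27:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0002", "cvss": 7.8,
     "desc": "Privilege escalation in Microsoft Windows 10 1709 kernel driver.",
     "cpe": ["cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0003", "cvss": 8.8,
     "desc": "Microsoft Windows 10 1803 allows remote attackers to bypass authentication.",
     "cpe": ["cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0004", "cvss": 6.1,
     "desc": "Stored XSS in the comment form of WordPress before 4.9.6.",
     "cpe": ["cpe:2.3:a:wordpress:wordpress:4.9.5:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0005", "cvss": 5.3,
     "desc": "Heap overflow in the giant-squid-player media library when decoding MP3 tags.",
     "cpe": ["cpe:2.3:a:example:giant-squid-player:2.0:*:*:*:*:*:*:*"]},
]


def _words(text):
    """Lower-cased alphanumeric tokens, so matching is whole-word and case-insensitive."""
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def record_text(rec):
    """Searchable text: description plus vendor/product/version of each CPE string.
    Underscores become spaces so that 'windows_10' matches the name 'Windows 10'."""
    cpe_parts = " ".join(":".join(c.split(":")[3:6]).replace("_", " ") for c in rec["cpe"])
    return rec["desc"] + " " + cpe_parts


def name_matches(component, rec):
    """Every word of the component name must occur as a whole word in the record."""
    return _words(component) <= _words(record_text(rec))


def cpe_match(pattern, cpe):
    """Hypothetical version-aware filter: compare part, vendor, product and version
    of two CPE 2.3 strings; '*' in the pattern matches any value."""
    p, c = pattern.split(":")[2:6], cpe.split(":")[2:6]
    return len(p) == 4 and len(c) == 4 and all(a == "*" or a == b for a, b in zip(p, c))


@dataclass
class Project:
    name: str
    components: list
    reviewed: set = field(default_factory=set)   # CVE ids already looked at
    cpes: dict = field(default_factory=dict)      # optional component -> CPE 2.3 pattern


def relevant(project, records):
    """The 'view relevant' list: unreviewed hits per component, highest CVSS first."""
    out = {}
    for comp in project.components:
        hits = [r for r in records
                if name_matches(comp, r) and r["id"] not in project.reviewed]
        pattern = project.cpes.get(comp)
        if pattern:  # narrow by CPE only when the project supplied one
            hits = [r for r in hits if any(cpe_match(pattern, c) for c in r["cpe"])]
        out[comp] = [r["id"] for r in sorted(hits, key=lambda r: -r["cvss"])]
    return out


def mark_reviewed(project, ids):
    """Equivalent of selecting hits in the UI and saying 'I had a look at it'."""
    project.reviewed.update(ids)


if __name__ == "__main__":
    proj = Project("BMW Network", ["genugate", "Windows 10", "WordPress", "Squid"])
    print("first view:", relevant(proj, SAMPLE_CVES))
    mark_reviewed(proj, ["CVE-0000-0005", "CVE-0000-0002"])  # false positives
    print("after review:", relevant(proj, SAMPLE_CVES))
    proj.cpes["Windows 10"] = "cpe:2.3:o:microsoft:windows_10:1803"
    print("with CPE filter:", relevant(proj, SAMPLE_CVES))
```

The first listing for "Squid" returns both the real Squid CVE and the unrelated media library, and "Windows 10" returns both builds; that is exactly the noise the speaker's review-and-dismiss step exists for. Supplying a CPE pattern for a component removes the wrong build without any manual review, which is why proper CPE and version support matters once the archive grows to several pages of hits.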