(My) BruCON 2015 notes (2)

Here are my quick notes from the BruCON 2015 conference. All the slides can be found here.

cve-search: a free software to collect, search and analyze common vulnerabilities and exposures in software

Some of the goals of the tool:

  • do vulnerability searches off-line, against a local database.
  • fast lookup of vulnerabilities on different criteria.
  • allow localized classification of vulnerabilities; localization geographically or from the business perspective.
  • build new tools based on a local database of software and hardware vulnerabilities.

Some of the components/features of the tool:

  • db_updater.py
    • the goal of the script is to fetch vulnerabilities from different data-sources.
    • the data sources used are: NIST NVD, D2SEC, Microsoft Bulletin, vFeed.
    • the script can easily be extended to fetch other sources.
  • MongoDB
    • is the DB used to store the info.
  • search.py
    • used to search for vulnerabilities in the DB.
  • web interface
    • you can see, search
    • color scheme for vulnerabilities
  • you can use your own tagging system to weight the critical software/vendors in your constituency.
  • you can compute statistics using external tools/languages like R
ex: search.py -p oracle.....| jq -r '.cvss' | Rscript .........
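
The local tagging and statistics ideas above, as an added Python example (not code from the talk or from the cve-search project). It assumes one JSON record per line with a `cvss` field as in the pipeline above; the `id` and `vulnerable_configuration` field names, the `WEIGHTS` table and the sample records are assumptions constructed for illustration. Records without a score or with a non-CPE product name are handled instead of crashing.

```python
import json
from statistics import mean, median

# Constructed sample records (placeholder CVE ids), one JSON object per line.
SAMPLE = """\
{"id": "CVE-0000-0001", "cvss": 7.5, "vulnerable_configuration": ["cpe:/a:oracle:database_server:11.2"]}
{"id": "CVE-0000-0002", "cvss": 5.0, "vulnerable_configuration": ["cpe:2.3:a:oracle:mysql:5.6:*:*:*:*:*:*:*"]}
{"id": "CVE-0000-0003", "cvss": null, "vulnerable_configuration": ["cpe:/o:examplevendor:firmware:1.0"]}
{"id": "CVE-0000-0004", "cvss": 9.3, "vulnerable_configuration": ["not-a-cpe-name"]}
"""

# Hypothetical local tags: how much each vendor matters in your constituency.
WEIGHTS = {"oracle": 1.5, "examplevendor": 2.0}

def vendor_of(cpe):
    """Vendor from a CPE 2.2 URI or a CPE 2.3 formatted string, else None."""
    parts = cpe.split(":")
    if cpe.startswith("cpe:/") and len(parts) >= 3:
        return parts[2]
    if cpe.startswith("cpe:2.3:") and len(parts) >= 4:
        return parts[3]
    return None  # vendor data that does not follow the CPE naming convention

def records(lines):
    """Parse non-empty lines as JSON records."""
    return [json.loads(l) for l in lines if l.strip()]

def rank(lines, weights, default=1.0):
    """Score = cvss * highest matching vendor weight; unscored ids are returned separately."""
    ranked, skipped = [], []
    for rec in records(lines):
        if rec.get("cvss") is None:
            skipped.append(rec["id"])
            continue
        vendors = {vendor_of(c) for c in rec.get("vulnerable_configuration", [])}
        weight = max((weights.get(v, default) for v in vendors if v), default=default)
        ranked.append((rec["id"], round(float(rec["cvss"]) * weight, 2)))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked, skipped

def cvss_stats(lines):
    """Summary statistics over the records that carry a CVSS score."""
    scores = [float(r["cvss"]) for r in records(lines) if r.get("cvss") is not None]
    return {"n": len(scores), "mean": round(mean(scores), 2), "median": median(scores)}

if __name__ == "__main__":
    print(rank(SAMPLE.splitlines(), WEIGHTS))
    print(cvss_stats(SAMPLE.splitlines()))
```
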

Problems that face the application:

  • some vendors do not publish vulnerabilities information in a parsable way.
  • some vendors do not support the CPE naming convention.

Software using cve-search:

  • CVE-Portal
  • CVE-Scan
  • NorthernSec Vulnerability-Management (still under development)

Roadmap and future:

  • add vulnerabilities data sources from software and hardware vendors
  • expand cve-search to include vulnerabilities without CVE assignment.