VULNERABILITY MANAGEMENT

Vulnerability Management is a critical area in the security industry. As a community, we’ve built tools and created enterprise systems for scanning and classifying vulnerabilities. However, many organizations struggle to reduce risk and prioritize remediation efforts. There are several obstacles to effective vulnerability management, which this paper will identify and provide strategies for overcoming.



COLLABORATIVE TESTING WITH LAIR

One of the big challenges in security testing is coordinating testing efforts and results between consultants, in multiple locations, working on a single test. Some specialized tools like Armitage have enabled teams to collaborate on specific platforms like Metasploit, but there are few tools that allow collaboration that includes multiple tools and platforms. Lair is one attempt to create a platform that normalizes input from several common testing tools and provides a single, real-time interface for gathering vulnerability data, tracking progress and tracking the work of multiple users.



HUNT / BURP SUITE FOR MANUAL TESTING AND METHODOLOGY

Hunt is a new plugin for the Burp Suite proxy and web application testing framework. It was built to accomplish two things. First, it allows the use of customizable checklists and methodologies to help seasoned and junior testers alike ensure that a full application assessment is performed. Second, it passively scans the web application for common inputs and variables that are frequently associated with various vulnerabilities. Hunt is written in Python and uses JSON files for configuration and to store the scan rules as well as the methodologies.



SPECTRE & MELTDOWN

The Spectre & Meltdown processor vulnerabilities have opened the door to a new type of memory vulnerability. Computer processor development has always been a balancing act, trying to get the highest performance while not causing unnecessary risk vectors (within reason). Akin to the information security “CIA” triangle, balancing data Confidentiality, Integrity and Availability, processor architecture development has had to balance performance and data isolation, amongst many other things. Ensuring data cannot be leaked between processes is paramount. Spectre and Meltdown take advantage of specific compromises instituted in hardware generations long past. In this paper I aim to take the technical writeups by two of the original research discovery teams and boil them down, peppered with some newer information on how, and what, we can do going forward.
