Vulnerability Intelligence – What, Where and How?
A key part of any risk assessment framework, vulnerability intelligence enables organizations to consider the broader picture when assessing a given vulnerability or set of vulnerabilities. Vulnerability intelligence providers consolidate data from multiple sources, both external and internal, and then offer a contextualized assessment of organizational risk. That context is what turns a raw list of findings into a prioritized mitigation or remediation plan.
Vulnerability intelligence vendors compile vulnerability information from different sources, including public and governmental organizations, software vendors, security professionals or organizations, and individuals. For each vulnerability, providers track disclosure history, severity ratings, exploit availability, patch status and numerous other parameters that help security practitioners assess risk. Some will also apply this knowledge to your organization's own business and technology environment and recommend a course of action.
Where Do You Get Vulnerability Intelligence?
There are numerous vulnerability intelligence providers, each with a slightly different methodology and focus. Some of the most prominent include:
WPScan is a free, non-commercial WordPress vulnerability scanner designed to let security professionals and site owners check the security of a WordPress installation. Written in Ruby, WPScan was first released in 2011 and is today maintained by a dedicated WPScan team and other contributors. Originally funded by BruCON's 5by5 project, the WPScan Vulnerability Database catalogues WordPress core, plugin and theme vulnerabilities and is compiled and maintained by the WPScan team and various other contributors.
As of this writing the database contains 11,634 vulnerabilities, four of them added in the past month, covering 318 WordPress core versions, 1,665 plugins and 287 themes. WPScan records CVE identifiers so that its entries can be cross-referenced with other tools and vulnerability databases; an entry with no CVE has to be tracked by WPScan's own identifier instead.
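The consolidation and cross-referencing described above, merging records from several feeds by CVE identifier and then weighing them against the organization's own environment, is sketched below as an added example. It is not code from the article or from any vendor named on this page. The two feeds, the asset inventory, the CVE numbers and the scoring weights are all constructed for illustration; a real pipeline would replace them with scanner output, a provider's API and an asset database.

```ruby
# Added example, not from the article or any vendor it names: merge findings
# from two constructed feeds by CVE identifier and rank them with internal
# asset context. Every record, CVE number and weight below is made up.

CVE_ID = /\ACVE-\d{4}-\d{4,}\z/

# Normalize a CVE identifier as feeds tend to emit it ("cve-2021-0001 ",
# "CVE-2021-0001") and return nil for anything malformed, so a typo in one
# feed cannot silently create a second, unmatched record.
def normalize_cve(raw)
  id = raw.to_s.strip.upcase
  id.match?(CVE_ID) ? id : nil
end

# Feed A (constructed): a site scanner reporting which plugin on which site
# carries which CVE, as a WordPress scanner would.
SCANNER_FINDINGS = [
  { site: "blog.example.com",     plugin: "contact-form", cve: "cve-2021-0001" },
  { site: "shop.example.com",     plugin: "slider",       cve: "CVE-2020-0002 " },
  { site: "intranet.example.com", plugin: "slider",       cve: "CVE-2020-0002" },
  { site: "shop.example.com",     plugin: "gallery",      cve: "CVE-21-3" }, # malformed, dropped
].freeze

# Feed B (constructed): enrichment keyed by CVE: severity, public exploit,
# whether a fix exists.
ENRICHMENT = [
  { cve: "CVE-2021-0001", cvss: 9.8, exploit_public: true,  fixed: false },
  { cve: "CVE-2020-0002", cvss: 6.1, exploit_public: false, fixed: true },
].freeze

# Internal context (constructed): exposure and business criticality per site.
ASSETS = {
  "blog.example.com"     => { internet_facing: true,  criticality: 1 },
  "shop.example.com"     => { internet_facing: true,  criticality: 3 },
  "intranet.example.com" => { internet_facing: false, criticality: 2 },
}.freeze

def index_by_cve(records)
  records.each_with_object({}) do |rec, idx|
    id = normalize_cve(rec[:cve]) or next
    idx[id] = rec
  end
end

# Join findings with enrichment and asset context, then rank.
# Priority = CVSS, +2 for a public exploit, +2 for internet exposure,
# plus business criticality. The action depends on whether a fix exists.
def prioritize(findings, enrichment, assets)
  by_cve = index_by_cve(enrichment)
  rows = findings.filter_map do |f|
    id = normalize_cve(f[:cve]) or next   # drop malformed identifiers
    enr = by_cve[id]
    asset = assets.fetch(f[:site], { internet_facing: false, criticality: 0 })
    score = enr ? enr[:cvss] : 0.0
    score += 2 if enr && enr[:exploit_public]
    score += 2 if asset[:internet_facing]
    score += asset[:criticality]
    action = if enr.nil? then "investigate"
             elsif enr[:fixed] then "patch"
             else "mitigate"
             end
    { site: f[:site], plugin: f[:plugin], cve: id, score: score.round(1), action: action }
  end
  rows.sort_by { |r| [-r[:score], r[:site]] }
end

if $PROGRAM_NAME == __FILE__
  prioritize(SCANNER_FINDINGS, ENRICHMENT, ASSETS).each do |r|
    puts format("%5.1f  %-22s %-13s %-14s %s", r[:score], r[:site], r[:plugin], r[:cve], r[:action])
  end
end
```

The point of the normalization step is that feeds disagree on case and whitespace, and a malformed identifier is better dropped (and logged) than matched against nothing. The weights are deliberately simple; what matters is that the same CVE ends up ranked differently on an internet-facing shop than on an internal site.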
Vulners is a large, continuously updated security content database, based in Moscow, that aggregates vulnerabilities, exploits, patches and bug bounty reports behind a Google-style search. It draws on more than 70 sources, including CVE records, exploit code, articles and scripts. Every entry carries references, a definition and a severity ranking, together with the full text of any related bulletins.
As of this writing the database contains 1,062,109 bulletins, including 176,403 exploits. Vulners also sells vulnerability assessment subscriptions that deliver daily updates so that security teams can keep up with newly disclosed zero-day vulnerabilities, and its AI-assisted risk scoring engine rates the security impact of most known vulnerabilities.
Rubysec provides security resources specifically and exclusively for the Ruby community. Most notably, Rubysec created and continues to maintain the Ruby Advisory Database, a canonical, community-maintained, plain-text database of security advisories affecting Ruby libraries and virtual machines. Now holding more than a decade of Ruby vulnerability disclosure data, Rubysec was founded with the goal "…to improve the world's security by preventing the use of vulnerable software," according to founders Max Veytsman and Phillip Mendonça-Vieira in a recent announcement.
Dependabot, which opens pull requests to keep dependencies up to date and free of known vulnerabilities, draws on Rubysec's advisory data to identify which dependency versions are affected and which update closes the issue.
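As an added example, not Rubysec's, Dependabot's or any other project's own code, the following checks the gems pinned in a Gemfile.lock against an advisory written in the Ruby Advisory Database's YAML shape, which is the check tools such as bundler-audit perform. In that format patched_versions and unaffected_versions are lists of RubyGems requirement strings, and a pinned version is affected unless it satisfies one of them. The advisory, the gem names, the CVE number and the lockfile below are all constructed.

```ruby
require "yaml"

# Added example, not Rubysec's, Dependabot's or any other project's code:
# audit the gems pinned in a Gemfile.lock against an advisory in the Ruby
# Advisory Database's YAML shape. Advisory, gem names, CVE and lockfile
# are all constructed for illustration.

# A version is affected unless it satisfies some entry in patched_versions
# or unaffected_versions (both are lists of RubyGems requirement strings).
ADVISORY_YAML = <<~YAML
  gem: example-gem
  cve: 2021-99999
  url: https://example.invalid/advisory
  title: Example gem allows path traversal (constructed)
  patched_versions:
    - "~> 1.2.9"
    - ">= 1.3.4"
  unaffected_versions:
    - "< 1.0"
YAML

# Constructed Gemfile.lock. Top-level specs are indented four spaces and
# their own dependencies six, so only four-space lines carry pinned versions.
GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-gem (1.3.1)
        rack (>= 2.0)
      rack (2.2.3)
      other-gem (0.9.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    example-gem
LOCK

# Map gem name => Gem::Version for every pinned top-level spec.
def locked_gems(lockfile)
  lockfile.each_line.filter_map do |line|
    m = line.match(/\A {4}(\S+) \(([^)\s]+)\)\s*\z/)
    m && [m[1], Gem::Version.new(m[2])]
  end.to_h
end

# True when `version` matches neither a patched nor an unaffected range.
def vulnerable?(advisory, version)
  safe = Array(advisory["patched_versions"]) + Array(advisory["unaffected_versions"])
  safe.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Report every advisory whose gem is pinned in the lockfile at an affected version.
def audit(lockfile, advisories)
  gems = locked_gems(lockfile)
  advisories.filter_map do |adv|
    version = gems[adv["gem"]] or next          # gem not in this lockfile
    next unless vulnerable?(adv, version)
    { gem: adv["gem"], version: version.to_s, cve: "CVE-#{adv['cve']}",
      title: adv["title"], patched_versions: Array(adv["patched_versions"]) }
  end
end

if $PROGRAM_NAME == __FILE__
  audit(GEMFILE_LOCK, [YAML.safe_load(ADVISORY_YAML)]).each do |f|
    puts "#{f[:gem]} #{f[:version]}: #{f[:cve]} #{f[:title]} (fixed in #{f[:patched_versions].join(', ')})"
  end
end
```

Two details are worth noting. The version comparison uses Gem::Requirement rather than string comparison, so "1.2.10" is correctly seen as satisfying "~> 1.2.9" while "1.3.1" is not. And the lockfile parser keys on the four-space indentation of top-level specs, which is what keeps a dependency line such as "rack (>= 2.0)" from being mistaken for a pinned version.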
The Zero Day Initiative (ZDI) was created to encourage researchers to report zero-day vulnerabilities privately to the affected software vendors. The reasoning was that most vulnerabilities were being found by attackers intending to put them to malicious use, often for financial gain. ZDI pays legitimate researchers for zero-day vulnerabilities, giving good-faith researchers an incentive to find new flaws in software before attackers do.
ZDI is currently the world's largest vendor-agnostic bug bounty program. It takes a discreet approach to disclosure: technical details of a newly reported vulnerability are not published until the vendor has released a patch. The program draws on a global community of independent researchers while insulating them from the burden of working directly with vendors, leaving them free to find other bugs.
AlienVault's Open Threat Exchange (OTX) is the world's largest open threat intelligence community, enabling collaborative defense with actionable, community-powered threat data. In place of ad hoc, informal threat sharing, OTX lets government agencies and companies gather and share accurate, relevant and timely data about new or ongoing cyber attacks and threats, so that stakeholders can avoid major breaches or at least limit the damage from an attack. Note that OTX is a threat intelligence exchange (indicators such as IP addresses, domains and file hashes, grouped into "pulses") rather than a vulnerability database, so it complements the sources above rather than replacing them.
Providing open access to a global community of researchers and security professionals, OTX has more than 80,000 participants in 140 countries, contributing more than 19 million threat indicators daily. The company also offers a free threat-scanning service that quickly identifies malware and other threats on endpoints.
Knowing where to turn for information that can protect your company is the essence of vulnerability intelligence. With so many threats to the enterprise, and so many sources of quality vulnerability intelligence to choose from, settling on the right ones takes research and time.