added notes on cool talks
parent f6f2c3d69c
commit 81f6103ca8
1 changed files with 23 additions and 0 deletions
@ -31,3 +31,26 @@ I did not see much on Microsoft based scanners, other than the Microsoft booth w
#### CSAF - Common Security Advisory Framework
This is a new standard being discussed around automating security advisories. As I noted [here](https://git.mcdevitt.tech/bpmcdevitt/data_importer/-/blob/main/doc/cna_readme_notes/cnas_with_html_advisories.md) as one example, there are many security advisories from various CNA's that have only an HTML table of their advisory data. They are a victim of the times, and we used to interpret thigns via web browsers. But now we need a way to pass around the security advisory data so our scanners that we are all focusing on building can accurately and reliably consume the data so there is no time gap, and so things are standarized and so we dont have to scrape html. This is happening through OASIS. I want to see if I can maybe sit in on a meeting to see how they go and how close it is to being adopted.
#### Cool talks
Since I walked more than 50 miles that week lol I managed to only go to 2
talks at Blackhat. One of them was a lunch and learn panel with Allan Friedman from CISA
and Ed Bellis, Jerry Gamblin, Michael Roytman from Kenna/Cisco, and Jay Jacobs from Cyentia Institute. The lunch and
learn was great because that was where I heard about CSAF. And it was the first
meal in vegas where I was able to eat purely vegan/vegeterian food. The meal
was delicious and the talk was great!
The second talk that I attended was super interesting. It was by Brian Gorenc
and Dustin Childs from Trend Micro/Zero Day Initiative. They are both super
experts and the talk focused on how security advisories are ommitting data from
the descriptions and just relying on CVSS alone and how thats not that great. I
think I can see it from both perspectives, the vendor not wanting to give the exploiters information and the exploiters that can
quickly write exploit code based on vuln descriptions. Both make sense, I'm not
sure leaving out vuln details in the description though will be that effective
and reducing exploits, hackers gonna hack yo.
They also showed examples of vendor 'dud patches' and poor patches based on
code from PoC. They showed how researcher often resubmits vulnerability (often
the same or slight variation) because they figured out the patch is a dud
pretty easily by reversing the code and seeing basically no differences. [link_to_slides](https://www.blackhat.com/us-22/briefings/schedule/index.html#calculating-risk-in-the-era-of-obscurity-reading-between-the-lines-of-security-advisories-26874)
I am for sure going to rewatch both talks when blackhat posts them online.
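Review bot: the new "Cool talks" section is hard-wrapped into short lines (from "Since I walked more than 50 miles" through "seeing basically no differences."), while the CSAF paragraph just above it is a single long line; pick one style for the file so the markdown source reads consistently. A few spelling fixes while here: "thigns", "standarized", "vegeterian", "ommitting", "thats", "dont", and "CNA's" (should be "CNAs"). The link text "link_to_slides" would be more useful as a descriptive label, e.g. "slides: Calculating Risk in the Era of Obscurity", matching the talk title already visible in the URL.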