-
Notifications
You must be signed in to change notification settings - Fork 0
Staying on Top of the Latest Vulnerabilities
While taking a class for the Certified Ethical Hacker exam, I came across the list that EC-Council recommends to follow in order to keep up-to-date on the latest vulnerabilities (posted at the end of this post, after the good links you should be following). Since I’m not the kind of person to just trust everything I read without further vetting, I went straight to the professionals: mentors at Operation Code in the #cybersecurity channel. I asked for reviews about this list, and I was not disappointed with the results. In a fashion I have become accustomed to when asking for reviews to this community, the list was immediately torn apart and a better list created on-the-fly by the community. So, without further ado, here are the best of the best ways:
- https://nvd.nist.gov/
- https://cve.mitre.org/
- https://www.us-cert.gov
- BugTraq
- Full Disclosure
- Slackware Security
- #grokmenot on irc.oftc.net
- https://technet.microsoft.com/en-us/
There was some great commentary on some of the items on this list.
Also subscribe to the security announcement lists for major software packages you use: your OS, outward-facing services, security tools, appliances, and anything that is a particular point of concern.
CVEs are like an after the fact thing it seems as one normally must notify the company first. And, threat intel researchers communicate within their own circles… but newbs don’t get access to those circles.
Watching new CVEs as released is a must, but they are still not the fastest thing and they ignore many vulns simply due to not having enough manpower to confirm. Mitre is very understaffed. I’ve never found anything on NVD that wasn’t already listed elsewhere, but it’s pretty good as a historical database in its own way.
You follow Bugtraq and Full Disclosure because a reliably large volume of early announcements go there. They also get some crap. However, scanning it 2-3x/day when you go through your email isn’t that hard, and you can easily pick out the handful of messages per week you care to read. Chances are, things found by amateurs will show up there first, or things in software that doesn’t have good notification channels of its own will too. These are things you really don’t want to miss because OTHER PEOPLE are likely to miss them and not patch/mitigate in a timely manner, so they’re ripe for exploitation on a “spray and pray” basis.
Slackware, for the set of things actually released in Slackware, is very good for sending clear and sober, easy-to-read security announcements in a much more timely fashion than most of the major distros. Only RHEL really keeps up with them on speed, and they have a huge staff and lots of $$$. Slackware is three volunteers. But, if you are new at reading vuln releases, the ones on the Slackware list are rewritten to be the easiest to read anywhere.
Much thanks to @mikerod_sd, @ohaiwalt, @hedgemage and @technicus on Slack for helping create this good list. I will edit this post with more links if the security pros on Operation Code either post it on slack or comment on this topic.
Here was the original list from EC-Council for staying on top of vulns, mostly for context.
https://technet.microsoft.com/en-us/
http://www.securitymagazine.com/
http://www.securityfocus.com/
https://www.helpnetsecurity.com/
http://www.hackerstorm.co.uk/
https://www.scmagazine.com/
http://www.computerworld.com/
http://www.hackerjournals.com/
http://www.windowsecurity.com/```