
[Talk Proposal] Common Vulnerabilities and Exposures (CVE) and Vulnerability databases #96

Closed
3 tasks done
Yadnyawalkya opened this issue May 26, 2020 · 4 comments
Labels
talk-proposal New talk of Python Pune meetup

Comments

@Yadnyawalkya

Yadnyawalkya commented May 26, 2020

Title of the talk

Common Vulnerabilities and Exposures (CVE) and Vulnerability databases

Why this talk?

PythonPune has had great talks on security lately. It is good to see people showing interest in this area. We hear catchwords like "vulnerability" and "CVE" all day without knowing what they are all about. This talk is a little effort towards that awareness.

Description

Businesses of all sizes face a growing number of cyber-threats. The security tech stack is out of control, and it is directly proportional to the increasing risk of cyber-attacks and security breaches in the industry. Keeping this stack up to date is a real challenge today. This talk is about the different terms and models the industry uses to keep track of these vulnerabilities.

In other words, this talk will cover things like,

  • What is CVE
  • Vulnerability databases
  • CVE Numbering Authorities (CNA)
  • What you can do if you think you found a security issue
  • Recent security trends

Duration (including Q&A)

30-40 Minutes

Prerequisites

None.

Checklist

The talk/workshop speaker agrees to,

@Yadnyawalkya Yadnyawalkya added the talk-proposal New talk of Python Pune meetup label May 26, 2020
@bhavin192 bhavin192 added the scheduled The scheduled talks label May 29, 2020
@bhavin192
Contributor

This is going to be interesting and new information! Excited for this. This talk has been scheduled https://www.meetup.com/PythonPune/events/270883519/.

@Yadnyawalkya
Author

We got a few interesting questions during the talk.

What are zero days?

"Zero-day" refers to the number of days the maintainer has had to fix a certain vulnerability, and actually there are none. Once a vendor knows about a zero-day vulnerability, they usually create patches or advise workarounds to mitigate the issue. Zero-day vulnerabilities generally get very expensive payouts since the vulnerabilities are unknown. Zerodium, an acquisition platform for premium zero-day exploits, puts it as "We pay BIG bounties, not bug bounties!"; this indicates that such payouts can be huge.

Interesting read -


How to find out whether, let's say, PHP is vulnerable to a flaw before using it?

The easiest way would be to search for components and versions manually on MITRE's CVE list. There are new scanners these days, like Snyk, though these can miss a few things sometimes, so a manual check always works. If you have PHP installed on your machine and you want to see if you are vulnerable to a flaw, you can also run an OpenSCAP scan, which is an open-source tool.


Bug bounties and responsible disclosure

Bug bounty programs

Resources for beginner bug-bounty hunters
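The manual check described in the answer above ("search for the component and version on the CVE list") hides one step that is easy to get wrong: deciding whether the installed version actually falls inside a record's affected range. The following is an added example, not code from the talk, the slides or anyone in this thread. It embeds a small, constructed list of CVE-style records (the IDs of the form CVE-0000-000N and the version ranges are made up for the demo; the "first affected, inclusive" / "first fixed, exclusive" range shape is an assumption modelled loosely on how NVD expresses ranges) and shows a component-wise version comparison next to the naive string comparison that misclassifies 7.4.10 as older than 7.4.9.

```python
"""Check an installed component version against a local, constructed
list of CVE-style records.

Added example; not part of the talk or this thread. Record IDs and
ranges below are made up. The range shape (start inclusive, end
exclusive, None = unbounded) is an assumption for the demo.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_PART = re.compile(r"^(\d*)(.*)$")


@dataclass(frozen=True)
class Record:
    cve_id: str
    product: str
    start_incl: Optional[str]  # first affected version, None = no lower bound
    end_excl: Optional[str]    # first fixed version, None = no upper bound


def parse_version(v: str, width: int = 4) -> Tuple:
    """Turn '7.4.10' into a tuple that compares numerically per component.

    A bare number is a release and sorts after any suffixed pre-release
    with the same number, so 7.4.0RC1 < 7.4.0. Short versions are padded
    so that 7.4 == 7.4.0.
    """
    parts = []
    for piece in v.strip().split("."):
        m = _PART.match(piece)
        num = int(m.group(1)) if m.group(1) else 0
        suffix = m.group(2)
        parts.append((num, 1 if suffix == "" else 0, suffix))
    while len(parts) < width:
        parts.append((0, 1, ""))
    return tuple(parts)


def is_affected(installed: str, rec: Record) -> bool:
    """True if installed lies in [start_incl, end_excl) of the record."""
    v = parse_version(installed)
    if rec.start_incl is not None and v < parse_version(rec.start_incl):
        return False
    if rec.end_excl is not None and v >= parse_version(rec.end_excl):
        return False
    return True


def naive_affected(installed: str, rec: Record) -> bool:
    """The mistake to avoid: plain string comparison of version numbers.

    '7.4.10' < '7.4.9' is True as strings, so a patched 7.4.10 would be
    flagged as vulnerable by this check.
    """
    lo_ok = rec.start_incl is None or installed >= rec.start_incl
    hi_ok = rec.end_excl is None or installed < rec.end_excl
    return lo_ok and hi_ok


def find_affecting(product: str, installed: str, records: List[Record]) -> List[str]:
    """Return the IDs of all records for `product` whose range covers `installed`."""
    return [r.cve_id for r in records
            if r.product == product and is_affected(installed, r)]


# Constructed sample records (fake IDs, fake ranges) standing in for a
# local copy of a vulnerability database.
RECORDS = [
    Record("CVE-0000-0001", "php", "7.4.0", "7.4.9"),    # fixed in 7.4.9
    Record("CVE-0000-0002", "php", "8.0.0", "8.0.3"),    # fixed in 8.0.3
    Record("CVE-0000-0003", "php", None, "7.3.2"),       # everything before 7.3.2
    Record("CVE-0000-0004", "nginx", "1.18.0", "1.19.1"),
]

if __name__ == "__main__":
    for ver in ("7.4.3", "7.4.10", "7.2.0", "7.4.0RC1", "8.0.2"):
        print(f"php {ver:<9} affected by: {find_affecting('php', ver, RECORDS)}")
    print("naive string check flags php 7.4.10 under CVE-0000-0001:",
          naive_affected("7.4.10", RECORDS[0]))
```

The same comparison logic applies whatever the source of the records is; the point is that a version lookup against a CVE list is a range test on properly parsed versions, and a scanner or a hand check that compares version strings lexically will both miss fixes and raise false alarms.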

@bhavin192
Contributor

bhavin192 commented Jun 27, 2020

@Yadnyawalkya Thank you for answering common questions here 😄 Can you also share your slides?

@Yadnyawalkya
Author

@bhavin192 Sure. Here we go https://www.slideshare.net/yadnayawalkyatale/life-of-a-cve.

@bhavin192 bhavin192 added the talk-proposal New talk of Python Pune meetup label Jan 22, 2021