
Vulnerability Management and more

Channel address: @avleonovcom
Categories: Technologies , Blogs
Language: English
Subscribers: 1.79K
Description from channel

Vulnerability assessment, IT compliance management, security automation and other beautiful stuff. Discussion group for this channel: @avleonovchat. PM me @leonov_av

Ratings & Reviews

Rating: 2.00 (2 reviews): one 3-star review, one 1-star review.

Latest messages

2022-05-24 00:15:46 Hello everyone! In this episode, I want to talk about the latest updates to my open source vulnerability prioritization project Vulristics.

Video:


Video2 (for Russia): https://vk.com/video-149273431_456239088
Blogpost: https://avleonov.com/2022/05/23/vulristics-may-2022-update-cvss-redefinitions-and-bulk-adding-microsoft-products-from-ms-cve-data/
345 views, 21:15
2022-05-20 00:40:06 Video of my PHDays talk
In Russian:


In English (simultaneous translation):


Keep in mind that this translation is not very accurate; I'm going to make a new video in English for @VMconf. So maybe it's better to wait for a new video.

#phdays11
314 views, 21:40
2022-05-20 00:01:01
Independence Era is our choice!
#phdays11
305 views, edited, 21:01
2022-05-16 20:35:52 upd. Video of the stream:



Tomorrow at 11:00 am (MSK) I will be participating in a two-hour online Vulnerability Management conference hosted by AM Live. I invite all Russian-speaking followers to watch.
244 views, edited, 17:35
2022-05-11 15:08:32
I'm going to participate in #PHDays11 next week. The New Reality of Information Security and Vulnerability Management.
301 views, 12:08
2022-05-11 00:52:30 Hello everyone! This video was recorded for the VMconf 22 Vulnerability Management conference, @VMconf #VMConf22. I will be talking about malicious open source and the cost of using someone else’s code. To be honest, at the beginning of the year I did not plan to talk about these things. But life changes rapidly and unpredictably, so it becomes impossible not to talk about this.

Video:


Video2 (for Russia): https://vk.com/video-149273431_456239086
Video in Russian (CISO Forum 2022):


Blogpost: https://avleonov.com/2022/05/11/malicious-open-source-the-cost-of-using-someone-elses-code/
392 views, edited, 21:52
2022-04-23 12:34:21 Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2022 and new improvements in my Vulristics project. I decided to add more comment sources, because it's not just Tenable, Qualys, Rapid7 and ZDI that make Microsoft Patch Tuesday reviews, but also other security companies and bloggers.

You can see them in my automated security news telegram channel @avleonovnews after every second Tuesday of the month. So, now you can add any links with CVE comments to Vulristics.

PS: Tenable closed access to their tenable(.)com. This is rather ironic considering that Russian Tenable Security Day took place on February 10, 2022, just two months ago. I participated in it. It was a formal event with Tenable's EMEA CTO and Regional Manager. And now we are not talking about any support, updates and licenses for Russian companies and individuals, but even about access to the Tenable website. This is how the situation can change rapidly, if you trust Western vendors. Try not to do this. But in any case, you can still use the Tenable blog as a source of comments about Patch Tuesday vulnerabilities. I have added SOCKS proxy support to Vulristics.

Video:


Video2 (for Russia): https://vk.com/video-149273431_456239085
Blogpost: https://avleonov.com/2022/04/23/microsoft-patch-tuesday-april-2022-and-custom-cve-comments-sources-in-vulristics/
Full report: https://avleonov.com/vulristics_reports/ms_patch_tuesday_april2022_report_with_comments_ext_img.html
226 views, edited, 09:34
2022-04-17 02:12:32 Hello everyone! After a two-year break, I took part in Moscow CISO Forum 2022. CISO Forum is the first major Russian conference since the beginning of The New Reality of Information Security (#TNRoIS). My presentation was just on this topic. How malicious commits in open source projects change development and operations processes. I will make a separate video about this. In this episode, I would like to tell you a little about the conference itself.

Video:


Video2 (for Russia): https://vk.com/video-149273431_456239084
Blogpost: https://avleonov.com/2022/04/17/ciso-forum-2022-the-first-major-russian-security-conference-in-the-new-reality/

#CISOForum #CISOForum2022
64 views, edited, 23:12
2022-04-07 22:25:00 Hello everyone! After a two-year break, I'm going to give a short talk "Malicious Open Source: the cost of using someone else's code" at the Moscow CISO Forum next Tuesday. It will be about the node-ipc issue and so-called protestware (although I think "poisoning the well" is a much better allegory for such behavior). Do you know of any good examples that I should mention?
381 views, edited, 19:25
2022-04-04 19:59:40 Hello everyone! In this episode, let's take a look at the latest vulnerabilities in GitLab. On March 31, the Critical Security Release for GitLab Community Edition (CE) and Enterprise Edition (EE) was released. GitLab recommends that all installations running a version affected by the issues described in the bulletin be upgraded to the latest version as soon as possible.

Unfortunately, GitLab, as well as some other Western companies, is currently hostile to the country where I live and work. So their calls to immediately install updates now have additional connotations. If GitLab is so clearly politically motivated that even the logo on their site has been recolored in a certain way, then what else can be expected from their updates? Backdoors? Malicious functionality that wipes data? Quite possible. IMHO, when companies are so willing to mix geopolitical messages and business, it exposes them as unreliable vendors that should be avoided.

But let’s get back to vulnerabilities. There are 17 CVEs in the bulletin. We will start with the most critical one.

Video:


Video2 (for Russia): https://vk.com/video-149273431_456239079
Blogpost: https://avleonov.com/2022/04/04/gitlab-omniauth-static-passwords-and-stored-xss/

#GitLab #OmniAuth
705 views, 16:59