Advice Request Vulnerability Management

  • Thread starter ForgottenSeer 65219



ForgottenSeer 65219

Thread author
As you know, one of the critical areas of security is vulnerability management.
I'm looking for the best software or service here.
And the most important factor is the largest database that covers all my software.
I have some tools in mind, including:
SUMo (Software Update Monitor)
Secunia PSI (I guess it's discontinued)
File Hippo App Manager
Heimdal Pro
Software Informer (I haven't tried this one yet)

Any new software or a new way to handle this issue is welcome here.
Thanks
 

codswollip

Level 23
Content Creator
Well-known
Jan 29, 2017
1,201
I primarily use SUMo... but before I do that I run File Hippo App Manager out of convenience.

I also get update alerts from Kaspersky Total Security which will run the installation after I allow. But SUMo is my "go to" tool.
 

gorblimey

Level 2
Verified
Aug 30, 2017
99
one of the critical areas of security is vulnerability management.

Absolutely.

I'm looking for best software or service here.

Errrrrr, so soon? What risk analysis have you done?

Here's an example. It's legacy I know, but... There was a time when M$ Word and M$ Excel gave you the option--they even told you how to do it--in the app settings, to disallow macros. Then, one sunny day in Redmond, M$ decided you didn't need this safety setting. In an update, they totally removed it from Excel, and transferred it to a Command Line String in Word. M$ reasoning? "Macros are there for a reason. You don't need to disable them." And M$ also removed all reference to macro disablement from the Help files.

(BTW, FWIW, Lotus apps have always had app settings to disallow macros, and they tell you how to do it in the Help files. It's just a shame that Lotus SmartSuite is now abandonware, nearly 20 years old and still better than Microsoft Office--IMHO.)

So armed with this knowledge, the next question should be "What productivity benefit comes from an upgrade?" And if the answer is "Just the nice shiny Ribbon for my tools!" then and only then should you ask "Is the new product more secure against hijacking?"

Let's consider Chromium. Google claims it is the "most secure browser ever". OTOH, do you really trust Google? Before you answer, remember that Gmail's proud motto is "All your email are belong to us!" Now Mozilla--itself deeply suspect for many reasons--at least lets you lift the hood (as did the old Presto engine) and tweak lots of settings. One interesting setting of great importance these days is the ability to securely renegotiate an encryption protocol. And many so-called secure websites (Apple, I'm looking hard at you here) have this disabled. There are two Mozilla config settings aimed straight at this:

security.ssl.require_safe_negotiation;true (user set)
security.ssl.treat_unsafe_negotiation_as_broken;true (user set)


They produce this in a Mozilla browser if you set the above configs:

Secure Connection Failed

An error occurred during a connection to www apple com.

Peer attempted old style (potentially vulnerable) handshake.

(Error code: ssl_error_unsafe_negotiation)

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.

Please contact the website owners to inform them of this problem.


If you leave the configs as false, you have just given threat actors access to your traffic. Mmmmm, M$ also doesn't expose these, but in their view you're not clever enough to understand them.

Updates... Windows updates anyone? Be careful. More than one windows update has borked some systems. Linux--you know, the "secure" OS? Just go to Linux Linux Kernel : List of security vulnerabilities and count over 500 with CVSS scores 7-7.99. Apple? Apple : Products and vulnerabilities

Really?

My advice is very simply "Update any app ONLY when performance is an issue, OR the publisher has fixed a specific and dangerous security leak." Most of my production software is legacy, W98. All the rest has been upgraded for production and maintenance reasons. For example, this was drafted in TED Notepad (TED Notepad - free notepad replacement) because M$ Notepad sucks in every possible way.

And all the above applies equally to OS updates and patches. Do your homework before you allow such things in. Install them using the criteria above. At the very least, create a System Image before you install them, so that you may be able to roll back.

Vulnerability scanners are no different from System Cleaners: they do nothing you can't, and they do it with less care. Put it this way: will any vulnerability scanner tell you you have UPnP working? That you have an exposed port (1900 UDP and 5000 TCP) soliciting traffic like you're in a red light district?

If it ain't broke, DON'T FIX IT!!!!!!!!!!!!!!!
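A local check for the UPnP point gorblimey raises (an SSDP responder on 1900/UDP advertising a description URL on a TCP port such as 5000), added here as an example and not taken from any tool named in this thread. It sends a standard SSDP M-SEARCH to the multicast group and lists whatever answers, which is how an administrator confirms whether UPnP is actually switched on in their own network segment. The `SAMPLE_RESPONSE` below is a constructed reply used only to demonstrate the parser; the device names and UUID in it are placeholders.

```python
"""List UPnP (SSDP) responders on the local network segment.

Added example for this thread, not the code of SUMo, Secunia PSI or any other
product mentioned here. SSDP discovery is UDP multicast to 239.255.255.250:1900;
each responder returns an HTTP-style message whose LOCATION header points at
the TCP description URL (often on port 5000 for router firmware).
"""
import socket
from typing import Dict, List

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900

# Constructed sample reply (placeholder server string and UUID), used to
# demonstrate the parser without touching the network.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://192.168.1.1:5000/rootDesc.xml\r\n"
    b"SERVER: ExampleRouter/1.0 UPnP/1.1 ExampleUPnPd/1.0\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"\r\n"
)


def build_msearch(mx: int = 2, search_target: str = "ssdp:all") -> bytes:
    """Build an SSDP M-SEARCH request as defined by the UPnP Device Architecture."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",            # seconds a responder may wait before replying
        f"ST: {search_target}",  # ssdp:all asks every device to answer
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Parse a 200 OK SSDP reply into a dict keyed by lower-cased header name.

    Anything that is not an HTTP/1.1 200 response yields an empty dict so the
    caller can ignore stray datagrams on the socket.
    """
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def discover_upnp(timeout: float = 3.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH and collect every responder until the timeout expires."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found: List[Dict[str, str]] = []
    try:
        sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        while True:
            try:
                data, addr = sock.recvfrom(65535)
            except socket.timeout:
                break
            headers = parse_ssdp_response(data)
            if headers:
                headers["responder"] = addr[0]
                found.append(headers)
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    # Offline demonstration on the constructed reply, then a real probe.
    sample = parse_ssdp_response(SAMPLE_RESPONSE)
    print(f"sample: ST={sample['st']} LOCATION={sample['location']}")
    responders = discover_upnp()
    if not responders:
        print("No UPnP responders answered on this network segment.")
    for h in responders:
        print(f"{h['responder']}: ST={h.get('st')} LOCATION={h.get('location')} "
              f"SERVER={h.get('server')}")
```

If the probe prints a LOCATION line for your gateway, UPnP is enabled there and the description URL's host and port tell you where it is listening; whether to leave it on is then a deliberate decision rather than something a generic update monitor would have surfaced.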
 

ForgottenSeer 65219

Thread author
(quoting gorblimey's reply above)

First, thank you for all the time you took to write this great comment.
You mention "If it ain't broke, DON'T FIX IT". That's true, but I don't have that much time to check each software's release notes; I understand your point, though.
Briefly, the whole goal of this question is automation.
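What the automation the thread author is after boils down to, as an added example rather than the code of SUMo, Secunia PSI, File Hippo App Manager or any other product named here: collect an inventory of installed software, normalise the product names, and compare installed versions against a feed of advisories with their fixed-in versions. The inventory and the advisory feed below are constructed sample data with placeholder advisory IDs. The example also shows the two places where such tools differ in practice: products absent from the feed (the "largest database" concern) are reported as unknown rather than silently passed, and version numbers are compared numerically per component, since plain string comparison ranks 1.2.9 above 1.2.10.

```python
"""Match an installed-software inventory against an advisory feed.

Added example for this thread; not taken from any update monitor or
vulnerability scanner mentioned in it. All data below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory, as a software-update monitor would collect it.
INSTALLED: Dict[str, str] = {
    "Example Media Player": "1.2.9",
    "Example  PDF Reader": "11.0.3",   # double space on purpose: tests name normalisation
    "Example Archiver": "19.00",
    "Example Text Editor": "6.1",
}

# Constructed advisory feed with placeholder IDs; 'fixed_in' is the first
# version in which the publisher fixed the issue.
ADVISORIES: List[dict] = [
    {"product": "example media player", "id": "ADV-PLACEHOLDER-001", "fixed_in": "1.2.10"},
    {"product": "example pdf reader", "id": "ADV-PLACEHOLDER-002", "fixed_in": "11.0.3"},
    {"product": "example archiver", "id": "ADV-PLACEHOLDER-003", "fixed_in": "18.06"},
    {"product": "example browser", "id": "ADV-PLACEHOLDER-004", "fixed_in": "100.0"},
]


def normalise_name(name: str) -> str:
    """Lower-case and collapse whitespace so feed and inventory names line up."""
    return re.sub(r"\s+", " ", name.strip().lower())


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so each component compares numerically.

    Trailing zeros are dropped so '19.00', '19.0' and '19' compare equal.
    Pre-release tags such as 'beta' are ignored (a known simplification).
    """
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the version that fixed the issue."""
    return version_key(installed) < version_key(fixed_in)


def match_inventory(installed: Dict[str, str], advisories: List[dict]) -> Dict[str, List[dict]]:
    """Classify every installed product as vulnerable, current or unknown to the feed."""
    by_product: Dict[str, List[dict]] = {}
    for adv in advisories:
        by_product.setdefault(normalise_name(adv["product"]), []).append(adv)

    report: Dict[str, List[dict]] = {"vulnerable": [], "current": [], "unknown": []}
    for name, version in installed.items():
        advs = by_product.get(normalise_name(name))
        if advs is None:
            # Coverage gap: the feed knows nothing about this product, which is
            # exactly what a tool must report instead of implying it is safe.
            report["unknown"].append({"product": name, "version": version})
            continue
        open_advs = [a for a in advs if is_vulnerable(version, a["fixed_in"])]
        if open_advs:
            report["vulnerable"].append({
                "product": name,
                "version": version,
                "advisories": [a["id"] for a in open_advs],
                # The highest fixed-in version closes every open advisory at once.
                "update_to": max((a["fixed_in"] for a in open_advs), key=version_key),
            })
        else:
            report["current"].append({"product": name, "version": version})
    return report


if __name__ == "__main__":
    result = match_inventory(INSTALLED, ADVISORIES)
    for status in ("vulnerable", "current", "unknown"):
        for entry in result[status]:
            extra = f" -> update to {entry['update_to']} ({', '.join(entry['advisories'])})" \
                if status == "vulnerable" else ""
            print(f"{status:10} {entry['product']} {entry['version']}{extra}")
```

Run against the sample data, the media player is flagged (1.2.9 is older than the 1.2.10 fix), the PDF reader and archiver are current, and the text editor lands in "unknown" because the feed does not cover it; that last bucket is the one to watch when judging how complete a vendor's database really is.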
 