[B! vuls][ssvc] ishideoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

ishideo id:ishideo

vulsã¨ssvcã«é–¢ã™ã‚‹ishideoã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (6)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

Vulsã¾ã¤ã‚Š#10 | ã€Œæ®‹æ¥ï¼Ÿæ¥é€±ã§OK?ã€é‡‘æ›œåˆå¾Œã®è„†å¼±æ€§å¯¾å¿œåˆ¤æ–ã«ä½¿ãˆã‚‹SSVCã®ãƒ‡ãƒ¢ | ãƒ‰ã‚¯ã‚»ãƒ«
ishideo 2024/08/27
vulncheck-kev

kev

ssvc

vulnerability

comparison

slide

vuls
ãƒªãƒ³ã‚¯
SSVCã«ãŠã‘ã‚‹ Human Impact æ±ºå®šæ–¹æ³•ä¾‹ | Vuls Blog
æ¦‚è¦SSVC ã§ Deployer Tree ã‚’ä½¿ã†éš›ã«ã€HUMAN IMPACT ã®è¨å®šã«æˆ¸æƒ‘ã†ã“ã¨ãŒå¤šã„ã¨æ€ã„ã¾ã™ã€‚SSVC ã®å®šç¾©ä¸Šã§ã‚‚ã€è¤‡é›‘ãªã®ã§è©³ç´°ãŒé¿ã‘ã‚‰ã‚Œã¦ã„ã‚‹ã‚ˆã†ã«è¦‹ãˆã¾ã™ã€‚ ã¾ãŸã€å®Ÿé‹ç”¨ä¸Šã§ã‚‚ã€Œè„†å¼±æ€§ã²ã¨ã¤ãšã¤ã€HUMAN IMPACT ã‚’å®šç¾©ã™ã‚‹ã“ã¨ã¯é›£ã—ãï¼ˆè„†å¼±æ€§æ¯Žã«å®šç¾©ã‚’ã™ã‚‹ã“ã¨ã«ãªã‚‹ï¼‰ã€ä½•ã‚‰ã‹ã®æ¨™æº–åŒ–ãŒå¿…è¦ã¨ãªã‚Šã¾ã™ã€‚ æœ¬è¨˜äº‹ã§ã¯ã€SSVC ã®å®šç¾©ä¸Šã§ã® HUMAN IMPACT ã«ã¤ã„ã¦ç¢ºèªã—ã€å®Ÿé‹ç”¨ä¸Šã®HUMAN IMPACTã®å®šç¾©ã§åˆ©ç”¨ã§ããã†ãªãƒ•ãƒ¬ãƒ¼ãƒ ãƒ¯ãƒ¼ã‚¯ã‚’ã”ç´¹ä»‹ã—ã¾ã™ã€‚ Exective summaryæœ¬æ¥çš„ã« HumanImpact ã¯ã€Situated Safety Impact ã¨ Mission Impact ã‚’ã‚‚ã¨ã«è€ƒãˆã‚‹ã®ãŒè‰¯ã„ã¨æ€ã‚ã‚Œã¦ã„ã¾ã™ã€‚ ã—ã‹ã—ãªãŒã‚‰ç¾æ™‚ç‚¹ã® SSVC ã®è€ƒãˆæ–¹ã§ã¯ã€å®Ÿè£…ã®ç°¡ç´ åŒ–ã®ãŸã‚ã€Mission Impact
ishideo 2024/08/27
ssvc

human-impact

decision-tree

vulnerability

threat

triage

priority

vuls
ãƒªãƒ³ã‚¯
Vulsã¾ã¤ã‚Š#10 | ã€Œæ®‹æ¥ï¼Ÿæ¥é€±ã§OK?ã€é‡‘æ›œåˆå¾Œã®è„†å¼±æ€§å¯¾å¿œåˆ¤æ–ã«ä½¿ãˆã‚‹SSVCã®ãƒ‡ãƒ¢ | Vuls Blog
2024å¹´8æœˆ20æ—¥ã«é–‹å‚¬ã•ã‚ŒãŸã€ŒVulsç¥ã‚Š#10 | è„†å¼±æ€§ç®¡ç†ã®æœ€å‰ç·šã€œãƒªã‚¹ã‚¯è©•ä¾¡ã‹ã‚‰SSVCã€VEXã€AIã¾ã§ã€œã€ã®ã‚»ãƒƒã‚·ãƒ§ãƒ³ã€Œã€Œæ®‹æ¥ï¼Ÿ æ¥é€±ã§OK?ã€é‡‘æ›œåˆå¾Œã®è„†å¼±æ€§å¯¾å¿œåˆ¤æ–ã«ä½¿ãˆã‚‹SSVCã®ãƒ‡ãƒ¢ ã€ã®è¦ç‚¹ã‚’æ›¸ãèµ·ã“ãŸè¨˜äº‹ã§ã™ã€‚ YouTubeã‚¢ãƒ¼ã‚«ã‚¤ãƒ–ã¯ã“ã¡ã‚‰ã§ã™ã€‚ ä¼šå ´ã¸ã®è³ªå• å…ˆæ—¥IPAã®ä¸æ ¸äººæè‚²æˆãƒ—ãƒã‚°ãƒ©ãƒ å’æ¥ãƒ—ãƒã‚¸ã‚§ã‚¯ãƒˆã‹ã‚‰ã€ã€Œè„†å¼±æ€§å¯¾å¿œã«ãŠã‘ã‚‹ãƒªã‚¹ã‚¯è©•ä¾¡æ‰‹æ³•ã®ã¾ã¨ã‚ã€ã¨ã„ã†è³‡æ–™ãŒå…¬é–‹ã•ã‚Œã¾ã—ãŸã€‚ã“ã®è³‡æ–™ã¯æœ¬æ—¥ç´¹ä»‹ã™ã‚‹SSVCã‚„EPSS, KEVãªã©ãŒæ—¥æœ¬èªžã§ã‚ã‹ã‚Šã‚„ã™ãèª¬æ˜Žã•ã‚Œã¦ãŠã‚Šã€ã¾ãŸãƒˆãƒªã‚¢ãƒ¼ã‚¸ã«ã¤ã„ã¦ã„ãã¤ã‹ã®æ–¹æ³•ãŒè¨˜è¼‰ã•ã‚Œã¦ã„ã‚‹ã®ã§ä¸€èªã‚’ãŠã™ã™ã‚ã—ã¾ã™ãŒã€ã“ã®ä¸ã§ã“ã®å›³ã®é€šã‚Š60ç¤¾ã¸ã®ä¼æ¥ã«ã‚¢ãƒ³ã‚±ãƒ¼ãƒˆã‚’å–ã£ã¦ã„ã¾ã™ã€‚ æ„å¤–ã«ãŠã‚‚ã£ãŸã®ãŒã€CVSSã®ç’°å¢ƒè©•ä¾¡åŸºæº–ã‚’60ç¤¾ä¸15ç¤¾ã‚‚ä½¿ã£ã¦ã„ã‚‹ç‚¹ã§ã™ã€‚ç§ã¯2016å¹´ã«Vulsã‚’é–‹ç™ºã—ã¦ä»¥é™è„†å¼±æ€§ç®¡ç†ã‚’ãƒ†ãƒ¼ãƒžã«æ´»å‹•
ishideo 2024/08/27
vuls

ssvc

cvss

epss

comparison

vulnerability

threat

kev

youtube
ãƒªãƒ³ã‚¯
SSVC DeepDive | ã€Œã‚¸ãƒ§ãƒ¼ã‚·ã‚¹ãƒˆãƒ¼ãƒ¼ã‚¯ è„†å¼±æ€§ç¥ã‚Šï½žè„†å¼±æ€§ã®å…¨ä½“åƒã¨ä»˜ãåˆã„æ–¹ï½žã€ | Vuls Blog
2024å¹´7æœˆ8æ—¥ã«é–‹å‚¬ã•ã‚ŒãŸã€Œã‚¸ãƒ§ãƒ¼ã‚·ã‚¹ãƒˆãƒ¼ãƒ¼ã‚¯ è„†å¼±æ€§ç¥ã‚Šï½žè„†å¼±æ€§ã®å…¨ä½“åƒã¨ä»˜ãåˆã„æ–¹ï½žã€ã®ã‚»ãƒƒã‚·ãƒ§ãƒ³ã€ŒSSVC DeepDiveã€ã®å†…å®¹ã§ã™ã€‚ ãƒ‘ãƒƒãƒã®é©ç”¨é †åºã¯ã€CVSSã®é«˜ã„è„†å¼±æ€§ã‹ã‚‰ã€‚ã“ã‚Œã§ã¯å®Ÿéš›ã®é‹ç”¨ã¯å›žã›ã¾ã›ã‚“ã€‚SSVCã¯ã€æ”»æ’ƒè€…ç›®ç·šã‚’å–ã‚Šå…¥ã‚ŒãŸè„†å¼±æ€§è©•ä¾¡ãƒ•ãƒ¬ãƒ¼ãƒ ãƒ¯ãƒ¼ã‚¯ã§ã€ç±³å›½æ”¿åºœã§ã‚‚æŽ¡ç”¨ã•ã‚Œã¦ã„ã¾ã™ã€‚æœ¬ã‚»ãƒƒã‚·ãƒ§ãƒ³ã§ã¯ã€SSVCã‚’æ´»ç”¨ã™ã‚‹ã“ã¨ã§ã€ã©ã®ã‚ˆã†ã«è„†å¼±æ€§ç®¡ç†ãŒæ”¹å–„ã•ã‚Œã‚‹ã®ã‹ã‚’å¾¹åº•è§£èª¬ã—ã¾ã™ã€‚CVSSã ã‘ã§ã¯ä¸ååˆ†ãªæ–¹ã«å¿…è¦‹ã®å†…å®¹ã§ã™ã€‚ Xã§ã®ã‚¸ãƒ§ãƒ¼ã‚·ã‚¹ãªèª°ã‹ã®ã¤ã¶ã‚„ãï¼ˆæŠœç²‹ï¼‰ãƒ©ãƒ³ã‚µãƒ ã‚¦ã‚§ã‚¢ã®ãƒ‹ãƒ¥ãƒ¼ã‚¹ã§é¨’ãŒã‚Œã¦ã„ã‚‹ä¸ã€Xï¼ˆæ—§Twitterï¼‰ã«ã¦ã“ã‚“ãªç™ºè¨€ã‚’ç›®ã«ã—ã¾ã—ãŸã€‚ä»Šå›žå‚åŠ ã•ã‚Œã¦ã„ã‚‹ã‚¸ãƒ§ãƒ¼ã‚·ã‚¹ã®çš†ã•ã‚“ã‚‚ãŠå†…æƒ…ãªæ‚©ã¿ã‚’æŠ±ãˆã¦ã„ã‚‹ã¨æ€ã„ã”ç´¹ä»‹ã—ã¾ã™ã€‚ Xã§ã®ã‚¸ãƒ§ãƒ¼ã‚·ã‚¹ãªèª°ã‹ã®ã¤ã¶ã‚„ãã¾ã¨ã‚ã‚‹ã¨ã€ã“ã‚“ãªå†…å®¹ã«ãªã‚‹ã¨æ€ã„ã¾ã™ã€‚ ï¼ˆä¼šå ´ã®æƒ…ã‚·ã‚¹ã®æ–¹ã€é ·ãæ–¹å¤šæ•°ï¼‰ å…¬é–‹ã•ã‚Œã‚‹
ishideo 2024/07/22
vuls

vulnerability

ssvc

cvss

vulerability

threat

decision-makiing

priority
ãƒªãƒ³ã‚¯
CVE_Prioritizerã¨SploitScanã§è€ƒãˆã‚‹ã€KEV Catalog/EPSS/CVSS/SSVC | Vuls Blog
CVE_Prioritizerã¨SploitScanã§è€ƒãˆã‚‹ã€KEV Catalog/EPSS/CVSS/SSVC æ¦‚è¦EPSSã‚„KEV Catalogã‚’æœ‰ç”¨ã«ä½¿ã†ãƒ—ãƒã‚¸ã‚§ã‚¯ãƒˆãŒæœ€è¿‘å‡ºã¦ãã¾ã—ãŸã€‚ ã“ã‚Œã‚‰ã«ã¤ã„ã¦å†…å®¹ã‚’ç¢ºèªã—ã€ã©ã®ã‚ˆã†ã«ä½¿ãˆã‚‹ã‹ã€åŒæ§˜ãªSSVCã¨ã©ã†é•ã†ã‹ã‚’è¦‹ã¦ã„ãã¾ã™ã€‚ CVE_Prioritizer https://github.com/TURROKS/CVE_Prioritizer SploitScan https://github.com/xaitax/SploitScan Exective Summary EPSS, KEVã®ãƒ‡ãƒ¼ã‚¿ç‰¹æ€§ã‚’è€ƒãˆã‚‹å¿…è¦ãŒã‚ã‚‹ EPSSã¯æ©Ÿä¼šã®ã¿ã€KEVã¯æ©Ÿä¼šã¨è„†å¼±æ€§ã‚’ç¤ºã™ å½“è©²ãƒ—ãƒã‚¸ã‚§ã‚¯ãƒˆã¯ä½¿ã„ã‚„ã™ãã€CVSSã®ã¿ã§åˆ¤æ–ã—ã¦ã„ã‚‹çµ„ç¹”ã¯ã€CVE_Prioritizerã‚’ã¾ãšã¯ä½¿ã£ã¦ã¿ã‚‹ã®ãŒè‰¯ã„ã‹ã‚‚ã—ã‚Œãªã„ å½“è©²ãƒ—ãƒã‚¸ã‚§ã‚¯ãƒˆã¯ ã‚·ã‚¹ãƒ†ãƒ å›º
ishideo 2024/03/01
cve_prioritizer

sploitscan

kev

vulnerability

epss

cvss

ssvc

vuls
ãƒªãƒ³ã‚¯
è„†å¼±æ€§å¯¾å¿œã«æœ‰ç”¨ãªSSVCã¨ã€é©ç”¨ã«ã¤ã„ã¦ | Vuls Blog
ã“ã‚“ã«ã¡ã¯ã€‚äº•ä¸Šã§ã™ã€‚ FutureVulsã¯ã€Œæ—¥ã€…æ›´æ–°ã•ã‚Œã‚‹è„†å¼±æ€§æƒ…å ±ã‚’è£œè¶³ã—ã€ã‚ˆã‚ŠåŠ¹æžœçš„ãªé‹ç”¨ãƒ»ç®¡ç†ã‚’ã‚µãƒãƒ¼ãƒˆã™ã‚‹ã€ã‚µãƒ¼ãƒ“ã‚¹ã§ã™ãŒã€‚ 2022/9/13ãƒªãƒªãƒ¼ã‚¹ã«ã¦é‹ç”¨éƒ¨åˆ†ã§æœ‰ç”¨ãªSSVC(Stakeholder-Specific Vulnerability Categorization)ã‚’ã‚µãƒãƒ¼ãƒˆã—ã¾ã—ãŸã€‚ æœ¬ç¨¿ã§ã¯ã€è„†å¼±æ€§å¯¾å¿œã®ç¾çŠ¶ã‹ã‚‰SSVCã®èª¬æ˜Žã€SSVCã®é©ç”¨ä¾‹ã‚’èª¬æ˜Žã—ã¾ã™ã€‚ ç›®æ¬¡ è„†å¼±æ€§å¯¾å¿œã®ç¾çŠ¶ å•é¡Œç‚¹ ã©ã†ã—ãŸã‚‰ã‚ˆã„ã®ã‹ SSVCã¨ã¯ æ¦‚è¦ ã©ã®ã‚ˆã†ãªåˆ©ç‚¹ãŒã‚ã‚‹ã®ã‹ SSVCã‚’é©ç”¨ã™ã‚‹ å¾“æ¥ã®åˆ¤æ– SSVCã§ã®åˆ¤æ– ã¾ã¨ã‚ è„†å¼±æ€§å¯¾å¿œã®ç¾çŠ¶è„†å¼±æ€§ã‚’æ¤œçŸ¥ã—ãŸå¾Œã«ã©ã®ã‚ˆã†ã«åˆ¤æ–/å¯¾å¿œã™ã‚‹ã®ã‹ã€ã¯æ‚©ã¿ã©ã“ã‚ã®å¤šã„å•é¡Œã§ã™ã€‚ ä¸€èˆ¬çš„ã«ã¯ä»¥ä¸‹ã‚’è€ƒæ…®ã—ã¦å¯¾å¿œã‚’æ¤œè¨Žã—ã¦ã„ã¾ã™ã€‚ è„†å¼±æ€§è‡ªä½“ã®å±é™ºåº¦ è‡ªã‚·ã‚¹ãƒ†ãƒ ã¸ã®å½±éŸ¿åº¦ å¯¾ç–é›£æ˜“åº¦ æœªå¯¾ç–ã§ã®ãƒªã‚¹ã‚¯ ãã®ç‚ºã€ä¸Šè¨˜ã‚’åˆ¤æ–ã™ã‚‹åŸºæº–ã‚’çµ„ç¹”ã§
ishideo 2023/09/18
vuls

ssvc

vulnerability

sbom

triage

cvss

poc

expolit
ãƒªãƒ³ã‚¯
1