Wallarm starts to highlight CVE to address OWASP Top-10 A6 Vulnerable and Outdated Components

Oct 15, 2021 - 11:13 p.m. | wlrmblog | lab.wallarm.com

Attacks against known vulnerabilities are one of the most common security risks. Have you seen the updated OWASP Top-10? The risk that used to be A09 Using Components with Known Vulnerabilities is now titled A06:2021 - Vulnerable and Outdated Components. This category moved up to #06 from #9 in 2017. We highlighted this in our OWASP Top 10 2021 proposal that we published earlier this year.

We all know: _patch management is hard._ For many reasons: backward compatibility, code refactoring overheads, testing, legacy code. Patches and updates are just hard to apply on time. This is the kind of challenge where WAFs and API Security Platform products can be a perfect solution, with their attack detection capabilities, virtual patches, and proactive vulnerability detection capabilities.

Known attacks vs. unknown attacks

Wallarm introduces a new feature to highlight known attacks:

  1. Attacks against known vulnerabilities and CVEs that are associated with them.
  2. Typical payloads and attack vectors that our team already saw in the wild.

By using the new filters, you can filter out all the known attacks, which drastically decreases the number of events for analysis. You can exclude events that are more likely to be mass scanning and random testing and instead focus on unique events and unusual attacks. It’s also a great way to identify potential false positives, as it’s highly unlikely that the output for the known attacks would contain any of them. Just use this attack query to exclude all the typical/known attacks and get only unusual events:

  • attacks today !known

For example, one of our customers had ~1K attacks for the last 7 days – but only 12 events that did not rely on typical tooling, CVEs or scanning. A huge difference in the amount of data to analyze.

Or consider another use case. Suppose you learn about a new CVE that is relevant to your tech stack. In that case, you can instantly run a search query and check whether there have been any exploitation attempts against your applications.

The new feature is already deployed for the whole customer base. No updates or additional configuration are required.

See it in action

Here are some examples of usage.

Choose between searching all events, known attacks, or unknown attacks

  • All attacks - see all the results
  • Known attacks (CVE) - attacks that are known to target CVEs or have typical payloads
  • Other attacks - attacks that are not known, to keep 0-days and potential false positives

Search attacks by CVE

You can search for the attacks that use some particular CVE:

  • attacks today known CVE-2021-41773

Or, if you like, find all the events that are related to any known CVE by using the known cve keywords:

  • attacks today known cve
    Attack details now include CVE tags on the left side.
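As an added example that is not Wallarm's code, the snippet below evaluates the three query forms quoted above (today !known, known cve, known CVE-...) over a constructed set of events, so you can see how the known/unknown split shrinks the triage queue. The fields known, cves and day on each event are assumptions standing in for the CVE tags the attack details show.

```python
from dataclasses import dataclass
from datetime import date

TODAY = date(2021, 10, 15)  # the post's date, used as "today" in this demo

@dataclass
class Event:
    id: int
    day: date
    known: bool          # matched a known CVE or a typical payload seen in the wild
    cves: tuple = ()     # CVE tags, as shown in the attack details (assumed field)

# Constructed sample: mostly mass scanning for one CVE, plus a few odd events
EVENTS = [
    Event(1, TODAY, True, ("CVE-2021-41773",)),
    Event(2, TODAY, True, ("CVE-2021-41773",)),
    Event(3, TODAY, True),                                  # typical scanner payload, no CVE
    Event(4, TODAY, False),                                 # unusual: worth an analyst's look
    Event(5, date(2021, 10, 14), True, ("CVE-2021-41773",)),  # yesterday, excluded by "today"
    Event(6, TODAY, False),
]

def search(query, events=EVENTS, today=TODAY):
    """Evaluate 'attacks [today] [known|!known] [cve|CVE-YYYY-NNNN]' over events."""
    tokens = query.split()
    if not tokens or tokens[0] != "attacks":
        raise ValueError("query must start with 'attacks'")
    result = list(events)
    for tok in tokens[1:]:
        if tok == "today":
            result = [e for e in result if e.day == today]
        elif tok == "known":
            result = [e for e in result if e.known]
        elif tok == "!known":
            result = [e for e in result if not e.known]
        elif tok.lower() == "cve":             # any event tagged with some CVE
            result = [e for e in result if e.cves]
        elif tok.upper().startswith("CVE-"):   # one specific CVE identifier
            result = [e for e in result if tok.upper() in e.cves]
        else:
            raise ValueError(f"unknown filter: {tok}")
    return result

if __name__ == "__main__":
    for q in ("attacks today", "attacks today known", "attacks today !known",
              "attacks today known cve", "attacks today known CVE-2021-41773"):
        print(f"{q:38} -> events {[e.id for e in search(q)]}")
```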

New CVEs

The Wallarm team has added more than 1500 recent CVEs to the list and keeps updating the database every day. One of the objectives is for the team to analyze every new CVE and introduce filters as soon as public data on the CVE is published. The Wallarm team also works backward, analyzing real attack data to add filters for more known attacks and payloads seen in the wild.

The post Wallarm starts to highlight CVE to address OWASP Top-10 A6 Vulnerable and Outdated Components appeared first on Wallarm.