Welcome to VMconf!

An international ongoing event dedicated to Vulnerability Management. The initial plan to host the one-day online event has been revised. Read the details here.

  • From the community (in a very broad sense) and for the community
  • For interesting content and building horizontal connections between people, not for marketing of the vendors

Responsive image


1. Blindspots in the Knowledge Bases of Vulnerability Scanners
by Alexander Leonov

Potential customers rarely worry about the completeness of the Knowledge Base when choosing a Vulnerability Scanner. They usually trust the VM vendors' claims of the "largest vulnerability base" and the total number of detection plugins. But in fact the completeness is very important. All high-level vulnerability prioritization features are meaningless unless the vulnerability has been reliably detected. In this presentation, I will show the examples of blindspots in the knowledge bases of vulnerability management products, try to describe the causes and what we (as customers and the community) can do about it.

Full report

Vulnerability Knowledge Bases Vulnerability Detection

2. Malicious Open Source: the cost of using someone else’s code
by Alexander Leonov

We must start with the fact that this year is fundamentally different. We now live in The New Reality of Information Security (TNRoIS). It has become quite clear that Open Source tools and code can harm your organization, because project maintainers can easily inject malicious features into their projects. Now they are actually doing it! Hypothetical threats have become quite real! One of the most interesting examples of this year is the malicious functionality in popular nodejs module node-ipc. On March 7, 2022, node-ipc maintainer Brandon Nozaki Miller (RIAEvangelist) embedded a package with malicious code into node-ipc. Malicious code has a 25% chance of replacing the contents of all files on systems (with write permissions) with the symbol “❤️”. It worked only on hosts with Russian and Belarusian IP addresses.

Full report

Malware Detection Software Asset Management Vendor Reputation Management

3. Scanvus - my open source Vulnerability Scanner for Linux hosts and Docker images
by Alexander Leonov

Scanvus (Simple Credentialed Authenticated Network VUlnerability Scanner) is a vulnerability scanner for Linux. Currently for Ubuntu, Debian, CentOS, RedHat, Oracle Linux and Alpine distributions. But in general for any Linux distribution supported by the Vulners Linux API. The purpose of this utility is to get a list of packages and Linux distribution version from some source, make a request to an external vulnerabililty detection API (only Vulners Linux API is currently supported), and show the vulnerability report.

Full report

Vulnerability Detection

Dates

  • Event/CFP Start: 12.01.2022
  • Event/CFP End: 12.12.2022

Contacts

Main concept

  • An “ongoing event” that will last until the end of the 2022
  • Not limited by region
  • English is a working language

Call For Papers/Videos

CFP will be active from 12.01.2022 to 12.12.2022. Submit a YouTube video of your VM-related talk to cfp@vmconf.pw. It will be added to the VMconf site and other resources. CFP Submissions deemed to be a sales pitch of products/services, or marketing campaigns, will not be accepted. The talks and slides should be in English.

Topics of Interest

  • Vulnerability Knowledge Bases
  • Vulnerability Detection
  • Vulnerability Prioritization
  • Vulnerability Remediation and Patching
  • Vulnerability Management Integrations
  • Vulnerability Management Dashboards for remediation tracking
  • Vulnerability Management Process Standards and Best Practices
  • Vulnerability Management for unusual IT environments
  • Security Hardening and Compliance Management
  • Malware Detection
  • Software Inventory
  • Software Composition Analysis
  • Software Asset Management
  • Vendor Reputation Management