Toolchain 2.0

Background

In 2018 me and a colleague gave two talks titled, "How not to suck at Vulnerability Mangement". They were good talks (imho) and can be viewed in their entirety at the location below. As a part of those talks we had an appendix of tools this appendix was published to an older verison of my blog and is now (2023) been somewhat updated while attempting to be honest to the source information.

"How not to Suck at Vulnerability Management [at Scale]." Defcon 26 (2018), Blue Team Village. Los Vegas, NV.
- Discusses the theory and technical strategy of how to run a Vuln Management program.
- Slides
"How NOT to suck at Vulnerability Management." Shellcon (2018). San Pedro, CA.
- Discussing the theory and tech strategy for Vuln Management
- Demoed Man o’ War

Toolchain 2.0 (circa 2018)

Security Tools Awesome List
External Vuln Intelligence
- VFeed
- VulnDB
- Vulndb
- Vulners
- SNYK
Libraries and Depndencies
- Github Dependencies (Provided by Github)
- SNYK
OSINT (Open Source Intelligene)
- Shodan
- Censys
- theHarvester
- Recon-NG
- Inquisitor
- Omnibus
All-In-One Platforms
Subdomain Monitoring
- Knock
- SubFinder
- Amass
- MassDNS
- SecurityTrails
Code Secrets Scanning
- Truffle Hog
- Bucket Stream
Cloud Scanning
Bug Bounty Toolkit
Internal Intelligence
- WSUS (Windows)
- HubbleStack
- Katello and RH Satellite
- OSQuery
- Lynis
- YASAT
- Zeus
CVSS3 Tools
- Calculator
- CVSS3 Scoring Rubric (With Excellent Flowcharts to) help Score
- Python cvss Module
"Man o' War."

Bibliography

Piper, Scott. "Beyond S3: Exposed Resources on AWS." Duo. May 15, 2018.
"The Heartbleed Bug." Synopsys. 2017.
"Eternal Blue." Wikipedia.
"CVE-2018-14359." NIST. Sept 12, 2018.
"Network Reconnaissance in IPv6 Networks." IETF. March 2016
"USN-3765-1: curl vulnerability." Ubuntu Security Notices. Sept 17, 2018.
Chhetri, Himanshu. "ChatOps-Workflows Beyond Integrations." ADDTEQ Blog. Aug 24, 2017.
Schwartz, Baron. "Building A Time-Series Database on MySQL." Scale 13x. Feb 20, 2015. (Video)