Hello World

Introducing VulnIQ

Posted by Serkan Özkan, VulnIQ Founder. 

Back in 2007, I was working as a security consultant. Coming from a software development background, I was surprised by the lack of tooling in the security space. Accessing information in particular was unnecessarily hard and time consuming. I was not happy with how things were and wanted to do something about it, but at that time I was very busy playing World of Warcraft in my spare time, so it had to wait until 2010 (yes, I played WoW for a few years and had thousands of hours of play time; I have no regrets, it was a lot of fun).

In 2010, I decided to fix it for everyone and first created CVEdetails.com, which was pretty good, but I was not completely satisfied with the amount of detail CVEs provided. OVAL definitions contained far more detailed information, but OVAL was designed for machines, not for humans to read. So I created itsecdb.com, which presented OVAL definitions in a human readable format. It was, in my opinion, far more useful than CVEs, but it never got the attention I anticipated.
(P.S. CVEdetails.com and itsecdb.com have been owned by a third party since 2016.)

I was still not satisfied with how difficult accessing information was, and I came up with the VulnIQ idea back in 2012: collect all sorts of data and create a single source of information. I actually started development in 2012, but then again life intervened, plans changed, etc., and I had to postpone it for a really long time.

Finally, in 2018, I decided to start my own company to work on the VulnIQ idea. Obviously my original work from 2012 was a bit stale, so to speak, so I started development from scratch, but the basic ideas are still the same.

Basic Principles

  • Information is the key to success. You cannot succeed without information; lacking it, you will inevitably fail.
  • Data that is sitting in a silo, disconnected from the outside world, is useless.
  • The solution should work for everyone, regardless of team, company or budget size, from individuals to the largest enterprises. You should not need to spend millions on some "big data, blockchain, AI, Machine Learning, pokemon..." nonsense.

The Problem

The dependency on manual processes is the main problem. You need to follow people on Twitter, subscribe to RSS feeds, follow vendor advisories, run Google searches, etc.
For example, assume that you are using 20 open source projects hosted on GitHub, GitLab, Bitbucket, etc. How many of them can you consistently track? How do you know when someone pushed a commit that fixed a vulnerability?
Even if you have a tracking solution for some of them, you have to support multiple sources and formats, which easily turns into a maintenance burden and causes you to give up.

The Solution

A software solution (it is NOT a data feed) that will collect, process and merge data from various sources and feed you usable information.
  • It should support as many data sources and formats as possible.
  • It must be automated.
  • All data must be accessible through APIs.
Something like this:

All screenshots in this post are taken from a development environment, so the data and statistics may not be representative of actual data and statistics.

Usual CVE data, with some enhancements. Needless to say, all data is cross linked and browsable:
References for CVEs are not limited to what's provided by NVD.

Or advisories from your vendors:

Or relevant web pages:
Note the tags attached to everything; we will come back to them later.

And all data, literally everything available in the application, is available through REST APIs (the web UI is also built using the APIs):


For example, you can search/get commits from the curl GitHub repository (or any git repository; you can configure data sources yourself):
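As an added illustration of the collect, normalize, tag and cross-link idea (this is not VulnIQ's code; the product's data model and API are not described in this post), the following Python sketch parses constructed commit log lines and constructed vendor advisory entries into one record shape, tags each with the CVE ids it mentions, and indexes the tags so that a single CVE tag links a commit to the advisory that covers it. All identifiers, log formats and field names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of `git log --format='%H|%cI|%s'`
# output; hypothetical commits, not real history of any project.
SAMPLE_GIT_LOG = """\
a1b2c3d4e5f6|2019-06-01T10:00:00+00:00|fix: prevent buffer overread in header parser (CVE-2019-00001)
0f9e8d7c6b5a|2019-06-02T11:30:00+00:00|docs: update README
1122334455aa|2019-06-03T09:15:00+00:00|security: reject malformed cookie names
bbccddeeff00|2019-06-04T12:00:00+00:00|Fixes CVE-2019-00002 and cve-2019-00003 in URL parser
"""
# Constructed vendor advisory entries (hypothetical ids and CVE numbers).
SAMPLE_ADVISORIES = [
    {"id": "ADV-2019-01", "published": "2019-06-05",
     "title": "Header parser overread", "cves": ["CVE-2019-00001"]},
]

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# Words that hint a commit is a security fix even without a CVE id.
FIX_HINTS = ("security", "vulnerab", "overflow", "overread", "cve")

@dataclass
class Record:
    source: str       # where the item came from (repo, vendor feed, ...)
    ref: str          # commit sha, advisory id, ...
    timestamp: str
    summary: str
    tags: set = field(default_factory=set)

def parse_git_log(text, source):
    """Turn one source format (git log lines) into tagged Records."""
    records = []
    for line in text.splitlines():
        sha, ts, subject = line.split("|", 2)
        rec = Record(source, sha, ts, subject)
        rec.tags.update(c.upper() for c in CVE_RE.findall(subject))
        if any(h in subject.lower() for h in FIX_HINTS):
            rec.tags.add("security-fix")
        records.append(rec)
    return records

def parse_advisories(entries, source):
    """Turn a second source format (advisory dicts) into the same Records."""
    return [Record(source, e["id"], e["published"], e["title"],
                   set(e["cves"]) | {"advisory"}) for e in entries]

def index_by_tag(records):
    """Tag -> refs; a CVE tag cross-links commits and advisories."""
    index = {}
    for rec in records:
        for tag in rec.tags:
            index.setdefault(tag, []).append(rec.ref)
    return index
```

With the constructed data above, looking up the tag CVE-2019-00001 in the index returns both the fixing commit and the vendor advisory, which is the kind of cross-linking the screenshots refer to.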




You might be thinking, "why would you need an API that returns the git commit that fixes a vulnerability?" You already have separate tools for all of these, so why would you need yet another tool to do the same things? You have Google for searching, RSS feed apps, Gmail, third party data feeds, the Twitter app, etc. Why would you even want to replace them with something else?

Consider a smart phone, which lets you text, talk, watch videos, listen to the radio, find your way, etc. Before smart phones there were separate products for each of these, all a part of our lives, but now all you need is a smart phone.
Would you rather have a Nokia 3310 phone, a TV, a desktop computer, a radio, a flashlight, a navigation device, etc., or your smart phone?

For more information see https://www.vulniq.com.
