Hello everyone! This episode will be about the AM Live Vulnerability Management online conference. I participated in it on May 17th. The event lasted 2 hours. Repeating everything that has been said is difficult and makes little sense. Those who want can watch the full video or read the article about the event (both in Russian). Here I would like to share my impressions, compare this event with last year's and express my position.

Watch the video version of this episode on my YouTube channel.

Read the full text of this episode with all links on avleonov.com blog.

Hello everyone! This episode will be about Microsoft Patch Tuesday for May 2022. Sorry for the delay, this month has been quite intense. As usual, I’m using my Vulristics project and going through not only the vulnerabilities that were presented on May 10th, but all the MS vulnerabilities presented by Microsoft since the previous Patch Tuesday, April 12th.

Watch the video version of this episode on my YouTube channel.

Read the full text of this episode with all links on avleonov.com blog.

Hello everyone! In this episode, I want to talk about the latest updates to my open source vulnerability prioritization project Vulristics.

Watch the video version of this episode on my YouTube channel.

Read the full text of this episode with all links on avleonov.com blog.

Hello everyone! This video was recorded for the VMconf 22 Vulnerability Management conference, vmconf.pw. I will be talking about malicious open source and the cost of using someone else's code. We must start with the fact that this year is fundamentally different. We now live in The New Reality of Information Security (TNRoIS). It has become quite clear that Open Source tools and code can harm your organization, because project maintainers can easily inject malicious features into their projects. Now they are actually doing it! Hypothetical threats have become quite real!

Watch the video version of this episode on my YouTube channel.

Read the full text of this episode with all links on avleonov.com blog.

Hello everyone! This episode will be about Microsoft Patch Tuesday for April 2022 and new improvements in my Vulristics project. I decided to add more comment sources. Because it's not just Tenable, Qualys, Rapid7 and ZDI make Microsoft Patch Tuesday reviews, but also other security companies and bloggers.

Watch the video version of this episode on my YouTube channel.

Read the full text of this episode with all links on avleonov.com blog.

Hello everyone! After a two-year break, I took part in Moscow CISO Forum 2022 with a small talk "Malicious open source: the cost of using someone else's code". CISO Forum is the first major Russian conference since the beginning of The New Reality of Information Security (TNRoIS). My presentation was just on this topic. How malicious commits in open source projects change development and operations processes. I will make a separate video about this. In this episode, I would like to tell you a little about the conference itself.

Watch the video version of this episode on my YouTube channel.

Read the full text of this episode with all links on avleonov.com blog.

Hello everyone! In this episode, let’s take a look at the latest vulnerabilities in Gitlab. On March 31, the Critical Security Release for GitLab Community Edition (CE) and Enterprise Edition (EE) was released. GitLab recommends that all installations running a version affected by the issues described in the bulletin are upgraded to the latest version as soon as possible.

Watch the video version of this episode on my YouTube channel.

Read the full text of this episode with all links on avleonov.com blog.

Hello everyone! This episode will be about last week's high-profile vulnerabilities in Spring. Let's figure out what happened. Of course, it's amazing how fragmented the software development world has become. Now there are so many technologies, programming languages, libraries and frameworks! It becomes very difficult to keep them all in sight. Especially if it's not the stack you use every day. Entropy keeps growing every year. Programmers are relying more and more on off-the-shelf libraries and frameworks, even where it may not be fully justified. And vulnerabilities in these off-the-shelf components lead to huge problems. So it was in the case of a very critical Log4Shell vulnerability, so it may be in the case of Spring vulnerabilities.

Watch the video version of this episode on my YouTube channel.

Read the full text of this episode with all links on avleonov.com blog.

Hello everyone! In this episode, I would like to talk about Github and how to remove sensitive information that was accidentally uploaded there. This is a fairly common problem. When publishing the project code on Github, developers forget to remove credentials: logins, passwords, tokens. What to do if this becomes known? Well, of course, these credentials must be urgently changed. What was publicly available on the Internet cannot be completely removed. This data is indexed and copied by some systems. But wiping it from github.com is real. Why is it not enough to just delete the file in the Github repository? The problem is that the history of changes for the file will remain and everything will be visible there. Surprisingly, there is still no tool in the Github web interface to remove the history for a file. You have to use third-party utilities, one of them is git-filter-repo.

Watch the video version of this episode on my YouTube channel.

Read the full text of this episode with all links on avleonov.com blog.

Hello everyone! I am glad to greet you from the most sanctioned country in the world. Despite all the difficulties, we carry on. I even have some time to release new episodes. This time it will be about Microsoft Patch Tuesday for March 2022. I do the analysis as usual with my open source tool Vulristics. You can still download it on github. I hope that github won’t block Russian repositories and accounts, but for now it looks possible. Most likely, I will just start hosting the sources of my projects on avleonov.com in this case. Or on another domain, if it gets even tougher. Stay tuned.

Watch the video version of this episode on my YouTube channel.

Read the full text of this episode with all links on avleonov.com blog.