security of velociraptor itself


Gert Koopman

Sep 27, 2023, 8:55:55 AM
to velociraptor-discuss
Hi,

I work in DFIR and use Velociraptor as one of the tools. Sometimes I get questions about the security of Velociraptor itself and reluctance in getting approval for installation (deploying agents, and questions about the security of the management console). I have full confidence in the tool myself, but the question I have is: how can I convince others about the security features? Is there a third-party audit or certification done that I can refer to, and/or links to other documentation that gives assurance?
Thanks,
Gert

Mike Cohen

Sep 27, 2023, 9:52:57 AM
to Gert Koopman, velociraptor-discuss
Hi Gert,
Velociraptor is an open source project, so anyone can take a look at the source code and review it for security purposes. Many users in the past have commissioned external code reviews when considering deployments and to satisfy their own compliance requirements. We are always grateful for users that feed back some of these findings so we can improve Velociraptor, and sometimes security vulnerabilities are discovered, in which case we will issue a CVE and a security patch.

We keep a page of current CVEs here https://docs.velociraptor.app/announcements/2023-cves/

We encourage anyone who discovers a vulnerability in Velociraptor to share their findings with us so we may remedy the situation as soon as possible.

We also encourage people to subscribe to our mailing list and Discord to be notified of any current CVEs.

Thanks
Mike


Mike Cohen
Digital Paleontologist,
Velocidex Enterprises
mi...@velocidex.com



Gert Koopman

Sep 27, 2023, 10:19:25 AM
to Mike Cohen, velociraptor-discuss
Thanks Mike,

Yes, the open source project aspect is also an argument I use myself, and the CVE info. Still, some organisations ask for more. Any public compliance statements or external review reports that you can share? :-)
Thanks

Regards, Gert.

Mike Cohen

Sep 27, 2023, 6:44:21 PM
to Gert Koopman, velociraptor-discuss
I know for sure that some of these CVEs came out of security review exercises that our larger users commissioned, but we don't have their final reports.

Let me check if I can share the results from the security review that Rapid7 commissioned. It was with an external provider, so I have to check if we are allowed to share it.

Thanks
Mike

Mike Cohen

Sep 28, 2023, 7:10:57 PM
to Gert Koopman, velociraptor-discuss
Hi Gert,
Just circling back to this one. I was told that you can contact our risk team directly for them to share the result of the pen test they did. Their email is is-gov...@rapid7.com

Maybe also cc sup...@velocidex.com for visibility.

Thanks
Mike