Introduction

The platform is designed to identify software vulnerabilities across various operating systems, including Windows, macOS, and Linux. It achieves this by matching installed applications and their versions with the latest data from trusted sources such as the National Vulnerability Database (NVD), the Cybersecurity and Infrastructure Security Agency (CISA), and Microsoft. This article explains how Lupasafe detects vulnerabilities and the processes it employs to ensure a comprehensive risk assessment. It also explains why the risks Lupasafe reports may differ from those reported by tools such as Datto, CyberCNS and Intune.


How Lupasafe Detects Vulnerabilities

Data Collection

Lupasafe collects data through endpoints that scan the entire list of installed applications on each device. This data collection occurs across different platforms:

  • Windows
  • macOS
  • Linux

In addition to scanning endpoints, Lupasafe also performs port scanning on internal networks and internet-connected services. This dual approach ensures that both local and network-level vulnerabilities are identified and assessed.


Matching with Vulnerability Databases

Once the application data is collected, Lupasafe compares it with up-to-date vulnerability information from:

  • NVD (National Vulnerability Database): Provides detailed reports on known vulnerabilities.
  • CISA (Cybersecurity and Infrastructure Security Agency): Offers guidance on managing cyber risks.
  • Microsoft Security Bulletins: Supplies insights into vulnerabilities specific to Microsoft products.

By matching installed applications with these databases, Lupasafe identifies vulnerabilities that may affect the security of your systems. Each finding is reported with both its CVSS version 3.0 base score and its EPSS score.
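The matching step described above, as an added illustration that is not Lupasafe's own code: a constructed software inventory is compared against NVD-style records whose affected-version bounds use the versionStartIncluding / versionEndExcluding / versionEndIncluding convention, and each hit is reported with its CVSS v3.0 base score and EPSS score, highest EPSS first. The vendor, product and CVE identifiers are placeholders.

```python
# Illustrative version-range matching of an installed-software inventory against
# NVD-style vulnerability records. Constructed sample data; not Lupasafe's code.

def version_key(v):
    """'2.3.1' -> (2, 3, 1); trailing zeros are dropped so '1.2' equals '1.2.0'."""
    parts = [int("".join(c for c in p if c.isdigit()) or 0) for p in v.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def in_range(version, rule):
    """Apply NVD-style bounds: versionStartIncluding / versionEndExcluding / versionEndIncluding."""
    v = version_key(version)
    lo, hi_ex, hi_in = (rule.get(k) for k in
                        ("versionStartIncluding", "versionEndExcluding", "versionEndIncluding"))
    return not ((lo and v < version_key(lo))
                or (hi_ex and v >= version_key(hi_ex))
                or (hi_in and v > version_key(hi_in)))

def match_inventory(inventory, feed):
    """Every (host, product) that falls inside a record's affected range,
    ordered by highest EPSS, then highest CVSS v3.0 base score."""
    findings = []
    for app in inventory:
        for rec in feed:
            if any((app["vendor"], app["product"]) == (r["vendor"], r["product"])
                   and in_range(app["version"], r) for r in rec["matches"]):
                findings.append({"host": app["host"], "product": app["product"],
                                 "version": app["version"], "cve": rec["id"],
                                 "cvss_v3": rec["cvss_v3"], "epss": rec["epss"]})
    return sorted(findings, key=lambda f: (-f["epss"], -f["cvss_v3"]))

# Constructed inventory and feed; the CVE ids are placeholders, not real identifiers.
INVENTORY = [
    {"host": "ws-01", "vendor": "examplevendor", "product": "widget", "version": "2.3.1"},
    {"host": "srv-02", "vendor": "examplevendor", "product": "widget", "version": "3.0.0"},
    {"host": "srv-02", "vendor": "examplevendor", "product": "toolkit", "version": "1.2"},
]
FEED = [
    {"id": "CVE-XXXX-0001", "cvss_v3": 9.8, "epss": 0.92, "matches": [
        {"vendor": "examplevendor", "product": "widget",
         "versionStartIncluding": "2.0", "versionEndExcluding": "2.4.0"}]},
    {"id": "CVE-XXXX-0002", "cvss_v3": 5.3, "epss": 0.01, "matches": [
        {"vendor": "examplevendor", "product": "widget", "versionEndIncluding": "3.0.0"}]},
    {"id": "CVE-XXXX-0003", "cvss_v3": 7.5, "epss": 0.30, "matches": [
        {"vendor": "examplevendor", "product": "toolkit", "versionEndExcluding": "1.2.0"}]},
]
```

Running match_inventory(INVENTORY, FEED) yields three findings: widget 2.3.1 on ws-01 matches both widget records, widget 3.0.0 on srv-02 matches only the second, and toolkit 1.2 is not flagged because 1.2 equals the excluded upper bound 1.2.0.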



Why Lupasafe reports differ from tool X: special considerations for dependencies

Lupasafe does not currently detect or report vulnerabilities related to application dependencies, such as DLLs or JAR files. These dependencies, often essential components like logging libraries within Java applications, can contain vulnerabilities that pose risks under certain conditions. However, the actual risk depends on how the dependency is used within the specific application and environment.


For instance, a vulnerability in a JAR file may only be exploitable when the application is installed on a server and reachable over the network, which is not the case in every deployment. In a desktop application, the risk might be minimal or non-existent.


Lupasafe is designed to help you focus on relevant risks by not overwhelming you with alerts for vulnerabilities that are unlikely to impact your specific setup. If a software vendor issues a CVE related to a vulnerable dependency within their product, Lupasafe will match that CVE to the installed product, enabling you to assess the risk in the context of your environment. Support for direct detection of such vulnerabilities in dependencies may be added in future updates.