PaulDotCom mailing list archives
Re: Vulnerability Tracking & Management
From: Josh Little <josh () zombietango com>
Date: Fri, 11 Feb 2011 08:47:30 -0500
Our Qualys install is handled through our offsite datacenter provider for our major production systems. We tell them when to run the thing and we get a PDF back. One of my goals for the next quarter is to get a higher level of control over how that system is run and our relationship with the provider in general, at least in terms of their hosted toolset.

Our SIEM (LogRhythm) may not accept scan results as it is primarily log centric.

We also have a RedSeal install. That will do about a third of what I'm looking for since it can import Qualys and Nessus scan results, track them, and note when any problems have been resolved. But it can't do anything with the app, db, and manual testing that we do, nor can it report out and track assignments etc.

I have a feeling I'm going to have to mock something up myself.

ZT

On Fri, Feb 11, 2011 at 8:19 AM, Mike Patterson <mike () snowcrash ca> wrote:
Interfaces with other service and tracking technologies (I assume you mean things like Remedy, Request Tracker, etc) is generally through SMTP, at least for the commercial VA tools. Some will do SNMP traps, most have XML type interfaces, so if you want to do some coding, you can probably make it work.

If you already have the SIEM though, probably the easiest way to accomplish ticketing type stuff is to push things to your SIEM and have whatever mechanism you have in place there (you have something in place there, right?) handle the pushing out to other groups.

You already have Qualys too. Are its reporting functions insufficient, or are you using it in a more limited fashion?

On 11-02-10 2:44 PM, Josh Little wrote:

We already have a large SIEM implementation in place, so duplicating that would be a non-starter. I'll keep enVision in the hat for the next time that a tech refresh comes into play.

If it helps, these are the technologies we are trying to consolidate reporting/tracking for:

Nessus
Qualys
IBM Appscan
DBProtect
WhiteHat Sentinel
Manual Testing

Thanks,
ZT

On Thu, Feb 10, 2011 at 2:22 PM, Butturini, Russell <Russell.Butturini () healthways com> wrote:

This is also something that RSA envision does (It can even conduct the assessments for you), but it ain’t cheap :)

*From:* pauldotcom-bounces () mail pauldotcom com [mailto: pauldotcom-bounces () mail pauldotcom com] *On Behalf Of* Chesmore, Michael [DAS]
*Sent:* Thursday, February 10, 2011 1:19 PM
*To:* PaulDotCom Security Weekly Mailing List
*Subject:* Re: [Pauldotcom] Vulnerability Tracking & Management

I think you are talking about a hybrid SIEM type system. We looked at OSSIM (Open Source Security Information Manager) a year or so ago. I had pretty good things to say about it on one hand and some shortfalls on the other. It is 100% open source, it uses all the standard “tools” that we have used in security for years so it takes a default NMAP scan or Nessus scan right into the DB.
It has an inventory piece and a ticketing piece. The challenge is that they want it to be an “all-in-one” suite of software. So out of the box it works great, if you install their sensors, and their mgmt server it really is slick. For a SMB I would highly recommend it. Their support is ok through the forums. In my opinion it is not a large enterprise solution unless you are ready to write some “glue” scripting to take what you already have in place and format it correctly to go into OSSIM.

We might still go down this route. If you have the scripting skills (and the time) it could be a really viable alternative.

Mike

*From:* pauldotcom-bounces () mail pauldotcom com [mailto: pauldotcom-bounces () mail pauldotcom com] *On Behalf Of* Josh Little
*Sent:* Thursday, February 10, 2011 1:03 PM
*To:* pauldotcom () mail pauldotcom com
*Subject:* [Pauldotcom] Vulnerability Tracking & Management

Hey all.

I'm looking for a better way to manage items discovered through our vulnerability assessments, application reviews, pentests, etc. in a centralized manner rather than spreadsheets, manual reports, etc. I'd like such a system to consume exported reports from various different commercial and open-source scanning technologies as well as manual entries, track the state of these, and allow me to export data that would go into our metrics initiative. This would need to work with application, database, and system vulnerability reports. Not concerned whether it is open source or commercial.

As a bonus it would be great if it could interface with other service and issue tracking technologies so that I can push tasks to the appropriate teams and have it appear in their native operating tool.

Anybody know of such a beast?
ZT

This email contains confidential and proprietary information and is not to be used or disclosed to anyone other than the named recipient of this email, and is to be used only for the intended purpose of this communication.

_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
Current thread:
- Vulnerability Tracking & Management Josh Little (Feb 10)
- Re: Vulnerability Tracking & Management Chesmore, Michael [DAS] (Feb 10)
- Re: Vulnerability Tracking & Management Butturini, Russell (Feb 10)
- Re: Vulnerability Tracking & Management Josh Little (Feb 10)
- Re: Vulnerability Tracking & Management Mike Patterson (Feb 11)
- Re: Vulnerability Tracking & Management Josh Little (Feb 11)
- <Possible follow-ups>
- Re: Vulnerability Tracking & Management Kevin Shaw (Feb 10)
- Re: Vulnerability Tracking & Management Zate (Feb 10)
- Re: Vulnerability Tracking & Management Ben Jackson (Feb 11)