
Tuesday, October 15, 2013

Open Letter to Vulnerability Scanner Companies


Dear @NeXpose, @Qualys, @Nessus and the rest of you…

As listed here: Vulnerability Scanning Tools

(I hope some of you are already doing this and I just haven’t seen your tools yet)

As penetration testers / red teamers, our deliverables are, at worst, a long-winded list of vulnerabilities or a printout from one of your tools; at best, they are a narrative that helps anyone reading it understand the impact of what was found and how it was found.

These vulnerabilities can range from “YOU ALLOW OPENSSL 1.0!! OMG” to “There is an implementation-specific 0day vulnerability in your Widgets Inc. application”. It takes us a very long time to write these things up, and they are usually in PDF or Word Doc format, neither of which is easy to parse, automate, or in all honesty do anything with at all. Some of the better pentest groups / companies have web apps where customers can log in to see their vulnerabilities, or Excel documents with findings. This is a painful process.

How you can help and why you care:

All of you have gone web accessible. If you were to create an interface for “Pentesters” or “Security Auditors” or “Red Teamers” (call it what you will), an account level that would allow us to log in and directly input our “findings” into a company’s ALREADY CONFIGURED vulnerability management solution (YOU), you would make our lives easier, as well as your customers’.

The things that would be needed in this interface:
  • Custom vulnerability creation with ability to fill out fields with respect to references, suggested remediation, suspected impact level, screen shots, and attack detection capabilities (the list goes on)
  • No access to other scanner results; we’re pentesters, and if we can cheat we will ;-) (but make it optional to turn on)
  • Last (year|month|century)’s “pentest” findings. These can be used as “ya we already know about those and are fixing them” or “please make sure they were all fixed”
  • During input use AJAX or whatever funky tech you use to auto-suggest vulnerability IDs or things that you already have in the database. It would save our typing and make it much easier to track for your customers.
  • Make it have a timed access period with an auto-password change, since a company would be giving a tester access to the system they scan from. The “cheat” factor could be curtailed here.
  • If you are a non-hosted product, make the interface something I don’t have to punch holes in my firewall to make happen (unless I want to).
  • Ability to input other vendor vulnerability scanning or pentesting (Impact/MSF Pro/CANVAS) exports.
Benefits to pentesters:
  • The report out would be more of a highlights reel + executive summary versus a list of vulnerabilities
  • Inputting findings during the test with a screenshot upload and specific fields is much easier than trying to keep track of findings and then writing long reports where 80% of your time is spent on word processor formatting problems
  • If a finding is a known quantity, use the information already part of the vulnerability scanner, instead of having to have a collection of 300+ template findings or having to write new ones
Benefits to the customer:
  • The ability to easily come back 2,3,6 months later and re-check any findings/vulnerabilities by clicking a button if the finding was related to a vulnerability ID
  • No need to convert / translate pentester speak into a finding.
  • Easy tracking from reporting to fix
  • Easy scaling. Pentester reports Default Creds on Tomcat server with vuln ID 999, scanner automagically says this vuln is also on these other 40 servers.
I’m sure there are a bunch of other things that can make an interface like this WIN-WIN-WIN that I can’t think of right now.

Making money on the idea:
  1. Companies could then start requesting “NeXpose Certified Pentesters” or a “Nessus Certified” pentest company, which would involve your company training those testers to use your interface.
  2. You could sell deployable “appliances” so that the testers can interface with the internal asset without having access inside the firewall. (Basically the internal scanner pulls down the “findings” data from an Internet-accessible “appliance” that gets destroyed (un-deployed) at the end of the test.)
All of this would result in a more unified way for testers to report findings and make it easier for the people who consume those findings to act on them (make tickets, deploy and track the remediation efforts), as well as make you a few dollars along the way.

Thanks for your time,
mubix

Update: Just to clarify a few things discussed on twitter already:
  1. The certification isn’t that a tester is an uber-hacker; it’s basically for a company to say “You know how to use our findings/vuln management tool without breaking it”. Think of it less like a CISSP/OSCP and more like a check box, and a small give on the “integrity of uber pentesters” to get a greater good done.
  2. This suggestion isn’t a different way to export scanner findings. It’s a way for testers to input their findings in an easy-to-manage format that the company’s employees already know how to deal with.
  3. This is meant to be a small addition to the existing infrastructure of an organization, not another piece of software that both the company employees and testers have to learn and support on their infrastructure. Minimal impact to current functionality and use is key.
