I root for vuln scanners to succeed (no pun intended). Back in the day scanners helped automate a laborious task, and they've continued to improve their products. However, their fight in the marketplace is far from over. While vuln scanners own the vulnerability assessment market, for some reason they never quite finished delivering on vulnerability management, i.e., ensuring that unacceptable vulns are remediated per policy.
Today we're seeing GRC and other vendors consume vuln scans like they're commodity pork bellies. They add on some workflow, connectors, reporting, and presto, you have the technology capable of supporting a great assessment service (almost as good as bacon).
This post has two purposes. One is to wax all nostalgic on how much I love vuln scanners. The other is to help explain why Third Defense just released a reporting extension on top of them. No, we are not providing all the workflow like the GRC crowd. We're simply responding to a customer request who asked if we could help them out. Since I've been asking vuln scan vendors to produce this report for years, I said YES.
The report simply shows vulnerability age compared to policy. It's easy to age a vulnerability on specific hosts across scans. It's also incredibly powerful for a security team to report on overdue vulns per asset group. The goal is to increase accountability and drive risk acceptance or mitigation decisions across business owners. Odds are you already have pre-negotiated mitigation time frames per sev level with the Ops group. Some folks include these time frames in policy. Others call them Service Level Agreements.
Either way, you now have an easy way to show vuln age. Here are the steps:
1. Paste your existing asset group names, owners, and IP ranges into the Vuln Tracker app
2. Assign a remediation date per group and sev level
The result is a simple histogram that can show:
Here's a screen snip:
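To make the aging logic concrete, here is an added Python example (not Third Defense's Vuln Tracker code, and not a Nessus export parser). It assumes scan results have already been reduced to rows of (scan date, host IP, check id, severity); the asset groups, the per-group remediation windows and the scan rows below are all constructed sample data. It collapses rows across scans into one record per host and check, treats a finding as still open if it was present in the most recent scan that covered that host, and then counts open and overdue findings per asset group and severity, which is the data behind the histogram described above.

```python
"""Vulnerability age vs. remediation policy, per asset group.

Added example (not the Vuln Tracker app's code). All groups, policy
windows and scan rows are constructed sample data.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
import ipaddress

# Step 1 equivalent: asset group names, owners and IP ranges (constructed).
ASSET_GROUPS = {
    "web-dmz":  {"owner": "web-team", "ranges": ["10.0.1.0/24"]},
    "corp-lan": {"owner": "it-ops",   "ranges": ["10.0.2.0/24"]},
}
# Step 2 equivalent: days allowed to remediate, per group and sev level (constructed).
POLICY_DAYS = {
    "web-dmz":  {"Critical": 7,  "High": 30, "Medium": 90},
    "corp-lan": {"Critical": 14, "High": 60, "Medium": 120},
}

@dataclass(frozen=True)
class Finding:
    """One row from one scan: a check that fired on a host."""
    scan_date: date
    host: str
    plugin_id: int      # scanner check id (e.g. a Nessus plugin id)
    severity: str

@dataclass
class AgedFinding:
    """One (host, check) pair tracked across scans."""
    host: str
    plugin_id: int
    severity: str
    first_seen: date
    last_seen: date
    still_open: bool

def group_for_host(host: str) -> str | None:
    """Map a host IP to the first asset group whose range contains it."""
    ip = ipaddress.ip_address(host)
    for name, grp in ASSET_GROUPS.items():
        if any(ip in ipaddress.ip_network(r) for r in grp["ranges"]):
            return name
    return None

def age_findings(findings: list[Finding]) -> list[AgedFinding]:
    """Collapse per-scan rows into one record per (host, plugin) with
    first/last seen dates. A finding is open if it appeared in the most
    recent scan that covered its host; a host that dropped out of
    scanning keeps its findings open (the conservative choice)."""
    last_scan_of_host: dict[str, date] = {}
    for f in findings:
        prev = last_scan_of_host.get(f.host, f.scan_date)
        last_scan_of_host[f.host] = max(prev, f.scan_date)
    by_key: dict[tuple[str, int], AgedFinding] = {}
    for f in findings:
        af = by_key.get((f.host, f.plugin_id))
        if af is None:
            by_key[(f.host, f.plugin_id)] = AgedFinding(
                f.host, f.plugin_id, f.severity, f.scan_date, f.scan_date, False)
        else:
            af.first_seen = min(af.first_seen, f.scan_date)
            af.last_seen = max(af.last_seen, f.scan_date)
    for af in by_key.values():
        af.still_open = af.last_seen == last_scan_of_host[af.host]
    return list(by_key.values())

def overdue_histogram(aged: list[AgedFinding], as_of: date) -> dict:
    """Per asset group and severity: open findings, how many exceed the
    group's remediation window, and the oldest open finding in days.
    Hosts outside every range land in 'unassigned' and have no window."""
    hist = defaultdict(lambda: defaultdict(
        lambda: {"open": 0, "overdue": 0, "max_age_days": 0}))
    for af in aged:
        if not af.still_open:
            continue
        grp = group_for_host(af.host) or "unassigned"
        age = (as_of - af.first_seen).days
        bucket = hist[grp][af.severity]
        bucket["open"] += 1
        bucket["max_age_days"] = max(bucket["max_age_days"], age)
        allowed = POLICY_DAYS.get(grp, {}).get(af.severity)
        if allowed is not None and age > allowed:
            bucket["overdue"] += 1
    return {g: dict(s) for g, s in hist.items()}

# Constructed rows from three monthly scans. Note 10.0.1.9 was only seen
# in the January scan and 10.0.1.5's Medium finding vanished in March.
SAMPLE_SCANS = [
    Finding(date(2024, 1, 1), "10.0.1.5", 1001, "Critical"),
    Finding(date(2024, 1, 1), "10.0.1.5", 1002, "Medium"),
    Finding(date(2024, 1, 1), "10.0.1.9", 1003, "High"),
    Finding(date(2024, 2, 1), "10.0.1.5", 1001, "Critical"),
    Finding(date(2024, 2, 1), "10.0.1.5", 1002, "Medium"),
    Finding(date(2024, 2, 1), "10.0.2.7", 1003, "High"),
    Finding(date(2024, 3, 1), "10.0.1.5", 1001, "Critical"),
    Finding(date(2024, 3, 1), "10.0.2.7", 1003, "High"),
    Finding(date(2024, 3, 1), "10.0.2.7", 1001, "Critical"),
]
AS_OF = date(2024, 3, 1)

def report(scans=SAMPLE_SCANS, as_of=AS_OF) -> dict:
    return overdue_histogram(age_findings(scans), as_of)

if __name__ == "__main__":
    for grp, sevs in report().items():
        owner = ASSET_GROUPS.get(grp, {}).get("owner", "?")
        for sev, b in sevs.items():
            print(f"{grp:10} {owner:10} {sev:8} open={b['open']} "
                  f"overdue={b['overdue']} oldest={b['max_age_days']}d")
```

Two choices in the example matter for the numbers you report: a finding's age counts from the first scan that saw it, not the most recent, and a host that silently disappears from scanning keeps its findings open rather than having them counted as fixed. Both keep the report from flattering remediation performance.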
I fully expect vuln scan vendors to add this report someday. It would be cool if we helped hasten the process. Until then, I encourage you to try out this report. The increased visibility into remediation performance works wonders. In my experience, the vuln management process is the easiest one in all of security to mature. It's rewarding to sit down with ops every month and translate vuln definitions into risk statements for your business. Take the next step and verify that the appropriate remediation occurs.
As always, we welcome your feedback, even if it's to remind us that we're crazy to add a feature like this :)
Quick note: out of the gate we only support Nessus. Let us know if you'd like to see more.