Vulnerability management aggregation of AppSec & OpSec

When you start to move past using just one security tool for finding problems you end up with a few pdf's/csv/xml that people likely want to begin tracking over time, and this may push you into keeping a spreadsheet (from hell) to rekey this data into, in order to comply with management demands.

Try doing anything above a few hundred MB in a spreadsheet and you'll understand why I'm no fan of spreadsheets. Do you really want to tie up your security team with data entry/management chores? With that said and problem framed, I'll move onto to discuss why I got to my conclusion and selected a particular product.

Back in 2014, I started looking at ways to leverage the API of various security tools to pull down data and create regular snapshots for reporting, there had been a lot of cursing along the way and some tears but in 2019 finally solved this problem with a commercial tool called Nucleus.

Now, what took me so damn long...

Simply the terminology clashed with the enumeration tools, so just trying to list out the vendors was a challenge in itself. Then trying to grade the products discovered was tough too, some tools were oriented towards helping security testers collate evidence and so on.
All the opensource tools failed to achieve that single pane (or pain) of glass that could be tagged, sliced and diced and automated into a southbound tool like Jira and Service Now with granular control. My criteria was to merge the AppSec and NetSec and artifact/code scan results together so each development team can see how well they are (not)doing with securing the assets they are responsible for.
My Goal is to shift the dissemination of problems away from the security team and to give rapid feedback to the teams that need to action the data.

You can check out my list on github and below are some screenshots I used to talk about the products features.

Global Dashboard
Global Dashboard 

Global Dashboard 

Project Dashboard

Project Dashboard

Project Trends

Project Trends

Project Analysis

Project Analysis

Project Analysis

Jira Issue

Jira Issue

Project Analysis Upload Evidence

Project Analysis change status

Project Analysis mitigated

Project Analysis scan history

Project Analysis scan compare

Project Analysis scan compare

Project notifications

Project notifications

Notification rule

Notification rule

Import scans from file

Import scans Connector(api)

Import scans Connector(api)

Import Connectors

External issues logged

Comments

Popular Posts