Vulnerability management aggregation of AppSec & OpSec

date: 2019-07-19

When you start to move past using just one security tool for finding problems you end up with a few pdf’s/csv/xml that people likely want to begin tracking over time, and this may push you into keeping a spreadsheet (from hell) to rekey this data into, in order to comply with management demands.

Try doing anything above a few hundred MB in a spreadsheet and you’ll understand why I’m no fan of spreadsheets. Do you really want to tie up your security team with data entry/management chores? With that said and problem framed, I’ll move onto to discuss why I got to my conclusion and selected a particular product.

Back in 2014, I started looking at ways to leverage the API of various security tools to pull down data and create regular snapshots for reporting, there had been a lot of cursing along the way and some tears but in 2019 finally solved this problem with a commercial tool called Nucleus.

Now, what took me so damn long…

Simply the terminology clashed with the enumeration tools, so just trying to list out the vendors was a challenge in itself. Then trying to grade the products discovered was tough too, some tools were oriented towards helping security testers collate evidence and so on.
All the opensource tools failed to achieve that single pane (or pain) of glass that could be tagged, sliced and diced and automated into a southbound tool like Jira and Service Now with granular control. My criteria was to merge the AppSec and NetSec and artifact/code scan results together so each development team can see how well they are (not)doing with securing the assets they are responsible for.
My Goal is to shift the dissemination of problems away from the security team and to give rapid feedback to the teams that need to action the data.

You can check out my list on github and below are some screenshots I used to talk about the products features.