In the movie "The American President", the statement is made that America has advanced citizenship and that "you gotta want it bad, because it will put up a fight". The same can be said for vulnerability management. It is never a completed exercise or a process where the status quo can be maintained quite easily, especially in a distributed enterprise environment. The reason: change.
SensePost recognised early on that just having an accurate vulnerability scanner isn't good enough to ensure continuous and less arduous vulnerability management. There needs to be workflow and efficiency build into such a scanner. Hence our HackRack and now lately, our BroadView managed vulnerability scanning offerings.
But, no matter how good a scanner is or how well the workflow has been designed, there is still a very large amount of manual analysis required.
In BroadView, when viewing scan results, by default the Medium, High and Critical findings are shown. Fab and groovy. But, should one just stop there? The Low and Info findings can be as interesting as the rest. For example, a client of ours that usually has a handle on things, had an informational finding about virtual directories being guessable on one of their web servers: the directories "/testing" and "/test" were identified. This "/testing" directory turned out to contain the beta version of a new e-commerce web application and even though reasonable security was in place, a blind SQL injection test showed us they were developing on live data. Just like that, an informational finding became a critical finding. If we had been focused on CVSS scores and risk impact only, this finding would have been flying under the radar.
What we saw on BroadView:
Vulnerability management is not easy. It will put up a fight; be that in the form of stubborn sysadmins not closing the holes or developers taking chances with release candidates and beta products. The vulnerability manager has to be on his/her toes and perform constant scanning and prodding. Vulnerability scanner results should never be taken at face value, and the associations between findings should be understood.
It is wise to keep in mind that vulnerability management is cyclic and repetitive. And as Dr Ruth always used to say: "Once, is not enough". You cannot scan once, find nothing, and sit back and relax. You may just miss your /testing directory.
For our BroadView customers we have added a couple of new blizzards to enhance the process to monitor results.
The Missing Microsoft Patches blizzard combines all the possible patches that could be missing and this is especially necessary where Internet facing targets are scanned. Murphy's Law usually applies where patches and Internet facing devices are concerned - that one patch that can result in pwnage, is normally the one missing.
The output from the Missing Microsoft Patches blizzard would typically consist of an IP:Value output
The jBoss Console blizzard was created after we realised it is becoming more and more prevalent for consoles to be found open during assessments and vulnerability scanning.
Having access to world class pen-testers really does give the vulnerability management team a good insight into which vulnerabilities can actually lead to system compromise.