
Open Letter to Vulnerability Scanner Companies

Dear @NeXpose, @Qualys, @Nessus and the rest of you…

As listed here: Vulnerability Scanning Tools

(I hope some of you are already doing this and I just haven’t seen your tools yet)

As Penetration Testers / Red Teamers, our deliverables are, at worst, a long-winded list of vulnerabilities or a printout from one of your tools; at best, they are a narrative that helps anyone reading it understand the impact of what was found and how.

These vulnerabilities can range from “YOU ALLOW OPENSSL 1.0!! OMG” to “There is an implementation-specific 0day vulnerability in your Widgets Inc. application”. It takes us a very long time to write these things up, and they are usually in a PDF or Word Doc format, neither of which is easy to parse, automate, or, in all honesty, do anything with at all. Some of the better pentest groups / companies have web apps where customers can log in to see their vulnerabilities, or Excel documents with findings. This is a painful process.

How you can help and why you care:

All of you have gone to being web accessible. If you were to create an interface for “Pentesters” or “Security Auditors” or “Red Teamers” (call it what you will), an account level that would allow us to log in and directly input our “findings” into a company’s ALREADY CONFIGURED vulnerability management solution (YOU), you would make our lives easier, as well as your customers’.

The things that would be needed in this interface:

Benefits to pentesters:

Benefits to the customer:

I’m sure there are a bunch of other things that can make an interface like this WIN-WIN-WIN that I can’t think of right now.

Making money on the idea:

  1. Companies could then start requesting “NeXpose Certified Pentesters” or a “Nessus Certified” pentest company, which would involve your company training those testers to use your interface.

  2. You could sell deployable “appliances” so that the testers can interface with the internal asset without having access inside the firewall. (Basically, an internal scanner pulls down data of “findings” from an Internet-accessible “appliance” that gets destroyed (un-deployed) at the end of the test.)

All of this would result in a more unified way for testers to report findings and make it easier for the people who consume those findings to act on them (make tickets, deploy and track the remediation efforts), as well as make you a few dollars along the way.

Thanks for your time, mubix

Update: Just to clarify a few things discussed on twitter already:

  1. The certification isn’t that a tester is an uber-hacker; it’s basically for a company to say “You know how to use our findings/vuln management tool without breaking it”. Think of it less like a CISSP/OSCP and more like a check box and a small give on the “integrity of uber pentesters” to get a greater good done.
  2. This suggestion isn’t a different way to export scanner findings. It’s a way for testers to input their findings in an easy-to-manage format that the company’s employees already know how to deal with.
  3. This is meant to be a small addition to the existing infrastructure of an organization, not another piece of software that both the company employees and testers have to learn and support on their infrastructure. Minimal impact to current functionality and use is key.