Mapping Penetration Testing report and vulnerability management CVEs
- Mar 27, 2015
- Michaelangelo Sidagni
Penetration tests are point-in-time adversarial tests aimed at testing the intrusion prevention, detection, and incident response capabilities and controls of an organization. Usually well-trained penetration testers produce reports including the attack vectors and exploits used to successfully attack the network / application and the related vulnerabilities / CVEs exploited during the penetration test.
Once the pen testing report is delivered, the vulnerabilities are remediated with various degree of urgency. Otherwise the report ends up on auditors / compliance officer / CISO desks to collect dust.
One of the most prolific security researcher in the community, Rob Fuller – aka @mubix – once wrote a blog post titled “Open Letter to Vulnerability Scanning Companies” (now removed), advocating that vulnerability scanners should have a way to map vulnerabilities exploited in penetration testing reports and correlate them with those vulnerabilities found and tracked as part of vulnerability management.
I was and am still fascinated by this concept. Thanks @mubix. To such an extent, that I wanted to include it in the feature road-map of our Unified VRM SaaS solution. And now it is a reality since the last released sprint.
This is the way it works. An organization with an account with Unified VRM can upload its penetration testing reports (as many as they like) in doc, docx and pdf formats. As long as those penetration testing reports contain the CVEs of the exploited vulnerabilities, those are then mapped and correlated with the CVEs of the vulnerabilities discovered, imported and tracked in Unified VRM. Vulnerabilities and related tickets are then tagged with the penetration testing report date so that the organization can track the related vulnerabilities exploited during the pen tests and monitor them until they are remediated. Pretty neat, eh!
Again thanks a lot Rob @mubix for the great idea.