A good friend years ago told me that if your doing just about the same thing something over and over again, you can automate it!
So I do a lot of pentesting internally for a financial institution were I officially work. The team has now finally grown from one/me to three....yay! Anyways I am always asked about my schedule, what is in the pipeline? who has free time? have the issues been remediated? can you retest? etc etc.
So awhile ago I tried building a sort of interface to parse Nessus scan output and put it in a nice interface, and the user can add manual vulnerabilities, see if some of the re-occurring automated scan results were improving or getting worse...a sort of diff to help me figure out whats changed. It was ugly but it sort of worked and still used today (eek).
However it got me thinking, how to improve the overall Internal Pentest Process, from management of pentesters, projects, vulnerabilities, reporting and management of the remediation and so on. So it would have to combine the managers, pentesters and end clients into one interface...a single central platform to host all of this...and it should be pretty or at least prettier than what I did before.
That same friend that gave me the previous advice, also said at a talk one day that hackers make the worst developers...I guess his right...but what the heck here goes!
Vulnerability & Assessment Management Platform
I present to you...not out of final testing yet...oneVault!
Its no where close to release...although its pretty much finished in terms of all functionality, I just wanna do a few more things...but i figured I will start talking about it so long...
Its a central web platform to manage projects (assessments), pentesters, vulnerabilities and reporting. Its pretty much aimed at Internal Pentest Teams, I will try mention as much of the features I think are relevant but I wont get to them all.
There are 3 main users:
Clients log in to the application and are presented with dashboards of information consolidating data from all the completed security assessments. Giving them a global overview of the technical risks they face. There is a nice little "tag" function which allows them to filter the dashboards on specific data/hosts/projects etc.
They can then drill-in to specific completed projects, get a specific project dashboard and view hosts, and vulnerabilities. Client users can request specific hosts/vulnerabilities to be reviewed, which sends an email to the project pentester informing him of what the client has requested.
Each project will have an online report that the pentester compiled on oneVault there is also a default report to PDF generator that the pentester can use.
The client can also upload files to projects, to share with the pentester of a specific project, such as host information or architectural diagrams.
The pentester will also be presented with a variety of dashboards upon log in, showing him/her what projects they have completed, are busy with or in the pipeline.
When working on a project the pentester can use a variety of tool output to help populte oneVault project data. Nmap host scans output (xml) can be uploaded, which will generate, hosts, ports etc.
Once there are targets, vulnerability data can be added to them. This can be done with manual testing and manually adding the vulnerability to the host, or with tool output, oneVault currently supports XML output from:
- McAfee Vulnerability Manager
- OWASP ZAP
- IBM AppScan
oneVault parses the data as best it can, populating hosts with data, if the host does not exist it will create and add on the fly. The pentester can also create specific notes within the project.
Another nice function built-in is the ability to upload evidence to the specific risk reported. Pentesters can take screenshots and upload it to a specific host vulnerability, which will replay the evidence in a step by step manor to the clients or pentester.
Reports can be enabled on projects, this section will let pentesters create online reports which can be generated into online PDF's as well. The pentester can create the Heading, write up information etc, I have included some key values that will generate specific tables with regards to the project in the online report.
Then the "Technical Findings" heading is automatically created, building a table of all the technical vulnerabilities in the project.
I also have started on MS Word Template outputting. Here the pentester can upload a simple MS Word docx with specific key values in the document and oneVault will populate the fields with the specific project data...still to be further worked on and improved...
Methodology - These are pretty much important with regards to any sort of security assessment carried out. oneVault makes provision for this, there is a section that allows, pentesters, managers and admins to create methodologies, which are assigned to projects. These will help ensure that the pentesters keep to the methodology standard set by the company and ensure complete testing. This will also help new staff as the methodologies have tasks assigned which can detail exactly what the pentester should do, or tool to use. The pentester will check each task off, which goes to calculating to complete'ness of the project.
Vulnerability Knowledge Base - oneVault has a KB which is populated by pentesters, managers and admins. This allows the team to properly document specific vulnerabilities, remediation, risk rating etc. Helping provide detailed information that can be re-used for consistency in projects and reports back to business. When manually adding a vulnerability to a host, by typing the first portions of the Vulnerability Name, oneVault will fetch the details from the KB database and populate all the fields.
The manager has a global overview of all vulnerabilities etc. The managers can create new accounts and users, and create new projects and assign them to pentesters.
All kinds of email alerts are built-in to inform the client or pentester of the project, keeping everyone up-to-date.
So that's really it from a high-level overview. I am still not sure what to do with oneVault (release or not to release, package it into a product) but I have a couple more idea's I want to implement into the project.
If your keen for a demo or have questions/idea's, email me at 'gareth at scapecom.co.za'