Vulnerability Management - lanceDamage/vulnMan GitHub Wiki

Welcome to the vulnMan wiki!

I'm just going to put down random thoughts and notes here.

Questions:

  1. Why is it so hard to pin down a unique identifier for a single vulnerability on a single instance in a Tenable Nessus scan CSV export? (I believe there is the same issue with Rapid7 Nexpose.)

Background: I need to keep track of which vulnerabilities have been mitigated from month to month, without the benefit of a workflow manager or a ticketing system. I have to compare Excel spreadsheets from one period to the next. To do that, I need to be able to identify when a specific vulnerability, on a specific system, on a specific date, using a specific plugin was found. This is because I could remediate a vulnerability, and like a whack-a-mole, the same vulnerability could reappear the following period because some admin reset a configuration. I need to be able to document the work that was going into remediating the first instance. So I need a unique identifier that is timebound.

I'm looking at my standard Nessus output, and I have the following fields:

  * Plugin ID
  * CVE
  * CVSS
  * Risk
  * Host
  * Protocol
  * Port
  * Name
  * Synopsis
  * Description
  * Solution
  * See Also
  * Plugin Output

None of these by itself is the unique event ID that I am looking for.

The best solution I have for tracking these is to concatenate some combination of these fields that will represent a unique item. This isn't so straightforward, because many of these values are duplicated across rows. You have to put together the right set of fields.

So, first off, there is no timestamp. An event being time-bound is important. Why should I have to create that? Create it I do. I add the following fields:

  * dateOfScan
  * uniqueVulnID

Currently, uniqueVulnID is a combination of the Plugin ID + IP + date. This is good, but not what I need.

The problem is that one Plugin ID is mapped to many CVEs. That means the combination I have so far for a unique ID is not really unique: it can be duplicated many times, because the export has one row per CVE for that plugin, and a plugin can have one or many CVEs. We manage and mitigate per CVE.

Now, the obvious solution is to add my CVE field to the concatenated, hybrid unique ID, right? But I can't, because not all the lines have a CVE. There are roughly 1% of entries in my current scans that are vulnerabilities with no corresponding CVE.

Current Solution: Put dummy values in the CVE fields when blank, then add CVE to my concatenated unique ID.
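As an added example (not code from the vulnMan project), here is that current solution in Python: blank CVE cells get a dummy value, uniqueVulnID is Plugin ID + Host + CVE + dateOfScan, and the month-to-month comparison is done on the date-independent part of the ID, since the date makes every period's IDs distinct. The column names are the page's; the sample exports, the CVE placeholder numbers and the CVE-NONE dummy value are constructed.

```python
import csv
import io

# Dummy value for a blank CVE cell, so the field can join the concatenated ID.
# The label itself is a constructed choice, not a Nessus value.
NO_CVE = "CVE-NONE"

def finding_key(row):
    """Plugin ID + Host + CVE: one CVE on one system, independent of scan date."""
    return "|".join((row["Plugin ID"].strip(), row["Host"].strip(), row["CVE"]))

def add_tracking_fields(csv_text, date_of_scan):
    """Parse a Nessus CSV export and add the dateOfScan and uniqueVulnID fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["CVE"] = row["CVE"].strip() or NO_CVE      # fill blank CVE with dummy
        row["dateOfScan"] = date_of_scan
        # Appending the scan date makes the ID a time-bound record of the finding.
        row["uniqueVulnID"] = finding_key(row) + "|" + date_of_scan
        rows.append(row)
    return rows

def compare_periods(previous, current):
    """Diff two periods on the date-independent key, not on uniqueVulnID itself."""
    prev_keys = {finding_key(r) for r in previous}
    curr_keys = {finding_key(r) for r in current}
    return {
        "remediated": sorted(prev_keys - curr_keys),
        "new": sorted(curr_keys - prev_keys),
        "persistent": sorted(prev_keys & curr_keys),
    }

# Constructed sample exports using the page's column names (other columns omitted);
# the CVE numbers are placeholders, not real identifiers.
MARCH = """Plugin ID,CVE,Host,Protocol,Port,Name
12345,CVE-0000-0001,10.0.0.5,tcp,443,Example TLS issue
12345,CVE-0000-0002,10.0.0.5,tcp,443,Example TLS issue
99999,,10.0.0.5,tcp,22,Example configuration issue
"""
APRIL = """Plugin ID,CVE,Host,Protocol,Port,Name
12345,CVE-0000-0002,10.0.0.5,tcp,443,Example TLS issue
99999,,10.0.0.5,tcp,22,Example configuration issue
55555,CVE-0000-0003,10.0.0.9,tcp,80,Example web issue
"""

def march_vs_april():
    return compare_periods(add_tracking_fields(MARCH, "2020-03-01"),
                           add_tracking_fields(APRIL, "2020-04-01"))
```

Calling `march_vs_april()` reports one CVE of plugin 12345 as remediated while the other CVE of the same plugin persists, which is exactly the per-CVE distinction the Plugin ID + IP + date key could not make.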