So following a discussion launched on another social media platform, I compiled a list of what tools folk were advocating over at https://github.com/kempy007/VulManAgg
Now the crux of the conversation was;
"Application security vulnerability management - which tool do you find the most useful to store, manage, and prioritize vulnerabilities?
I'd like to hear some honest feedback from those who have implemented these solutions. PLEASE no sales pitches or solicitation."
Some of the tools claim to be able to pull in Application scans and Network scans and even Source Code scans and to output to multiple defect tracking tools.
So my question is have I missed any worth noting, and what are your experiences with the ones you have used.
You might have to check the link you included; it opens a page on GITHub that displays
404 This is not the web page you are looking for.
We wrote our own tool.
You know sharing is caring!
Care to spill the details, which components did you elect to use and why.
Does it improve asset management, is it part of a GRC tool.
Why did you write your own tool, was there a lack of choice?
Hi - nope, it's not a part of Archer of any other GRC tool. It was written by one of our teams.
All vulns found are loaded into a database (I think it's MS SQL Server), and a front-end was written. All vulnerabilities are assigned a "traunch" based on their CVSS/CVE score, internal vs external, etc.
This makes it very easy to determine if remediation is overdue and we can collect really good stats to help us determine who needs "encouragement" to remediate on-time.
I can't share a ton of details, but that high level view should help you know where we're coming from.
If you can share a schema and BPMN chart it would be helpful to others.
Can't. It's proprietary - company intellectual property. Sorry.