So following a discussion launched on another social media platform, I compiled a list of what tools folk were advocating over at https://github.com/kempy007/VulManAgg
Now the crux of the conversation was:
"Application security vulnerability management - which tool do you find the most useful to store, manage, and prioritize vulnerabilities?
...
I'd like to hear some honest feedback from those who have implemented these solutions. PLEASE no sales pitches or solicitation."
Some of the tools claim to be able to pull in Application scans and Network scans and even Source Code scans and to output to multiple defect tracking tools.
So my question is: have I missed any worth noting, and what are your experiences with the ones you have used?
You might have to check the link you included; it opens a page on GitHub that displays
404 This is not the web page you are looking for.
We wrote our own tool.
You know sharing is caring!
Care to spill the details? Which components did you elect to use, and why?
Does it improve asset management? Is it part of a GRC tool?
Why did you write your own tool, was there a lack of choice?
Hi - nope, it's not a part of Archer or any other GRC tool. It was written by one of our teams.
All vulns found are loaded into a database (I think it's MS SQL Server), and a front-end was written. All vulnerabilities are assigned a "tranche" based on their CVSS/CVE score, internal vs external, etc.
This makes it very easy to determine if remediation is overdue, and we can collect really good stats to help us determine who needs "encouragement" to remediate on time.
I can't share a ton of details, but that high level view should help you know where we're coming from.
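As an added illustration of the approach described in the post above (example code, not the poster's proprietary tool): the tranche is the CVSS v3 qualitative band, promoted one step when the asset is externally exposed, an assumed per-tranche SLA gives each finding a due date, and open findings past due are counted per owner. The band thresholds are those of the CVSS v3 specification; the SLA days and the sample records are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Added example (not the poster's tool); CVSS v3 spec bands, assumed SLA policy.
SEVERITY_BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]
TRANCHES = ["critical", "high", "medium", "low"]
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Vuln:
    vuln_id: str
    owner: str
    cvss: float
    external: bool  # internet-facing asset?
    found: date
    fixed: Optional[date] = None

def severity(cvss: float) -> str:
    """CVSS v3 qualitative band; "none" for a zero score."""
    for floor, name in SEVERITY_BANDS:
        if cvss >= floor:
            return name
    return "none"

def tranche(v: Vuln) -> str:
    """Severity band, promoted one step when the asset is externally exposed."""
    sev = severity(v.cvss)
    if sev == "none":
        return sev
    return TRANCHES[max(TRANCHES.index(sev) - (1 if v.external else 0), 0)]

def due_date(v: Vuln) -> Optional[date]:
    t = tranche(v)
    return None if t == "none" else v.found + timedelta(days=SLA_DAYS[t])

def is_overdue(v: Vuln, today: date) -> bool:
    due = due_date(v)
    return due is not None and v.fixed is None and today > due

def overdue_by_owner(vulns, today: date) -> Counter:
    """Open findings past their SLA, counted per owner."""
    return Counter(v.owner for v in vulns if is_overdue(v, today))

SAMPLE = [  # constructed records
    Vuln("V-1", "team-a", 9.8, False, date(2024, 1, 1)),  # critical, due 2024-01-08
    Vuln("V-2", "team-b", 7.5, True, date(2024, 1, 1)),   # high + external -> critical
    Vuln("V-3", "team-b", 5.0, False, date(2024, 1, 1), fixed=date(2024, 1, 20)),
    Vuln("V-4", "team-a", 3.1, False, date(2024, 1, 1)),  # low, due 2024-06-29
]
```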
If you can share a schema and BPMN chart, it would be helpful to others.
Can't. It's proprietary - company intellectual property. Sorry.