Kempy
Newcomer III

Vulnerability management aggregation tools

So following a discussion launched on another social media platform, I compiled a list of what tools folk were advocating over at https://github.com/kempy007/VulManAgg

Now the crux of the conversation was:

"Application security vulnerability management - which tool do you find the most useful to store, manage, and prioritize vulnerabilities?  

...

I'd like to hear some honest feedback from those who have implemented these solutions. PLEASE no sales pitches or solicitation."

Some of the tools claim to be able to pull in application scans, network scans and even source code scans, and to output to multiple defect tracking tools.

So my question is: have I missed any worth noting, and what are your experiences with the ones you have used?

8 Replies
Shannon
Community Champion

You might have to check the link you included; it opens a page on GitHub that displays

404 This is not the web page you are looking for.

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Kempy
Newcomer III

A space got included 😞
DHerrmann
Contributor II

We wrote our own tool.

Kempy
Newcomer III

You know, sharing is caring!

Care to spill the details? Which components did you elect to use, and why?

Does it improve asset management? Is it part of a GRC tool?

Why did you write your own tool? Was there a lack of choice?

DHerrmann
Contributor II

Hi - nope, it's not a part of Archer or any other GRC tool. It was written by one of our teams.

All vulns found are loaded into a database (I think it's MS SQL Server), and a front-end was written. All vulnerabilities are assigned a "tranche" based on their CVSS/CVE score, internal vs external, etc.

This makes it very easy to determine if remediation is overdue, and we can collect really good stats to help us determine who needs "encouragement" to remediate on time.

I can't share a ton of details, but that high level view should help you know where we're coming from.
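The tranche-and-SLA scheme DHerrmann outlines above, as an added Python example that is not the team's tool or anyone's product: the tranche thresholds, the SLA days per exposure, the `owner` field and the sample findings are all assumptions made for the illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed tranche table (not from the thread): name, CVSS floor, internal SLA days, external SLA days.
TRANCHES = [
    ("critical", 9.0, 14, 7),
    ("high", 7.0, 30, 14),
    ("medium", 4.0, 90, 45),
    ("low", 0.0, 180, 90),
]

@dataclass
class Finding:
    fid: str
    cvss: float
    external: bool      # reachable from outside the perimeter?
    found: date
    owner: str          # hypothetical field: team responsible for the fix
    fixed: "date | None" = None  # None while still open

def assign_tranche(f: Finding) -> tuple:
    """Return (tranche name, SLA days); the first floor the score clears wins."""
    for name, floor, sla_internal, sla_external in TRANCHES:
        if f.cvss >= floor:
            return name, (sla_external if f.external else sla_internal)
    raise ValueError(f"CVSS score out of range: {f.cvss}")
def due_date(f: Finding) -> date:
    return f.found + timedelta(days=assign_tranche(f)[1])
def status(f: Finding, today: date) -> str:
    """Classify against the SLA: fixed_on_time, fixed_late, overdue or open."""
    due = due_date(f)
    if f.fixed is not None:
        return "fixed_on_time" if f.fixed <= due else "fixed_late"
    return "overdue" if today > due else "open"

def remediation_stats(findings, today: date) -> dict:
    """Per-owner status counts, i.e. the 'who needs encouragement' view."""
    stats = defaultdict(Counter)
    for f in findings:
        stats[f.owner][status(f, today)] += 1
    return {owner: dict(c) for owner, c in stats.items()}

# Constructed sample findings (not real data) and a fixed 'today' for the example.
SAMPLE = [
    Finding("F-1", 9.8, True, date(2024, 1, 1), "web"),
    Finding("F-2", 7.5, False, date(2024, 1, 15), "db"),
    Finding("F-3", 5.3, True, date(2023, 10, 1), "web", fixed=date(2023, 12, 15)),
]
TODAY = date(2024, 2, 1)
```

Running `remediation_stats(SAMPLE, TODAY)` with the sample above reports one overdue and one late-fixed finding for "web" and one open finding within SLA for "db".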

Kempy
Newcomer III

If you can share a schema and BPMN chart it would be helpful to others.

DHerrmann
Contributor II

Can't. It's proprietary - company intellectual property. Sorry.

TPAASYCC
Viewer II

To update your list, add NorthStar:

https://www.northstar.io/how-it-works/