Blog Post:
Vulnerability management 101 - edgescan

Published: 2013-08-14 | Author: Eoin Keary

Vulnerability Management:

The age-old penetration test is dead, long live the penetration test... So, as discussed before, a one-off penetration test does not work. Why?

  • Code changes - possible introduction of vulnerabilities
  • Framework vulnerabilities are discovered all the time (see here)
  • Server/hosting changes may give rise to a vulnerability
  • Patching - patches can themselves introduce vulnerabilities
  • Logical/business logic vulnerabilities - from new features
  • etc etc

So, our one-off penetration test is only a point-in-time assessment. It has its place for deep-dive penetration tests, but more often than not the value of a one-off penetration test is eroded the day the report is finished... like driving a car out of a dealership, it loses half its value in an instant.

We decided to do something different...

  • Monthly or more frequent vulnerability assessments
  • Covers layers 1-7 (host, protocol, server, IP, patch, web app, framework etc etc)
  • Is manually verified by humans (not androids or monkeys!)
  • Integrates with many, many other security services
  • A single point to view your entire security posture across all OSI layers for your entire Internet presence

This type of idea makes sense right?

We don't have experienced consultants running scans and chasing false positives. We don't have 300 reports to manage while attempting to track what was fixed, how and when, not to mention risk priority.

Bring forth... edgescan

For the last year we have been developing a pretty decent vulnerability management tool. It answers questions like:

  • What are my high risk issues?
  • Where are my high risk issues?
  • How old are they?
  • What is vulnerability history for my assets?
  • Am I more or less secure than yesterday/last month/last year?
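The questions above are really queries over a history of assessment results rather than over a single report. The following is an added example, not edgescan's code or data model: a hypothetical finding schema, three constructed monthly snapshots for two made-up assets, and the queries that answer "what and where are my high risk issues", "how old are they", "what is the history of this asset" and "am I more or less secure than last month". The risk weights and the network/application split are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One verified vulnerability on one asset (hypothetical schema, not edgescan's)."""
    asset: str
    layer: str   # "network" (administration/config) or "application" (development/devops)
    title: str
    risk: str    # "high", "medium" or "low"


RISK_RANK = {"high": 0, "medium": 1, "low": 2}      # sort order for the to-do list
RISK_WEIGHT = {"high": 10, "medium": 3, "low": 1}   # assumed weights for the posture score


def _f(asset, layer, title, risk):
    return Finding(asset, layer, title, risk)


# Constructed sample data: three monthly assessments of two fictitious assets.
SNAPSHOTS = {
    date(2013, 6, 14): {
        _f("www.example.test", "application", "SQL injection in login form", "high"),
        _f("www.example.test", "network", "TLS 1.0 enabled", "medium"),
        _f("mail.example.test", "network", "Outdated OpenSSH version", "high"),
    },
    date(2013, 7, 14): {
        # the SQL injection was fixed; a new XSS appeared with a feature release
        _f("www.example.test", "network", "TLS 1.0 enabled", "medium"),
        _f("www.example.test", "application", "Reflected XSS in search", "medium"),
        _f("mail.example.test", "network", "Outdated OpenSSH version", "high"),
    },
    date(2013, 8, 14): {
        _f("www.example.test", "network", "TLS 1.0 enabled", "medium"),
        _f("www.example.test", "application", "Reflected XSS in search", "medium"),
        _f("www.example.test", "application", "Missing authorisation on report export", "high"),
        _f("mail.example.test", "network", "Outdated OpenSSH version", "high"),
        _f("mail.example.test", "network", "Self-signed certificate", "low"),
    },
}


def first_seen(snapshots, finding, as_of):
    """Earliest date from which the finding has been present in every assessment up to as_of.

    A finding that was fixed and later reintroduced is treated as new from its reappearance.
    """
    seen = None
    for d in sorted(snapshots, reverse=True):
        if d > as_of:
            continue
        if finding not in snapshots[d]:
            break
        seen = d
    return seen


def todo_list(snapshots, as_of):
    """Open findings as of a date: (age_in_days, finding), ordered by risk then by age."""
    items = []
    for f in snapshots[as_of]:
        opened = first_seen(snapshots, f, as_of)
        items.append(((as_of - opened).days, f))
    items.sort(key=lambda t: (RISK_RANK[t[1].risk], -t[0], t[1].asset, t[1].title))
    return items


def asset_score(snapshots, asset, on):
    """Weighted sum of open findings for one asset on one assessment date."""
    return sum(RISK_WEIGHT[f.risk] for f in snapshots[on] if f.asset == asset)


def asset_history(snapshots, asset):
    """Score per assessment date, oldest first: the asset's vulnerability history."""
    return [(d, asset_score(snapshots, asset, d)) for d in sorted(snapshots)]


def trend(snapshots, asset, previous, current):
    """'improved', 'worse' or 'unchanged' between two assessment dates."""
    before = asset_score(snapshots, asset, previous)
    after = asset_score(snapshots, asset, current)
    if after < before:
        return "improved"
    if after > before:
        return "worse"
    return "unchanged"


def layer_breakdown(snapshots, as_of):
    """How many open findings sit in the network layer versus the application layer."""
    counts = {}
    for f in snapshots[as_of]:
        counts[f.layer] = counts.get(f.layer, 0) + 1
    return counts


if __name__ == "__main__":
    today = date(2013, 8, 14)
    for age, f in todo_list(SNAPSHOTS, today):
        print(f"{f.risk:6} {age:3}d {f.asset:18} [{f.layer}] {f.title}")
    for asset in ("www.example.test", "mail.example.test"):
        print(asset, asset_history(SNAPSHOTS, asset),
              trend(SNAPSHOTS, asset, date(2013, 7, 14), today))
    print(layer_breakdown(SNAPSHOTS, today))
```

With the constructed data the to-do list puts the 61-day-old high on the mail host first, then the brand-new high on the web app, and the www asset reads "improved" from June to July (the SQL injection went away) but "worse" from July to August (a new authorisation flaw arrived with a feature), which is exactly the change a point-in-time report cannot show.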

Some screenshots of edgescan, given that a picture is worth 1000 words:

Executive Dashboard

What are my biggest security concerns on the network and application layers?

What is the history of each asset and what changes have occurred? The dashboard answers such questions.


Vulnerability List

My to-do list! Ordered by risk, date, asset etc etc. What do I need to remediate, and which issues take high priority?

Also advice on how to fix discovered issues.


Asset List

Each of my assets organised by criticality, with a snapshot of each asset. Is it more secure than at the last scheduled assessment?

Are my issues in the network layer (administration/config) or the application layer (development/devops)?


Reporting

Yes, you can download deep technical reports or executive-level reports on one or more assets if you wish. You can also select date ranges for historic reporting.