OpSec being primarily driven by scanning IP ranges or Invoking Cloud API's to inventory assets, this is normally tracked by (IP/DNS + Port + Issue).
Dynamic AppSec ordinarily starts by defining the application endpoint comprising of a (URL + PORT + URI) and once issues are identified this is appended to the defined application and tracked in this manner. Many of the assets found by OpSec scanning could be involved or even shared with other applications making tracking across these spheres more difficult.
Static AppSec defines the project and its dependant source code repositories and scans for logic flaws as BUGS, Vulnerabilities, SMELLS and measures test coverage and duplications, so again represent a different dataset in terms of the results generated, trying to map accross all these spheres is very challenging.
Trying to tie these spheres together should give a more holistic view of how vulnerable a particular project maybe and where one can prioritise efforts. It is not just a case of hoovering up the many different types of testing, but also various intel feeds with which one can enrich the dataset before finally issuing the normalised data out into the various tools developers and operational teams already have. Keeping track of these issues and any exceptions that may arise such as accepting risks is also another key area to judge any tool/platform that will assist in the vulnerability management workflow.
http://www.frhack.org/research/xorcism.php Alternate link https://web.archive.org/web/20190316174922/http://www.frhack.org/research/xorcism.php is a good example of the size and difficulty in this challenge and why few tools cover all bases, but they are making great strides to accomplish this.
The following table is an initial list of tools that seek to aggregate such data to assist in streamlining the workflow.
| AppSec | OpSec | OSS | URL | Notes |
|---|---|---|---|---|
| £$€ | £$€ | £$€ | £$€ | |
| Y | Y | N | https://www.nucleussec.com/ | C$ |
| Y | Y | N | https://www.brinqa.com/ | C$$ |
| Y | Y | N | https://www.netspi.com/resolve/ | C$$$ |
| Y | Y | N | https://www.rapid7.com/products/insightvm/ | C$$$$ |
| Y | Y | N | https://www.kennasecurity.com/ | C$$$$$ |
| Y | Y | N | https://www.skyboxsecurity.com/products/skybox-vulnerability-control | |
| Y | Y | N | https://www.tenable.com/products/tenable-lumin | they plan to pull in 3rd party scan data one to watch |
| Y | Y | N | https://gauntlet.io/ | |
| Y | Y | N | https://vulcancyber.com/ | no contact email |
| Y* | Y* | N | https://www.nopsec.com/ | |
| Y | Y | N | https://allgress.com/vulnerability-analysis | Demanded NDA for pricing C$$$$$$$$$$ |
| Y | N | N | https://threadfix.it/ | No longer OSS since v2.3 |
| ? | ? | N | https://www.metricstream.com/apps/threat-vulnerability-management.htm | |
| ? | ? | N | https://elastic-detector.secludit.com/home/sign_in | |
| ? | Y | N | https://peoplesec.org/solutions/defects-analytics-portal/ | |
| Y | N | N | https://software.microfocus.com/en-us/products/software-security-assurance-sdlc/overview | |
| Y | ? | N | https://codedx.com/ | |
| N* | N* | N | https://www.flexera.com/products/software-vulnerability-management/ | Patch management oriented, use to be Secunia(Had widest coverage of packages) |
| ? | ? | N | https://www.simplerisk.com/ | Free to use, orientated towards risk audits |
| ? | ? | N | https://www.mageni.net/ | Free to use, Support is Subscription model |
| ??? | ??? | ??? | ??? | |
| Y | ? | Y&N | https://www.faradaysec.com/ | CE edition heavily stripped back |
| Y | ? | Y&N | https://dradisframework.com/ | pentest & owasp oriented |
| ? | ? | Y&N | https://vfeed.io/ | |
| Y | ? | ? | https://checksec.com/canopy.html | |
| N | N | Y&N | https://www.talend.com/products/talend-open-studio/ | Can map and normalise many datasets |
| OSS | OSS | OSS | OSS | |
| Y | Y | Y | https://github.com/HASecuritySolutions/VulnWhisperer | Leverages ElasticStack for reporting and uses an interim DB for dedupe, enriching and pushing tickets into southbound tools |
| Y | Y | Y | https://github.com/DefectDojo/django-DefectDojo | Looks the Biz but cannot import, '0 findings were processed'. Using API to add issues works, but dedupe is not working as expected, project is not updated often |
| Y | Y* | Y | https://github.com/olacabs/jackhammer | Online demo has no import, cannot build any version locally |
| Y | Y* | Y | https://archerysec.info/ | Lack of import options, seems oriented to built in tools |
| Y | Y | Y | https://www.seccubus.com | * Not a tool to consolidate scan data, Scanner for Delta Reporting only a few tools supported |
| Y | ? | Y | http://vulnreport.io/ | pentest & owasp oriented |
| Y | Y | Y | https://github.com/HASecuritySolutions/VulnWhisperer | VulnWhisperer is a report aggregator which allows users to set custom risk scores and create actionable data for security analyst to effectively mitigate vulnerabilites. |
| ? | ? | Y | https://github.com/DSecureMe/vmc | VMC (Vulnerability Management Center) is a platform designed to make vulnerability governance easier for any security specialists and SOC teams within their organisations |
| ? | ? | Y | https://osv.dev/ | We created OSV to address many of the shortcomings of dealing with vulnerabilities in open source software using existing solutions. |
Fork > Mod > Submit Pull Request