Thursday, 12 February 2015

(ISC)2's "Vulnerability Central" - what it is and what it isn't

[disclaimer: until December 31st I was a member of the (ISC)2 Board of Directors. My posts here are my personal opinion and not necessarily shared by any of the current Directors or the organization]

[disclaimer 2: I've personally written cve-search, a tool that enables you to do much of the same. Most of the recent development has been done by Alexandre Dulaunoy. You can find cve-search here: https://github.com/wimremes/cve-search. The goal of cve-search was to enable local lookup rather than using the internet. Alexandre has done an amazing job in adding features and functionality. I'm still amazed how open sourcing my crude script made it into such an awesome tool.]

(ISC)2 has recently launched "Vulnerability Central", a service for members at no additional cost that provides a feed of vulnerabilities and other information that they could use to stay up to date on recent vulnerabilities, threat reports, etc. etc. The service is offered through a company called Cytenna about which I unfortunately have not found much information apart from the fact that they exist and the following statement on their website:
"Cytenna was originally conceived in the research laboratories of InferLink Corporation. We are constantly innovating to provide our clients with better ways to connect the dots in an ever-rising sea of information."

Today I browsed through the functionality offered through the (ISC)2 portal and here is what I found:

  • The initial information feed (mostly composed of CVEs but it also contains data from other sources) is well laid-out. When clicking on an item, the information displayed is very much summarized. You'll have to click on the external links to get more information. That seems a bit weird because most of the information is public so it would make sense to incorporate it in the Vulnerability Central UI.
  • Filtering, it does it. One of the most important features of this type of tool is customization. This can be done by editing your profile. You can basically tell the tool to filter only the information that you want to see based on keywords and keyphrases. This is good. I'd appreciate some more granularity or even different profiles (I could be a consultant working with/for different clients). One thing that hit me on the main page is that I can filter by "Show starred". It took me a while to understand what that meant and how I could "star" an item. Unfortunately I have to first open an item and then star it. I cannot star items on the main page. This partially breaks the usefulness of the star feature. What is positive is that I can easily switch between filter modes (all, profile, starred). This would become even more powerful with the support of multiple profiles or filters.
  • I have to log in with my (ISC)2 credentials. This is understandable because it is a member benefit but at the same time it limits the usability of the tool. If I want to use it, I'm restricted to the website and in a time of APIs and mobile applications that greatly limits how I can consume information. Support for API keys would be a definite plus here.
  • Vulnerability Central doesn't only provide vulnerability information, it also has a "News" and "Reports" section. Unfortunately those are hidden at the bottom of the page. They should have prominence at the top of the page. The "News" section provides links to security-relevant articles and the "Reports" section centralizes links to vendor and independent reports.
  • The information seems to be fairly up to date. I have not done extensive analysis of the accuracy but given that it is mostly based on public information, I think there should be no problem there.
  • There currently is no ability to export data sets. This should be #1 on the feature road map without any debate. If I am only able to consume the information on the website, its value drops to 0 immediately. Need.That.Yesterday!
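The keyword-profile filtering, starring and export discussed in the points above, as an added example that is not part of the post and is neither cve-search nor Vulnerability Central code: it runs several profiles at once over a local feed and exports one profile's matches as CSV. The feed records, profile names and CVE identifiers are constructed placeholders.

```python
import csv
import io
import re

# Constructed sample records in the shape of a CVE feed entry (id, score,
# summary). The identifiers and descriptions are made up for this example.
SAMPLE_FEED = [
    {"id": "CVE-0000-0001", "cvss": 9.3,
     "summary": "Buffer overflow in ExampleHTTPd allows remote code execution"},
    {"id": "CVE-0000-0002", "cvss": 4.3,
     "summary": "Cross-site scripting in the ExampleCMS admin panel"},
    {"id": "CVE-0000-0003", "cvss": 7.2,
     "summary": "Privilege escalation in the ExampleOS kernel driver"},
]

# One keyword/keyphrase list per profile, e.g. one per client you consult for.
PROFILES = {
    "client-web": ["ExampleCMS", "cross-site scripting"],
    "client-infra": ["ExampleOS", "remote code execution"],
}


def matches(entry, keywords):
    """Case-insensitive match of any keyphrase on whole words in the summary."""
    text = entry["summary"]
    return any(re.search(r"\b" + re.escape(k) + r"\b", text, re.IGNORECASE)
               for k in keywords)


def filter_feed(feed, profiles):
    """Return {profile: [matching CVE ids]} for every profile in one pass."""
    return {name: [e["id"] for e in feed if matches(e, keywords)]
            for name, keywords in profiles.items()}


def export_csv(feed, profile_name, profiles, starred=frozenset()):
    """Export one profile's matches as CSV, carrying a 'starred' column."""
    ids = set(filter_feed(feed, profiles)[profile_name])
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["id", "cvss", "starred", "summary"])
    for e in feed:
        if e["id"] in ids:
            writer.writerow([e["id"], e["cvss"], e["id"] in starred, e["summary"]])
    return out.getvalue()


if __name__ == "__main__":
    print(filter_feed(SAMPLE_FEED, PROFILES))
    print(export_csv(SAMPLE_FEED, "client-infra", PROFILES, starred={"CVE-0000-0001"}))
```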
Now I am sure that the usefulness of this new member benefit depends on how well you have built out your own information feed over the past years. It is by no means a panacea for your security information needs and in its current version it is by no means perfect.

Apart from my own tool, I am a big fan of www.cvedetails.com and OSVDB. Both offer similar functionality based on different data sets.

However, this tool is now available to 100,000 members across the globe. If you are a member, you should explore it, use it and provide (ISC)2 with your feedback. What is good and what is not? What feature are you missing and how can it be more useful to YOU? If they listen, Vulnerability Central has the potential of turning into a must-have tool in the chest of (ISC)2 members and even change how you work today.

The beauty of being part of a membership organization is that you directly benefit from the contributions of fellow members. The downside (or should I say opportunity?) is that your fellow members count on you to do the same.
