Today we made the “technology preview” release of our Vulnerability Manager application available. This is an internal Denim Group project we have been working on for a number of months. It has been through a number of private and semi-public demonstrations, so we are really excited to make it available to a broader audience.
Vulnerability Manager is a Java/Spring/Hibernate-based web application allowing organizations to automate and centrally manage administration of many of the functions of an application security program:
- Create and maintain a portfolio of applications
- Import and merge vulnerability results from a variety of free and commercial static and dynamic scanning tools
- Automatically generate WAF and IDS/IPS rules for identified vulnerabilities (virtual patching)
- Track attack statistics for vulnerabilities based on WAF and IDS/IPS logs
- Bundle vulnerabilities and send them to defect tracking systems
- Track team maturity practices according to standards such as OpenSAMM
There is an online screencast demo here:
Vulnerability Manager sprang from a number of conversations and engagements we had with clients discussing the problems they faced getting application security programs working in their organizations. At Denim Group we have been fortunate to have the opportunity to work with folks across the spectrum of application security maturity, and we think we have assembled some capabilities that will be compelling to many organizations.
Please remember, this is a “technology preview” release of the application. What this means is:
- In short – it still needs serious work before I would put it in production. Please be kind and constructive in your feedback
- It works well for our example files under controlled conditions. Outside of those circumstances… good luck (please let us know about any issues)
- The application has not been through a proper security review and has, in fact, been built in an ad hoc manner that we are aggressively working to correct (please do as we say, not as we’ve done thus far)
- A number of must-have features surrounding configuration and workflow have not yet been completed. Those are in progress
- “Vulnerability Manager” is a terrible name for an application and we promise to come up with something cooler
If you explore the Vulnerability Manager site you can see a demonstration video showing how this works as well as some screenshots. You can also download a running Tomcat-hosted version of the code. We welcome feedback – especially constructive feedback. Please submit feedback here.
Contact us for more information about Vulnerability Manager and how you can use it to improve your application security program.
–Dan
dan _at_ denimgroup.com