Vulnerability Manager: How It Tracks Applications in Your Portfolio

This is the first in a series of blog posts where we will be going through the internals of the Vulnerability Manager as well as our future plans.  The hope is to explain the approach we have taken as well as solicit thoughts on improvements or different approaches we may want to look into.  You can submit bugs and feature requests here.

Application portfolio tracking is pretty simple in the “Technology Preview” edition of the Vulnerability Manager.  Basically all we track are a name for the application and the URL.  And the only reason we need to keep track of the URL is to help de-multiplex results that come back from the WhiteHat Sentinel XML API.

Portfolio tracking will be expanded going forward to track important application metadata such as development platforms, characteristics of development teams, and sensitivity of data under management.  We are considering using a “tagging” approach to this – how Web 2.0!

Also, currently application URLs are basically tied to a hostname, but going forward we are considering allowing applications to be tied to a full URL with a directory.  This supports the way many organizations deal with their larger systems, so there can be separate “applications” hosted at http://www.site.com/Application1/ and http://www.site.com/Application2/.

We have received questions from a number of folks asking if Vulnerability Manager is only for web based applications.  The answer is unequivocally “no.”  It is true that some of the functionality of the Vulnerability Manager – such as virtual patching by generating Web Application Firewall (WAF) rules – is only for … web applications.  But most features – such as bundling vulnerabilities for submission to defect tracking systems and tracking team practice maturity – work for any application.  In addition to being able to import results from web application scanners we can also import results from code scanning tools that work for a variety of types of applications.  So no matter what type of applications are in your portfolio you should be able to derive value from Vulnerability Manager.

Any thoughts or comments on how we’re doing application portfolio tracking?  Please submit here.

Contact us for help enumerating and risk-ranking your applications.

–Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
