Yesterday at the OWASP Appsec conference in Washington D.C., Joshua “Jabra” Abraham of Rapid7 talked about the need to support integration between the various tools used in the security testing process, and Kelly Jackson Higgins of Dark Reading wrote about the talk. I had the pleasure of discussing this with Kelly for the article and was quoted in it.
While Kelly quoted me accurately, I had more to say in the discussion than the article space allowed for, so I would like to expand upon it here.
First off, the principle expressed -- that tools used in security evaluations should talk to each other to allow testers to work more efficiently, eliminate grunt work, and thus make a better test -- is a good one. It’s one we believe in here at Core and have been delivering on in CORE IMPACT for many years. Automation and open integration free the security tester to apply their expertise and also allow those with less expertise to get better results.
Next, during the talk, Abraham showed how web server and services information from two information gathering tools could be fed into vulnerability scanning tools. CORE IMPACT follows this approach of information gathering followed by security testing. The process is automated and integrated with other tools via IMPACT’s Rapid Penetration Test (RPT). The RPT kicks off with Information Gathering for multiple attack vectors (network, client-side and web), which finds objects to test (servers, e-mail addresses and web pages, respectively), and then the software’s Attack and Penetration capabilities perform security tests (scanning AND exploiting) against those objects -- all through a wizard-driven approach that does not involve feeding data from one process to the other by hand.
Also worth noting, this is not limited to internal data generated by IMPACT. We integrate with data generated by NMAP and all the leading vulnerability scanners. Our customers can find and identify systems with NMAP and then import that data to use as the basis for further testing. With vulnerability scanners it goes one step further: IMPACT includes a one-step module that will validate vulnerability scanner output by automatically loading scan results and attempting to exploit all the vulnerabilities found for which we have an exploit. The IMPACT workspace is then pre-loaded with exploited systems and vulnerabilities for further testing using the software’s post-exploitation capabilities.
Finally, for those customers who want to perform more custom tasks, all the data in IMPACT – including that created by loading NMAP or vulnerability scan results – is available in our database via SQL or through XML exports. In addition, we support CVE enumeration of vulnerabilities and CVSS severity scores for further standardization.
We have been helping our customers address the issue of interoperability with important security tools for years – and we will continue to focus on bolstering our integrations with the automation and ease of use so critical to successful security testing at all levels.
-Fred Pinkett, Vice President of Product Management