Hi,
Hopefully a quick question;
Is it possible to assign my own\internal ratings to vulnerabilities discovered on a QualysGuard internal scan?
Cheers.
Rob.
Depends on what you mean.
You can change the risk rating for a VM vulnerability. Take a look at POODLE; I believe this vulnerability has a severity rating of 3, but you could, say, change it to a 4.
In Policy Compliance, where my knowledge is limited, you can change the ratings as NAMES between 5 different levels.
For WAS, last time I checked, you are unable to change the ratings.
Does this help?
David
Hi David,
That pretty much sounds spot on. Like most orgs we place a different value on the vulnerabilities we find, dependent on our risk appetite and operational requirements.
Basically I want to scan and grade the vulns without resorting to importing scan results into a third-party application (too time consuming and adds levels of complexity that I can well do without!).
Thanks for the reply.
Cheers.
Rob.
Let me know if you need assistance. One thing to keep in mind: if a vulnerability signature has, say, a rating of 3 and you alter it, and Qualys later "updates" the signature, it will not be updated in your account. You would need to go to that entry in the knowledge base and set it back to default. Then you can change the rating back to what you want.
I do have a script that works with a database for this but could post one that does not need a database and just checks for this condition.
David
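David's script is not reproduced in the thread, but the check he describes (a signature you customised has since been modified by Qualys, so the vendor update is no longer reflected in your account) can be run over a saved KnowledgeBase export. The following is an added example, not David's code and not a Qualys-provided tool. It assumes the KnowledgeBase XML carries `LAST_SERVICE_MODIFICATION_DATETIME` per `VULN` and a `LAST_CUSTOMIZATION/DATETIME` element for customised entries; check those element names against your own API output before relying on it. The sample XML is constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample in the shape of a Qualys KnowledgeBase list export.
# Element names are assumed; confirm them against a real export.
SAMPLE_KB_XML = """<KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
  <RESPONSE>
    <VULN_LIST>
      <VULN>
        <QID>100001</QID>
        <SEVERITY_LEVEL>4</SEVERITY_LEVEL>
        <TITLE>Constructed signature A, customised then updated by vendor</TITLE>
        <LAST_SERVICE_MODIFICATION_DATETIME>2015-03-01T10:00:00Z</LAST_SERVICE_MODIFICATION_DATETIME>
        <LAST_CUSTOMIZATION>
          <DATETIME>2015-01-15T09:00:00Z</DATETIME>
          <USER_LOGIN>rob</USER_LOGIN>
        </LAST_CUSTOMIZATION>
      </VULN>
      <VULN>
        <QID>100002</QID>
        <SEVERITY_LEVEL>5</SEVERITY_LEVEL>
        <TITLE>Constructed signature B, customised after last vendor update</TITLE>
        <LAST_SERVICE_MODIFICATION_DATETIME>2014-11-20T10:00:00Z</LAST_SERVICE_MODIFICATION_DATETIME>
        <LAST_CUSTOMIZATION>
          <DATETIME>2015-01-15T09:05:00Z</DATETIME>
          <USER_LOGIN>rob</USER_LOGIN>
        </LAST_CUSTOMIZATION>
      </VULN>
      <VULN>
        <QID>100003</QID>
        <SEVERITY_LEVEL>3</SEVERITY_LEVEL>
        <TITLE>Constructed signature C, never customised</TITLE>
        <LAST_SERVICE_MODIFICATION_DATETIME>2015-02-10T10:00:00Z</LAST_SERVICE_MODIFICATION_DATETIME>
      </VULN>
    </VULN_LIST>
  </RESPONSE>
</KNOWLEDGE_BASE_VULN_LIST_OUTPUT>
"""


def _parse_dt(text):
    """Parse the ISO-8601 UTC timestamps used in the sample."""
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ")


def find_stale_customizations(kb_xml):
    """Return the entries whose vendor-side modification is newer than the
    local customisation, i.e. the ones to reset to default and re-customise."""
    root = ET.fromstring(kb_xml)
    stale = []
    for vuln in root.iter("VULN"):
        custom = vuln.find("LAST_CUSTOMIZATION/DATETIME")
        if custom is None:
            continue  # never customised, so no local override to lose
        service_mod = _parse_dt(vuln.findtext("LAST_SERVICE_MODIFICATION_DATETIME"))
        customised = _parse_dt(custom.text)
        if service_mod > customised:
            stale.append({
                "qid": vuln.findtext("QID"),
                "severity": vuln.findtext("SEVERITY_LEVEL"),
                "customised": customised.isoformat(),
                "vendor_modified": service_mod.isoformat(),
            })
    return stale


if __name__ == "__main__":
    for entry in find_stale_customizations(SAMPLE_KB_XML):
        print("QID {qid} (severity {severity}): customised {customised}, "
              "vendor modified {vendor_modified}".format(**entry))
```

Run it against an export of the KnowledgeBase list from the API instead of the constructed sample; every QID it prints is one where the local override is now hiding a vendor change.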
Hi David,
If you have a script that can do this, I'd be very interested in having a look (if you don't mind!).
I understand re: Qualys changing a vuln level and not updating it if I have changed the level manually, and that makes sense. I think in the interim, I can happily live with that.
Rob.
I will work on it and post it as time permits. I think I wrote something on this already; you could try searching my name and PowerShell. It may not have been a full script but a write-up on it. I will take it as a challenge to make it a complete script on its own for the command line.
David
Hi David,
So I've been able to find a way to do this manually, but it's seemingly very messy and I'm not convinced it would be an effective use of time.
Had a look through your API\PowerShell posts, but can't seem to find any PowerShell scripts to run against the API.
Rob.
I will post an updated script at some point, but all my script did was detect when a vulnerability signature that had been modified had been subsequently modified by Qualys. This could lead to detection issues; it did not change the ratings. I have not investigated updating the risk on a signature via the API. Do you have that many updates? Maybe I don't properly understand your use case; could you elaborate on what you want to happen?
David
Hi David,
I hope I can clarify;
1. I run weekly\monthly internal scans using QualysGuard.
2. From the given results I want to be able to apply an internal value\weighting to a given vulnerability in line with how the business views the vulnerability.
At the moment if we want to do this I have to export the vulnerability scans into a third party application, and from there into a vuln tracker in Jira. What I want is to drop the intermediate third party app and assign any values within QualysGuard.
I hope that makes sense (it might not, I've not had any coffee yet this morning).
Rob.
ahh ok
I think I understand a little better. One thing is to change the rating of the vulnerability, say from a Severity 3 to a 5. But that is for the entire account. It sounds like you might have different business groups to account for. Then this is not the method you should use; it is only part.
What I think you're going to need to do, if you don't roll your own, is create an Asset Group for each business group. Now an IP can be in multiple groups.
When you create an Asset Group there is a section called Business / CVSS; if you look at the picture below it provides options to adjust the CVSS score relative to the impact or importance to the business.
You're looking primarily at the CVSS information. Now when you load data there will be another field for CVSS. You should use that in conjunction with the vulnerability risk rating when you're trying to determine what to work on. This allows, say, Business Group A, who has only a public facing web site for support, to indicate things like collateral damage might be low. Business Group B might have an SAP site and that would have a very high Collateral damage, integrity and confidentiality. So Group B would have a much higher CVSS Score than Group A.
Does that make sense and help?
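The picture David refers to is not reproduced in the thread. The Asset Group fields he names (collateral damage, confidentiality and integrity requirements) are the CVSS v2 environmental metrics, so the adjusted score Qualys shows per group follows the CVSS v2 environmental formula. The example below is added here and is not code from the thread or from Qualys: it implements that formula, treats the temporal metrics as Not Defined, and scores one constructed base vector for two constructed business groups chosen to match David's description (Group A: low collateral damage and low C/I/A requirements; Group B: high across the board). The group settings and the vector are assumptions for illustration.

```python
import math

# CVSS v2 metric weights, as published in the CVSS v2.0 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}        # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}         # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}        # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}       # Confidentiality/Integrity/Availability impact
# Environmental metrics: the per-group "Business / CVSS" settings.
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}  # Collateral Damage Potential
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}            # Target Distribution
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}                      # C/I/A Requirement


def round1(x):
    """Round half up to one decimal place, as the CVSS v2 spec requires."""
    return math.floor(x * 10 + 0.5) / 10


def parse_base(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a dict of metric values."""
    return dict(part.split(":") for part in vector.split("/"))


def _base_like_score(b, cr=1.0, ir=1.0, ar=1.0):
    """Base score equation; with requirement multipliers it yields the
    'adjusted base' used by the environmental equation."""
    impact = min(10.0, 10.41 * (1 - (1 - CIA[b["C"]] * cr)
                                  * (1 - CIA[b["I"]] * ir)
                                  * (1 - CIA[b["A"]] * ar)))
    exploitability = 20 * AV[b["AV"]] * AC[b["AC"]] * AU[b["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def cvss2_base(vector):
    return _base_like_score(parse_base(vector))


def cvss2_environmental(vector, cdp="ND", td="ND", cr="ND", ir="ND", ar="ND"):
    """Environmental score; temporal metrics are treated as Not Defined,
    so the adjusted temporal score equals the adjusted base score."""
    b = parse_base(vector)
    adjusted_temporal = _base_like_score(b, REQ[cr], REQ[ir], REQ[ar])
    return round1((adjusted_temporal + (10 - adjusted_temporal) * CDP[cdp]) * TD[td])


# Constructed business groups, assumed for illustration only.
GROUPS = {
    "Group A (public support site)": dict(cdp="L", td="H", cr="L", ir="L", ar="L"),
    "Group B (SAP)": dict(cdp="H", td="H", cr="H", ir="H", ar="H"),
}


def score_for_groups(vector, groups=GROUPS):
    """Environmental score of one vulnerability as each business group sees it."""
    return {name: cvss2_environmental(vector, **metrics) for name, metrics in groups.items()}


if __name__ == "__main__":
    vec = "AV:N/AC:L/Au:N/C:P/I:P/A:P"   # constructed example vector
    print("base:", cvss2_base(vec))
    for name, score in score_for_groups(vec).items():
        print(name, "->", score)
```

The same finding scores 7.5 at the base level but drops to 6.0 for Group A and rises to 9.4 for Group B, which is the per-group prioritisation David describes: the account-wide Qualys severity stays untouched and the group's own CVSS column carries the business weighting.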
I've stopped totally relying on Qualys' rating and generally rely on the CVSS scores. I've seen Qualys rate a vulnerability a 2 only to see that it has a CVSS score of a 9 or something. I'm starting to create reports by CVSS score rather than "Qualys Level"...
Jen, I recommend that you read this document: Qualys Severity Score vs CVSS Scoring
This explains why in certain cases the ratings from Qualys and CVSS are different - there are differences in the approach used for ranking and factors considered.