Security Score Card using Nuclei Automation

Introduction

Nuclei by Project Discovery is a great tool for automation, and I've started using it for automated vulnerability scanning and automated regression testing. I find it very useful to add customized templates and get accurate results. For complete automation, I've written a Python wrapper around my Nuclei test cases and added the script to the crontab. It may not be possible to automate 0-days, but once a bug is a 1-day you should have automation to check for it, or else someone else will find it.

The Idea of Score Card:

Everything works great, and my target is a fixed set of around 600 servers. I had the idea of building an executive-level dashboard that calculates a score from the results of the automation. So I started to build a score card using Site24x7.

The Logic:

The logic is a weighted sum of the categories of issues found.

For example, in a given scenario:

Severity   Score
High       60
Medium     30
Low        10

The formula for the score of each severity category:

(number of checks passed) * (risk score for the category) / (total number of checks performed in that category)

Summing the value for each category gives a total value < 100, which will be the Security Score of the application.


The Grading System:

Once the scoring is done, the next idea is to build a grading system. It is basically an executive-level score card: on seeing the grade, high-level management should be able to understand the security posture of a given application/vendor.

Grade   Score Range
A       > 95
B       80 to 95
C       60 to 80
D       50 to 60
E       40 to 50
F       <= 40
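
As an added example (not code from this post, the Python wrapper it mentions, or Nuclei itself), here is a small script that applies the scoring formula and grade bands above to Nuclei's JSON-lines output. It assumes the count of checks performed per severity is known from the wrapper's own run, treats each finding as one failed check, reads band edges as exclusive lower bounds, and uses constructed sample findings and counts; the template ids and hosts are made up.

```python
import json
from collections import Counter

# Weights from the post: High 60, Medium 30, Low 10 (they sum to 100).
WEIGHTS = {"high": 60, "medium": 30, "low": 10}
# Grade bands from the post, read as exclusive lower bounds: A > 95 ... E > 40, else F.
GRADE_BANDS = [(95, "A"), (80, "B"), (60, "C"), (50, "D"), (40, "E")]

# Constructed sample in the shape of nuclei JSON-lines output, trimmed to the fields used.
SAMPLE_FINDINGS = """\
{"template-id": "custom-auth-regression", "info": {"severity": "high"}, "host": "https://app1.example.test"}
{"template-id": "custom-debug-endpoint", "info": {"severity": "medium"}, "host": "https://app2.example.test"}
{"template-id": "missing-security-header", "info": {"severity": "low"}, "host": "https://app1.example.test"}
{"template-id": "missing-security-header", "info": {"severity": "low"}, "host": "https://app2.example.test"}
"""
# Assumed: checks performed per severity (templates x hosts), taken from the wrapper's run.
SAMPLE_CHECKS_PERFORMED = {"high": 10, "medium": 20, "low": 20}

def count_failed(jsonl_text):
    """Each nuclei finding is one failed check; count them per severity."""
    failed = Counter()
    for line in filter(str.strip, jsonl_text.splitlines()):
        severity = json.loads(line)["info"]["severity"].lower()
        if severity in WEIGHTS:
            failed[severity] += 1
    return failed

def security_score(checks_performed, failed):
    """Sum over severities of (checks passed * weight) / (checks performed)."""
    score = 0.0
    for severity, weight in WEIGHTS.items():
        total = checks_performed.get(severity, 0)
        passed = total - failed.get(severity, 0)
        # Assumption: a severity with no checks run keeps its full weight (this inflates the score).
        score += weight * passed / total if total else weight
    return round(score, 2)

def grade(score):
    """Map a score to the executive grade; thresholds are exclusive lower bounds."""
    for threshold, letter in GRADE_BANDS:
        if score > threshold:
            return letter
    return "F"

def score_card(jsonl_text, checks_performed):
    """Build the record the monitoring plugin would push: failures, score and grade."""
    failed = count_failed(jsonl_text)
    score = security_score(checks_performed, failed)
    return {"failed": dict(failed), "score": score, "grade": grade(score)}
```

For the sample, 1 of 10 high, 1 of 20 medium and 2 of 20 low checks fail, giving 54 + 28.5 + 9 = 91.5 and grade B.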


Add this to a Monitoring Solution:

Once all the scoring and grading is complete, the next step is reporting and sharing. For this I used Site24x7 Plugin Monitoring: I created a custom Plugin Monitor and started pushing the security score card data into the system, which really helps with alerting, dashboards and reporting. The score card looks something like the one below, which shows the list of High, Medium and Low severity issues and the corresponding grade of the application.



Conclusion:

Overall the idea turned out well for me. As a second step I'm planning to add more automation cases, cover more attack surfaces, and deliver complete attack surface monitoring and posture management to executives and top management.

It's important to automate the basic checks and the vulnerabilities that you have already discovered. Nuclei saves a lot of time in achieving this. Please share your comments and replies.


Please read part 1: How I used Nuclei to Automate Basic Security Checks


Comments

  1. Writing a custom template makes it very specific in nature. I mean, if you found a vulnerability on an app, you can document the HTTP definition, but can it be used for another app?
    I understand that nuclei may fit for re-run, not for reuse. Any thoughts?

    Replies
    1. Hi,
      It is not possible to reuse custom templates on a different app. I primarily use the custom templates for regression.

      With respect to reuse, if you find a bug in a common library that can be run/tested over different apps, then you can push it to the community GitHub page for others' use (this case is a zero-day).

      My scenario is to build a framework for scoring that will take into account different factors and attack surfaces.

      Different factors:
      1. Static analysis
      2. Nuclei community templates
      3. Custom templates
      4. Open bugs

      and running over around 500 servers at regular intervals.

    2. If the above reply is not clear, please let me know. I'll share further details.

    3. Okay Vinoth. Got it. Thanks.

