Vulnerability Correlation - Why you need it more than you think

DevSecOps, Vulnerability Correlation
Abhay Bhargav | September 05, 2018


If you run or manage an Application Security Program within your company, you have probably faced the problem of managing vulnerabilities reported by multiple tools, especially if your program includes Static Testing (SAST), Dynamic Testing (DAST) and Source Composition Scanning.

You identify these vulnerabilities in your application stack with various tools, you triage the flaws to make sure there are no false positives, and then you slice and dice all of the datasets, remove duplicates, compile them in Excel spreadsheets (yes, spreadsheets) and send them over to your Dev/Ops team to fix and report back on. You spend a LOT of time getting this done EVERY.SINGLE.TIME. What’s worse? Recently, your company decided to do some security automation, so all of these results now come in every night, and you need to repeat these tasks at breakneck speed.

If you are facing this, or something like this, you may want to read on.

Information overload was something we often ran into as a penetration testing team. We ran scores of tools against our targets, and when it was time to report the findings we had to deal with a ton of information, resulting in several man-hours spent reporting and managing results. We were tired of doing this. That's when we decided to build our own tool, internally called VMA, or (not very creatively) Vulnerability Management App. This app allowed our team members to upload results, automatically de-duplicate them and correlate findings from across various tools. So an SQL injection detected by Burp Suite Pro was not repeated when OWASP ZAP had the same finding. This saved a minimum of 8 hours of reporting on every pentest, which is huge for a team engaged in pentesting only.

We realized that the average AppSec team spends a ton of time on similar activities. And since we had already built a great tool internally, we thought, “why not share this solution with the rest of the world?” Out of that effort came Orchestron.

Orchestron was built on two simple statements: “Find Bugs Early; Fix Bugs Early”. Especially with our deep foray into Continuous Application Security/DevSecOps, we realised that there was a real need for tools that would make vulnerability management feel almost magical, without someone tearing their hair out.

Today, we are thrilled to release the Open Source version of Orchestron, called Orchestron Community. This version of the product is similar to our Enterprise Version, with most of the same great features that have made Orchestron an invaluable part of many product teams’ security portfolio.

Correlation: Orchestron automatically correlates vulnerabilities from across different sources. Most tools attach a CWE (Common Weakness Enumeration) value to each vulnerability. Orchestron uses this value to correlate findings automatically and intelligently, giving you more relevant and focused results, which helps you identify and mitigate security issues faster. In fact, in the Enterprise version of Orchestron, even if your tool does not provide accurate vulnerability information, our correlation engine figures it out for you and places the vulnerability in the right category.

Webhooks: Through a feature called “Webhooks”, Orchestron lets you push results from multiple SAST, DAST and Source Composition Analysis tools into Orchestron for managing and correlating. The Community version supports tools that provide a CWE value. Even for tools that Orchestron does not integrate with, Orchestron provides a convenient taxonomy you can use to push results as JSON, making it easy to work with unsupported tools. With Community, we also invite contributors to add to our existing arsenal of supported tools and parsers.
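To make the de-duplication and CWE-based correlation described above concrete, here is an added example in Python. It is not Orchestron's code and does not use Orchestron's taxonomy or webhook format; the three scanner output shapes (`BURP_STYLE`, `ZAP_STYLE`, `SAST_STYLE`), the `Finding` schema and the field names are all constructed for illustration. It normalises each tool's records into one shape, merges records that describe the same weakness at the same location (keeping the highest severity and the list of tools that agreed), and then groups the unique findings by CWE, keeping findings without a CWE in a separate bucket because they cannot be correlated that way.

```python
"""De-duplicate and correlate findings from several scanners by CWE.

Added example, not Orchestron's code. All input records below are
constructed; real tools emit richer, differently named fields.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
SAST_LEVELS = {"error": "high", "warning": "medium", "note": "low"}  # hypothetical mapping

# Constructed sample records (hypothetical shapes, not real tool output).
BURP_STYLE = [
    {"issue": "SQL injection", "cwe": 89, "url": "https://app.example/login", "param": "user", "severity": "High"},
    {"issue": "Cross-site scripting (reflected)", "cwe": 79, "url": "https://app.example/search", "param": "q", "severity": "High"},
]
ZAP_STYLE = [
    {"alert": "SQL Injection", "cweid": "89", "uri": "https://app.example/login?user=x", "param": "user", "risk": "Medium"},
    {"alert": "X-Content-Type-Options Header Missing", "cweid": "16", "uri": "https://app.example/", "param": "", "risk": "Low"},
    {"alert": "Custom informational alert", "cweid": "", "uri": "https://app.example/static/app.js", "param": "", "risk": "Low"},
]
SAST_STYLE = [
    {"rule": "sql-injection", "cwe": "CWE-89", "file": "src/auth/login.py", "line": 42, "level": "error"},
]


@dataclass(frozen=True)
class Finding:
    """One record from one tool, reduced to the fields needed for correlation."""
    tool: str
    cwe: Optional[int]
    title: str
    location: str   # URL without query string, or source file path
    evidence: str   # parameter name or source line, kept for the developer
    severity: str


@dataclass
class UniqueFinding:
    """One weakness at one location, possibly reported by several tools."""
    cwe: Optional[int]
    location: str
    evidence: str
    title: str
    severity: str
    tools: List[str] = field(default_factory=list)


def parse_cwe(raw) -> Optional[int]:
    """Accept 89, "89" or "CWE-89"; return None when the tool gave nothing."""
    if raw is None or raw == "":
        return None
    digits = str(raw).upper().replace("CWE-", "")
    return int(digits) if digits.isdigit() else None


def normalise_url(url: str) -> str:
    """Drop the query string so /login?user=x and /login correlate."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}{p.path}"


def from_burp(records) -> List[Finding]:
    return [Finding("burp", parse_cwe(r["cwe"]), r["issue"], normalise_url(r["url"]),
                    r["param"], r["severity"].lower()) for r in records]


def from_zap(records) -> List[Finding]:
    return [Finding("zap", parse_cwe(r["cweid"]), r["alert"], normalise_url(r["uri"]),
                    r["param"], r["risk"].lower()) for r in records]


def from_sast(records) -> List[Finding]:
    return [Finding("sast", parse_cwe(r["cwe"]), r["rule"], r["file"],
                    f"line {r['line']}", SAST_LEVELS.get(r["level"], "info")) for r in records]


def deduplicate(findings: List[Finding]) -> List[UniqueFinding]:
    """Merge records sharing (CWE, location, evidence); keep the worst severity."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.location, f.evidence)
        u = merged.get(key)
        if u is None:
            merged[key] = UniqueFinding(f.cwe, f.location, f.evidence, f.title, f.severity, [f.tool])
            continue
        if f.tool not in u.tools:
            u.tools.append(f.tool)
        if SEVERITY_RANK[f.severity] > SEVERITY_RANK[u.severity]:
            u.severity = f.severity
    return list(merged.values())


def correlate_by_cwe(uniques: List[UniqueFinding]):
    """Group unique findings by CWE; key None collects findings with no CWE."""
    groups = defaultdict(list)
    for u in uniques:
        groups[u.cwe].append(u)
    return dict(groups)


if __name__ == "__main__":
    all_findings = from_burp(BURP_STYLE) + from_zap(ZAP_STYLE) + from_sast(SAST_STYLE)
    for cwe, items in sorted(correlate_by_cwe(deduplicate(all_findings)).items(),
                             key=lambda kv: (kv[0] is None, kv[0] or 0)):
        print(f"CWE-{cwe}" if cwe is not None else "no CWE (uncorrelated)")
        for u in items:
            print(f"  [{u.severity}] {u.title} @ {u.location} ({u.evidence}) from {', '.join(u.tools)}")
```

Keying de-duplication on the parameter or line as well as the CWE and location is deliberately strict: it avoids silently collapsing two distinct injection points on the same page into one ticket. The CWE grouping on top of that is what gives a developer the "fix this class of bug everywhere" view, while findings that arrive without a CWE stay visible rather than being dropped.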

All API: At we45, we spend a lot of time trying to automate things, so we’re all about “Show us the API”. Orchestron is all API! You can do literally everything, from creating apps and projects to pushing and pulling results, with Orchestron’s API. We are committed to automation, and this is a small effort from our side.

Integrations with JIRA: Orchestron Community supports integration with JIRA, where you can push vulnerabilities to JIRA for higher visibility and access to developer workflows. Orchestron Enterprise adds full two-way sync of issue states with JIRA and GitHub.


Get Started with Orchestron