As ASVs, a lot of what we do is shrouded in mystery and danger (well, at least the former of those two). Today, we would like to take a moment to let you in on some of the processes we use to deal with all those disputes you might have to submit.
Part of being an ASV means that we regularly process disputes that are submitted to us by our clients. Whenever possible, we need to remotely verify that what our clients tell us in their disputes is actually true. For that, we have a number of external validation tools such as nmap, Burp Suite, and so on.
Pointing a tool at an IP address and hitting “go” is the easy part. The trickier part is verifying something we can’t check remotely. In these cases, a client will usually provide evidence, such as a screenshot or terminal output, giving us the relevant information, such as the version of Apache they are running.
Verifying vendor patch notes and changelogs can be a very manual process. Backporting of patches can be tricky, so having a reliable process for such validation is a high priority. As one illustration, Red Hat is well known for backporting fixes, and we frequently need to check their excellent online resources to ensure our clients are indeed running unaffected versions of software.
After verifying the standardized nature of Red Hat’s online CVE listings, a script was produced to iterate over a list of CVEs, check the Red Hat website for patching information, and follow appropriate links for the Red Hat version provided. You can find the source code on the Coalfire Labs GitHub: https://github.com/Coalfire-Research/rhel.
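The part of such a check that is easy to get wrong is the version comparison itself: a backported fix on RHEL shows up only in the package release field, so comparing the upstream version (2.2.15 versus a "fixed in 2.4.x" note) or comparing strings lexically gives the wrong answer. The following is an added example, not the Coalfire script and not Red Hat's data: the CVE table, package strings and function names are constructed placeholders, and `rpmvercmp` follows rpm's segment rules (numeric segments compare as integers and beat alphabetic ones, `~` sorts before everything).

```python
import re

_SEG = re.compile(r"\d+|[a-zA-Z]+|~")  # rpm splits versions into digit runs, letter runs and '~'

def rpmvercmp(a: str, b: str) -> int:  # -1, 0 or 1, like rpm's rpmvercmp()
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":  # '~' (pre-release marker) sorts before anything else
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x.isdigit() != y.isdigit():  # a numeric segment is newer than an alphabetic one
            return 1 if x.isdigit() else -1
        c = (int(x) > int(y)) - (int(x) < int(y)) if x.isdigit() else (x > y) - (x < y)
        if c:
            return c
    rest = sa[len(sb):] or sb[len(sa):]  # one string is a prefix of the other
    if not rest:
        return 0
    if rest[0] == "~":  # a trailing '~' makes the longer string the older one
        return -1 if len(sa) > len(sb) else 1
    return 1 if len(sa) > len(sb) else -1

def parse_evr(pkg: str):  # 'name-[epoch:]version-release' -> (name, epoch, version, release)
    name, ver, rel = pkg.rsplit("-", 2)
    epoch, _, ver = ver.rpartition(":")  # epoch is '' when absent and defaults to 0
    return name, int(epoch or 0), ver, rel

def evr_cmp(installed: str, fixed: str) -> int:  # epoch, then version, then release
    (ni, ei, vi, ri), (nf, ef, vf, rf) = parse_evr(installed), parse_evr(fixed)
    if ni != nf:
        raise ValueError(f"different packages: {ni} vs {nf}")
    return (ei > ef) - (ei < ef) or rpmvercmp(vi, vf) or rpmvercmp(ri, rf)

# Constructed placeholder data in the shape the script would collect: for each CVE, the first
# fixed package per RHEL major version. Neither the CVE IDs nor the versions are real advisories.
FIXED = {
    "CVE-0000-0001": {"6": "httpd-0:2.2.15-60.el6", "7": "httpd-0:2.4.6-80.el7"},
    "CVE-0000-0002": {"7": "httpd-0:2.4.6-88.el7"},
}

def verify(cve: str, rhel_major: str, installed: str) -> str:
    """'patched', 'vulnerable', or 'unknown' (no data for that release: review by hand)."""
    fixed = FIXED.get(cve, {}).get(rhel_major)
    if fixed is None:
        return "unknown"
    return "patched" if evr_cmp(installed, fixed) >= 0 else "vulnerable"
```

Note that `verify("CVE-0000-0001", "6", "httpd-2.2.15-60.el6_9.4")` reports patched even though the upstream version 2.2.15 predates the fix, which is exactly the backport case the evidence review has to handle.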
A CoalfireOne Scanning Services employee can run this script in the background while verifying any provided evidence, reviewing comments, and so on. Once the script finishes, it’s a simple matter of reviewing output, as opposed to manually navigating to dozens and sometimes hundreds of individual web pages, clicking through as needed, etc.
The script also provides CVSS scoring and Denial-of-Service information at a glance to ensure we don’t miss any relevant information. After all, the ASV Program Guide dictates that we must not fail Denial-of-Service vulnerabilities.
Having automated solutions is great, unless no one takes the time to verify that they are producing accurate results. Rest assured that we would neither be so bold nor so lazy as to blindly accept the results of a script alone when it comes to our clients’ security. Neither, of course, should our clients blindly accept the results of a vulnerability scan! Automated solutions are great for providing quick, nearly effortless results, but those results should always be validated.