Pulling Back the Curtain

Travis Finn, Consultant, CoalfireOne Scanning Services

As ASVs, a lot of what we do is shrouded in mystery and danger (well, at least the former of those two). Today, we would like to take a moment to let you in on some of the processes we use to deal with all those disputes you might have to submit.

The Scenario

Part of being an ASV means that we regularly process disputes that are submitted to us by our clients. Whenever possible, we need to remotely verify that what our clients tell us in their disputes is actually true. For that, we have a number of external validation tools such as nmap, Burp Suite, and so on.

Pointing a tool at an IP address and hitting “go” is the easy part. The trickier part is verifying something we can’t validate. In these cases, a client will usually provide evidence, such as a screenshot or terminal output, to give us some piece of relevant information, such as the version of Apache they are running.

The Problem

Verifying vendor patch notes and changelogs can be a very manual process. Backporting of patches can be tricky, so focusing on process for such validation is a high priority. As one illustration, Red Hat is well known for backporting fixes, and we frequently need to check their excellent online resources to ensure our clients are indeed running unaffected versions of software.

The Solution

After verifying the standardized nature of Red Hat’s online CVE listings, a script was produced to iterate over a list of CVEs, check the Red Hat website for patching information, and follow appropriate links for the Red Hat version provided. You can find the source code on the Coalfire Labs github: https://github.com/Coalfire-Research/rhel.

click to enlarge image

A CoalfireOne Scanning Services employee can run this script in the background while verifying any provided evidence, reviewing comments, and so on. Once the script finishes, it’s a simple matter of reviewing output, as opposed to manually navigating to dozens and sometimes hundreds of individual web pages, clicking through as needed, etc.

The script also provides CVSS scoring and Denial-of-Service information at a glance to ensure we don’t miss any relevant information. After all, the ASV Program Guide dictates that we must not fail Denial-of-Service vulnerabilities.

The Aftermath

Having automated solutions is great, unless no one takes the time to verify that they are producing accurate results. Rest assured that we would neither be so bold nor so lazy as to blindly accept the results of a script alone when it comes to our clients’ security. Neither, of course, should our clients blindly accept the results of a vulnerability scan! Automated solutions are great for providing quick, nearly effortless results, but those results should always be validated.

Travis Finn


Travis Finn — Consultant, CoalfireOne Scanning Services

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS