7 Replies Latest reply: Apr 18, 2012 6:37 AM by montrealpaul

    How do you do it: Reporting Vulns with Patches available vs vulns without patches available

    John M Sopp

      Just curious how everyone out there would accomplish the following:

      Taking all vulnerabilities [from a scan or set of scans] and tagging each as "Fixable by patch" or  "Not fixable by patch"

      "Fixable by patch" should include vulns which are patch-able, and have patches available that remediate the issue

      "Not fixable by patch" should include vulns which need patches for which patches have not been released, workaround available, and no available fix.

      I have already tried these three methods with results given:

      Method 1: Keyword filtering all results

      "Not fixable by patch" = a vuln with Recommendation having one or more of the following phrases: unaware of*patch*, *not aware of*patch*, *not aware of*update*, *unaware of*update*, *has not provide*patch*, *future security update*

      Else tag as "Fixable by patch"

      Result: So far the most accurate. Must keep up with maintenance of future keywords.

      Method 2: Asset report based on rule based vuln set using CVSS Remediation Level

      Generate an asset report based on the rule CVSS Remediation Level contains RL:ND, RL:T, RL:W, RL:U

      Copy out the MVIDs and compare them against the vulns.

      Result: Moderate accuracy. Report output still contains vulns for which a vendor has released a fix, for example upgrading a version of Adobe SVG Viewer.

      Method 3: Asset report based on rule based vuln set using "Patch Availability"

      Generate an asset report based on the rule Patch Availability = No patch available

      Copy out the MVIDs and compare them against the vulns.

      Result: Least accuracy. Report output still contains vulns for which a vendor has released a fix, for example upgrading a version of Adobe SVG Viewer. In one instance the generated list of vulns even contained vulns with "Install the patch from Microsoft" in the remediation field.

      Curious how to be accurate with a metric like this, leveraging what is available to us in MVM.

      Message was edited by: john.m.sopp on 1/27/12 2:11:14 PM EST
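The three methods in the post can be run side by side on exported scan data, which makes it easy to see where they disagree and which rows need a human look. The following is an added example written for this thread; it is not code from the original post or from MVM. It assumes a record with a free-text recommendation, a CVSS v2 temporal vector (where RL is the Remediation Level: OF = Official Fix, T = Temporary Fix, W = Workaround, U = Unavailable, ND = Not Defined) and an MVM-style "Patch Availability" field; the MVIDs and record contents are constructed for the example. The keyword list is the one from Method 1, with `*` treated as a wildcard.

```python
import re
from dataclasses import dataclass

# Method 1 keyword phrases exactly as listed in the post; '*' matches any text.
NOT_FIXABLE_PHRASES = [
    "unaware of*patch*",
    "*not aware of*patch*",
    "*not aware of*update*",
    "*unaware of*update*",
    "*has not provide*patch*",
    "*future security update*",
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Turn a '*'-wildcard phrase into a case-insensitive substring regex."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)


NOT_FIXABLE_RES = [wildcard_to_regex(p) for p in NOT_FIXABLE_PHRASES]


@dataclass
class Vuln:
    mvid: str                 # constructed identifier for the example
    recommendation: str       # free-text remediation field
    cvss_temporal: str        # CVSS v2 temporal vector, e.g. "E:POC/RL:OF/RC:C"
    patch_availability: str   # assumed MVM-style field value


def method1_keyword(v: Vuln) -> str:
    """Method 1: any 'no patch' phrase in the recommendation => not fixable."""
    if any(r.search(v.recommendation) for r in NOT_FIXABLE_RES):
        return "Not fixable by patch"
    return "Fixable by patch"


def remediation_level(temporal: str) -> str:
    """Extract the RL metric from a CVSS v2 temporal vector; 'ND' if absent."""
    m = re.search(r"(?:^|/)RL:([A-Z]+)", temporal)
    return m.group(1) if m else "ND"


def method2_cvss_rl(v: Vuln) -> str:
    """Method 2: RL:ND, RL:T, RL:W or RL:U => not fixable; only RL:OF counts as a patch."""
    if remediation_level(v.cvss_temporal) in {"ND", "T", "W", "U"}:
        return "Not fixable by patch"
    return "Fixable by patch"


def method3_patch_field(v: Vuln) -> str:
    """Method 3: trust the Patch Availability field as-is."""
    if v.patch_availability.strip().lower() == "no patch available":
        return "Not fixable by patch"
    return "Fixable by patch"


METHODS = {"keyword": method1_keyword, "cvss_rl": method2_cvss_rl,
           "patch_field": method3_patch_field}


def classify_all(vulns):
    """Label every vuln with all three methods: {mvid: {method: label}}."""
    return {v.mvid: {name: fn(v) for name, fn in METHODS.items()} for v in vulns}


def disagreements(results):
    """MVIDs whose labels differ between methods; these are the rows to review by hand."""
    return sorted(mvid for mvid, labels in results.items() if len(set(labels.values())) > 1)


# Constructed sample records reproducing the failure modes described in the post.
SAMPLE_VULNS = [
    # Method 3 false positive: the field says no patch, but the text says install one.
    Vuln("MVID-0001", "Install the patch from Microsoft.", "E:POC/RL:OF/RC:C", "No patch available"),
    # Method 2 false positive: an upgrade exists, but the temporal vector is not RL:OF.
    Vuln("MVID-0002", "Upgrade to a current version of Adobe SVG Viewer.", "E:U/RL:U/RC:C", "Patch available"),
    # Genuinely unpatched: all three methods agree.
    Vuln("MVID-0003", "The vendor has not provided a patch for this issue; restrict network access.", "E:POC/RL:W/RC:UR", "No patch available"),
    # No temporal vector at all (RL:ND) and a 'not aware of an update' recommendation.
    Vuln("MVID-0004", "We are not aware of a vendor-supplied update. Disable the service.", "", "No patch available"),
]

if __name__ == "__main__":
    results = classify_all(SAMPLE_VULNS)
    for mvid, labels in results.items():
        print(mvid, labels)
    print("review manually:", disagreements(results))
```

Running it shows MVID-0001 and MVID-0002 flagged for review, the two cases the post describes, while the genuinely unpatched records get the same label from all three methods. In practice the keyword list is the part that needs maintenance, so keeping it in one place (as above) and diffing the disagreement list between scan runs is a cheap way to spot new phrasings that the list does not yet cover.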