How to use the new view "Tech Security Vulnerability Analysis"

Post Reply
xeonk
Posts: 12
Joined: 17 Sep 2019, 14:37

Hi,

Is there any guidance on how to show this cool new view?

Thanks
JohnM
Posts: 472
Joined: 17 Feb 2009, 20:19

Hi,

Look at the Security Impact link here https://enterprise-architecture.org/howto.php.

Note: you have to make sure you are consistent with the NIST names, we're looking into how to simplify that, but for now it is a bit of a manual process looking at the NIST JSON structure - we suggest an exercise to do a one off data alignment then a process for updating new products as you bring them into the organisation
xeonk
Posts: 12
Joined: 17 Sep 2019, 14:37

Hi John,

Thanks for the response and happy new year 2020. After view hours of trying and viewing the XSL code, just realized that it needs the JSON spec v1.0 from NIST (the latest is version 1.1).

Have downloaded from https://static.nvd.nist.gov/feeds/json/ ... 9.json.zip, unzip and rename it to data.json in "user" folder (the unzipped version is around 289 Mb)

Have adjusted as well the "Technology Supplier", "Technology Product Family", and "Technology Provider Version" to the same information in the JSON file, however the view still show blank screen and only ".All" selection.

Is there any additional step that I might miss here.

Thanks
closch
Posts: 44
Joined: 09 Jan 2018, 14:30

Having the same problem, though i grabbed https://nvd.nist.gov/feeds/json/cve/1.1 ... 0.json.zip from https://nvd.nist.gov/vuln/data-feeds

uploaded the above as data.json (unzipped of course)

in the view I only get the option in 'Vendor' of .All

Testing this against a Tech product of "Windows 10" with Tech Provider Version "10" Family "Windows" Supplier "Microsoft"

Chrome F12 debug shows

Code: Select all

Uncaught TypeError: Cannot read property 'vendor' of undefined
    at report?XML=reportXML.xml&XSL=enterprise/core_el_security_posture.xsl&LABEL=Technology Security Vulnerability Analysis&cl=en-gb:1339
    at Array.forEach (<anonymous>)
    at doCompare (report?XML=reportXML.xml&XSL=enterprise/core_el_security_posture.xsl&LABEL=Technology Security Vulnerability Analysis&cl=en-gb:1338)
    at Object.<anonymous> (report?XML=reportXML.xml&XSL=enterprise/core_el_security_posture.xsl&LABEL=Technology Security Vulnerability Analysis&cl=en-gb:1316)
    at c (jquery-3.4.1.min.js:2)
    at Object.fireWith [as resolveWith] (jquery-3.4.1.min.js:2)
    at l (jquery-3.4.1.min.js:2)
    at XMLHttpRequest.<anonymous> (jquery-3.4.1.min.js:2)
could really do with a Youtube walkthrough Vid on this.

*EDIT* Adding the following

Code: Select all

{console.log(productsJSON);}
to row 343 of core_el_security_posture.xsl allows me to see in web browser debug console that the productsJSON template is constructing "ok" example below

Code: Select all

201:
appimpacts: []
busimpacts: []
id: "store_3_Class34072"
product: "Windows"
productName: "Windows_10"
vendor: "Microsoft"
version: "1709"
__proto__: Object

Note : Windows_10 and version "1709" are attempts to match the NIST format as per one entry "cpe23Uri" : "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*"

- yet still get the above error of Cannot read property 'vendor' of undefinednot case sensitive is it?
JohnM
Posts: 472
Joined: 17 Feb 2009, 20:19

Leave this with us. I’ll speak to the developer and come back to you.
JohnM
Posts: 472
Joined: 17 Feb 2009, 20:19

OK, we've worked out the issue, the JSON structure has recently changed, so the view won't work (they do say the JSON structure is beta). It's quite a significant change they have made so we are having to rewrite the view.

Apologies for that. We'll aim to get something out this week here and push it into the next release.
closch
Posts: 44
Joined: 09 Jan 2018, 14:30

thx for the update
xeonk
Posts: 12
Joined: 17 Sep 2019, 14:37

Thanks for the update
JohnM
Posts: 472
Joined: 17 Feb 2009, 20:19

Ok, we've rewritten this, please treat this as early BETA. It has 3 tabs, one matches to exact products and versions you have in your repository, one to vendors you have in your repository, and the final one is hidden, if you click the button on the right hand side it adds a tab that has all the vendors and products in the loaded NVD file. You can check your repository data against this to make sure your families and products are named accordingly - we'll look into some fuzzy matching and also a simple way to load back into the repository at a later date.

You need to get the JSON files from here https://nvd.nist.gov/vuln/data-feeds#JSON_FEED, look under the JSON Feeds section. At the moment it's a bit manual, you will need to load in the files individually, we'll look at if we can do multiple files later, for now we suggest you run each file in as a one-off and check, then only run in modified files after that. You do need to rename the downloaded file to cvefile.json and put it in your user folder before you run the view.

Hopefully, that makes sense. Any feedback/ideas welcome, we will look to make this a little less manual, but it will give you an indication now as to any issues.

Any problems then let me know

John

core_el_security_posture_v2.xsl.zip
You do not have the required permissions to view the files attached to this post.
closch
Posts: 44
Joined: 09 Jan 2018, 14:30

Hi John,

Thanks for posting the update.

Running this updated view with https://nvd.nist.gov/feeds/json/cve/1.1 ... 9.json.zip as cvedata.json causes the webbrowser to hit 100% cpu and hang for... well it's not come back in 5 mins, so i'm going to say forever.

using it with
https://nvd.nist.gov/feeds/json/cve/1.1 ... t.json.zip (a much smaller file)

seems to work, but i can't get it to show anything in "Vulnerabilities" (i.e. match, vendor, product, and version) even when taking something from within the CVE file and adding it to the repo

it does seem to limit the vendor view to vendors we've got in our repo.
JohnM
Posts: 472
Joined: 17 Feb 2009, 20:19

We've made some performance improvements and it seems to be a lot quicker now - we had the first file running in about 10 mins, we have that down to about 10 seconds on our data set now by taking a slightly different approach.

Re 'I can't get it to show anything in "Vulnerabilities" (i.e. match, vendor, product, and version)' . For a Technology_Product, e.g. Ubuntu Linux v11, you need a Product Family, e.g. Ubuntu Linux, a version for the Technology Product, e.g. 11.04 and a vendor for the product, e.g. Canonical - we'll get a video up on this shortly

Re the vendor view, yes, is limited to your vendors in the repo rather than everything as there are lots of products in the files that you won't have, so it can get quite noisy as a view. If you are looking at vendors you don't have the repo you can either add them as a vendor, or you should use the CVE database https://cve.mitre.org/.

We could put a link back to CVE in the NVD list if that would help. Also, there is more data in NVD we could add, if it would be useful then let us know as it's generally quick to add them, such as:
"attackVector" : "LOCAL",
"attackComplexity" : "LOW"

We caution that too much info could be overwhelming and this should be used as a pointer to issues, so it may be best leaving some things out, but views welcome.

John
core_el_security_posture.xsl.zip
You do not have the required permissions to view the files attached to this post.
closch
Posts: 44
Joined: 09 Jan 2018, 14:30

Performance is much improved (it's working now :) and quicker than 10 secs )

There's definitely something different about how we use Tech Product and Tech Product family that we'll need to adapt - just having a think about what that means for us - might be too granular for our needs to map every version of product and then create family for each - we had families such as 'Oracle Java' and not 'Oracle Java 8' - equally we have things like "f5 BigIP" but dont go as far as "f5 big-ip advanced firewall manager, big-ip access policy manager, big-ip application acceleration manager"

anyway - we'll have a think
thx for the fix
JohnM
Posts: 472
Joined: 17 Feb 2009, 20:19

You can have multiple families, and shortly, we are going to extend the meta model to allow family hierarchies. That may help you but if not, if we can get the fuzzy matching working it should flag close matches and get over this issue.

We'll keep you posted
closch
Posts: 44
Joined: 09 Jan 2018, 14:30

More feedback

To get a match on wildcard version
Screenshot_1.png
had to put * value in the Technology Provider Version slot - rather than a numerical value
Screenshot_2.png
expectation: numerical versions would match any numerical version (as appropriate
You do not have the required permissions to view the files attached to this post.
colinfrewen
Posts: 67
Joined: 10 Dec 2013, 01:22
Location: Australia

Hi,

You have some grammatical errors in the report eg:
line 59:
<xsl:variable name="techProdListAsTableCatalogue" select="eas:get_report_by_name('Core: Technology Product Cataloigue as Table')"/>

Dosn't change the load routine but I thought you might want to know.

Regards
Colin

We love the report but have created versions that drop off version number and role to get the link back to technology_product quicker. It's a hack only.




JohnM wrote: 08 Jan 2020, 16:38 We've made some performance improvements and it seems to be a lot quicker now - we had the first file running in about 10 mins, we have that down to about 10 seconds on our data set now by taking a slightly different approach.

Re 'I can't get it to show anything in "Vulnerabilities" (i.e. match, vendor, product, and version)' . For a Technology_Product, e.g. Ubuntu Linux v11, you need a Product Family, e.g. Ubuntu Linux, a version for the Technology Product, e.g. 11.04 and a vendor for the product, e.g. Canonical - we'll get a video up on this shortly

Re the vendor view, yes, is limited to your vendors in the repo rather than everything as there are lots of products in the files that you won't have, so it can get quite noisy as a view. If you are looking at vendors you don't have the repo you can either add them as a vendor, or you should use the CVE database https://cve.mitre.org/.

We could put a link back to CVE in the NVD list if that would help. Also, there is more data in NVD we could add, if it would be useful then let us know as it's generally quick to add them, such as:
"attackVector" : "LOCAL",
"attackComplexity" : "LOW"

We caution that too much info could be overwhelming and this should be used as a pointer to issues, so it may be best leaving some things out, but views welcome.

John

core_el_security_posture.xsl.zip
JohnM
Posts: 472
Joined: 17 Feb 2009, 20:19

Thanks Colin, I'll get this logged.

Also, any chance you can share your version?

Thanks

John
xeonk
Posts: 12
Joined: 17 Sep 2019, 14:37

Protege.png
Hi John,

Many thanks for the update. I still got blank screen on "Vulnerabilities" view. However if I switch to "All", it show the same Vendor, Product and version as I entered in the Protege.

Attached is my input on Protege and the "All" view.

Appreciate your advise.

Thanks
You do not have the required permissions to view the files attached to this post.
colinfrewen
Posts: 67
Joined: 10 Dec 2013, 01:22
Location: Australia

Hi,

The All screen is only reading data from the cve file, the filter is then applied as a match and what is returned is the cve data with the impact as the link back to your actual data. Your data looks correct but in the cve file it excludes:

"cpe23Uri" : "cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*:*",
"versionEndExcluding" : "9.1.1"

Try your version as 9.1.0 as your data looks correct. In order for the solution to work we use a table match that brings back cpe23URI view to ensure there is a table match. We have a custom form field (you can copy label but don't change lable and you need Supplier, Family, Version.

I think John said he would be creating a table at some point and use fuzzy matching. As a suggestion: We loaded the product family from the cve file and we modified the product family with a TYPE to use only the cve version or others we have loaded although we have been moving cve metadata as much as possible. Also: might look at linkages back to lifecycle and also a link to ensure impact is acknowledged and internal impact is noted.

Regards
Colin
You do not have the required permissions to view the files attached to this post.
xeonk
Posts: 12
Joined: 17 Sep 2019, 14:37

Hi Collin,

Thanks for the advise. Unfortunately I still have blank view after I changed the version to 9.1.0. I tried to put Canonical - Ubuntu Linux -12.04 as well in the Tech Product but it still show blank in the "Vulnerabilities" view. However it show the Canonical Ubuntu card in the "All" view.

I'm using the latest 6.8 metamodel but the instance viewer is still different than your screenshot.

Do I still missing something here?

Thanks.
colinfrewen
Posts: 67
Joined: 10 Dec 2013, 01:22
Location: Australia

Hi

Did you download the last version of the security posture report in the forum?

Colin
xeonk
Posts: 12
Joined: 17 Sep 2019, 14:37

Yes, already the latest xsl from this forum.

Is there any cache or temp file to clear? If not maybe some debugging tips to sort this out?

Thank you.
JohnM
Posts: 472
Joined: 17 Feb 2009, 20:19

I suspect it's your Product Family Name, if you use 'experience platform' rather than 'experience_platform' (the underscore is the issue) I think it should work. I've just replicated your issue and this was the issue.

Let me know if that works
xeonk
Posts: 12
Joined: 17 Sep 2019, 14:37

Thanks Colin, it works! So in summary the view is based on the "Affected Version" from the CVE file?

How about if the "Affected Version" is "No Information" but the "Version" is stated such Windows server 2008 with "version: r2"?

Thanks for the advise.
colinfrewen
Posts: 67
Joined: 10 Dec 2013, 01:22
Location: Australia

Hi,

If you paste an example to your last question. Our use case for interest. My CISO uses this report to report on our risks so we have focused on ensuring that the data matches across application provider, physical process, technology family, however:

We report on business risk! - we have modified report to show risk at a group actor level (users of the application provider that matches the risk across technology)
We use a heat map to overlay the match of the technology at risk with what we have in the organisation.
We have used some of the functionality from the duplication analysis report to match across the cve json and our applications.

Colin
closch
Posts: 44
Joined: 09 Jan 2018, 14:30

Hey Colin,

Sounds very interesting, are you able to provide a copy of the customisations?

Chris
colinfrewen
Posts: 67
Joined: 10 Dec 2013, 01:22
Location: Australia

Hi Chris,

I will check with the team if they have time to scrub. We are a government agency and my security and risk group use these reports as a direct publication. We use full integration to an active directory and we embed into each page a per user permissions view and usage analytics. These reports are especially customized as we have a direct link to actions we take to minimize or mitigate the link. Unfortunately when we customized we didnt use our standard reference to our custom packages and these all sit in the pages... Long answer: We have to re-cut the customization before we can share, even with other agency;'s within the government.

As an example:
The external auditors access these views from our primary systems (we call them crown jewels) but we have to give them a token that they use for one off access.

I will share as I have done in the past, when the guys clean them up.

Colin

NOTE: We customize every page but we generally use standard modules we embed as a reference. When there is a new Viewer with new reports we sometimes customize one or two reports and then go back and standardize.
closch
Posts: 44
Joined: 09 Jan 2018, 14:30

Hi Colin,

Understood, I can appreciate that may be no small undertaking - any effort is appreciated.

@EAS - We could really do with a custom view sharing repo where we can build on eachohers views.

Chris
JohnM
Posts: 472
Joined: 17 Feb 2009, 20:19

Thanks Chris,

The team are going to look into setting up a git repository, it's likely to be after the next release before they can look at this, so probably towards the end of next month. I'll keep you updated.

John
Post Reply