Hi,
Is there any guidance on how to show this cool new view?
Thanks
How to use the new view "Tech Security Vulnerability Analysis"
Hi,
Look at the Security Impact link here https://enterprise-architecture.org/howto.php.
Note: you have to make sure you are consistent with the NIST names, we're looking into how to simplify that, but for now it is a bit of a manual process looking at the NIST JSON structure - we suggest an exercise to do a one off data alignment then a process for updating new products as you bring them into the organisation
Look at the Security Impact link here https://enterprise-architecture.org/howto.php.
Note: you have to make sure you are consistent with the NIST names, we're looking into how to simplify that, but for now it is a bit of a manual process looking at the NIST JSON structure - we suggest an exercise to do a one off data alignment then a process for updating new products as you bring them into the organisation
Hi John,
Thanks for the response and happy new year 2020. After view hours of trying and viewing the XSL code, just realized that it needs the JSON spec v1.0 from NIST (the latest is version 1.1).
Have downloaded from https://static.nvd.nist.gov/feeds/json/ ... 9.json.zip, unzip and rename it to data.json in "user" folder (the unzipped version is around 289 Mb)
Have adjusted as well the "Technology Supplier", "Technology Product Family", and "Technology Provider Version" to the same information in the JSON file, however the view still show blank screen and only ".All" selection.
Is there any additional step that I might miss here.
Thanks
Thanks for the response and happy new year 2020. After view hours of trying and viewing the XSL code, just realized that it needs the JSON spec v1.0 from NIST (the latest is version 1.1).
Have downloaded from https://static.nvd.nist.gov/feeds/json/ ... 9.json.zip, unzip and rename it to data.json in "user" folder (the unzipped version is around 289 Mb)
Have adjusted as well the "Technology Supplier", "Technology Product Family", and "Technology Provider Version" to the same information in the JSON file, however the view still show blank screen and only ".All" selection.
Is there any additional step that I might miss here.
Thanks
Having the same problem, though i grabbed https://nvd.nist.gov/feeds/json/cve/1.1 ... 0.json.zip from https://nvd.nist.gov/vuln/data-feeds
uploaded the above as data.json (unzipped of course)
in the view I only get the option in 'Vendor' of .All
Testing this against a Tech product of "Windows 10" with Tech Provider Version "10" Family "Windows" Supplier "Microsoft"
Chrome F12 debug shows
could really do with a Youtube walkthrough Vid on this.
*EDIT* Adding the following to row 343 of core_el_security_posture.xsl allows me to see in web browser debug console that the productsJSON template is constructing "ok" example below
Note : Windows_10 and version "1709" are attempts to match the NIST format as per one entry "cpe23Uri" : "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*"
- yet still get the above error of Cannot read property 'vendor' of undefinednot case sensitive is it?
uploaded the above as data.json (unzipped of course)
in the view I only get the option in 'Vendor' of .All
Testing this against a Tech product of "Windows 10" with Tech Provider Version "10" Family "Windows" Supplier "Microsoft"
Chrome F12 debug shows
Code: Select all
Uncaught TypeError: Cannot read property 'vendor' of undefined
at report?XML=reportXML.xml&XSL=enterprise/core_el_security_posture.xsl&LABEL=Technology Security Vulnerability Analysis&cl=en-gb:1339
at Array.forEach (<anonymous>)
at doCompare (report?XML=reportXML.xml&XSL=enterprise/core_el_security_posture.xsl&LABEL=Technology Security Vulnerability Analysis&cl=en-gb:1338)
at Object.<anonymous> (report?XML=reportXML.xml&XSL=enterprise/core_el_security_posture.xsl&LABEL=Technology Security Vulnerability Analysis&cl=en-gb:1316)
at c (jquery-3.4.1.min.js:2)
at Object.fireWith [as resolveWith] (jquery-3.4.1.min.js:2)
at l (jquery-3.4.1.min.js:2)
at XMLHttpRequest.<anonymous> (jquery-3.4.1.min.js:2)
*EDIT* Adding the following
Code: Select all
{console.log(productsJSON);}Code: Select all
201:
appimpacts: []
busimpacts: []
id: "store_3_Class34072"
product: "Windows"
productName: "Windows_10"
vendor: "Microsoft"
version: "1709"
__proto__: Object
Note : Windows_10 and version "1709" are attempts to match the NIST format as per one entry "cpe23Uri" : "cpe:2.3:o:microsoft:windows_10:1709:*:*:*:*:*:*:*"
- yet still get the above error of Cannot read property 'vendor' of undefinednot case sensitive is it?
OK, we've worked out the issue, the JSON structure has recently changed, so the view won't work (they do say the JSON structure is beta). It's quite a significant change they have made so we are having to rewrite the view.
Apologies for that. We'll aim to get something out this week here and push it into the next release.
Apologies for that. We'll aim to get something out this week here and push it into the next release.
Ok, we've rewritten this, please treat this as early BETA. It has 3 tabs, one matches to exact products and versions you have in your repository, one to vendors you have in your repository, and the final one is hidden, if you click the button on the right hand side it adds a tab that has all the vendors and products in the loaded NVD file. You can check your repository data against this to make sure your families and products are named accordingly - we'll look into some fuzzy matching and also a simple way to load back into the repository at a later date.
You need to get the JSON files from here https://nvd.nist.gov/vuln/data-feeds#JSON_FEED, look under the JSON Feeds section. At the moment it's a bit manual, you will need to load in the files individually, we'll look at if we can do multiple files later, for now we suggest you run each file in as a one-off and check, then only run in modified files after that. You do need to rename the downloaded file to cvefile.json and put it in your user folder before you run the view.
Hopefully, that makes sense. Any feedback/ideas welcome, we will look to make this a little less manual, but it will give you an indication now as to any issues.
Any problems then let me know
John
You need to get the JSON files from here https://nvd.nist.gov/vuln/data-feeds#JSON_FEED, look under the JSON Feeds section. At the moment it's a bit manual, you will need to load in the files individually, we'll look at if we can do multiple files later, for now we suggest you run each file in as a one-off and check, then only run in modified files after that. You do need to rename the downloaded file to cvefile.json and put it in your user folder before you run the view.
Hopefully, that makes sense. Any feedback/ideas welcome, we will look to make this a little less manual, but it will give you an indication now as to any issues.
Any problems then let me know
John
You do not have the required permissions to view the files attached to this post.
Hi John,
Thanks for posting the update.
Running this updated view with https://nvd.nist.gov/feeds/json/cve/1.1 ... 9.json.zip as cvedata.json causes the webbrowser to hit 100% cpu and hang for... well it's not come back in 5 mins, so i'm going to say forever.
using it with
https://nvd.nist.gov/feeds/json/cve/1.1 ... t.json.zip (a much smaller file)
seems to work, but i can't get it to show anything in "Vulnerabilities" (i.e. match, vendor, product, and version) even when taking something from within the CVE file and adding it to the repo
it does seem to limit the vendor view to vendors we've got in our repo.
Thanks for posting the update.
Running this updated view with https://nvd.nist.gov/feeds/json/cve/1.1 ... 9.json.zip as cvedata.json causes the webbrowser to hit 100% cpu and hang for... well it's not come back in 5 mins, so i'm going to say forever.
using it with
https://nvd.nist.gov/feeds/json/cve/1.1 ... t.json.zip (a much smaller file)
seems to work, but i can't get it to show anything in "Vulnerabilities" (i.e. match, vendor, product, and version) even when taking something from within the CVE file and adding it to the repo
it does seem to limit the vendor view to vendors we've got in our repo.
We've made some performance improvements and it seems to be a lot quicker now - we had the first file running in about 10 mins, we have that down to about 10 seconds on our data set now by taking a slightly different approach.
Re 'I can't get it to show anything in "Vulnerabilities" (i.e. match, vendor, product, and version)' . For a Technology_Product, e.g. Ubuntu Linux v11, you need a Product Family, e.g. Ubuntu Linux, a version for the Technology Product, e.g. 11.04 and a vendor for the product, e.g. Canonical - we'll get a video up on this shortly
Re the vendor view, yes, is limited to your vendors in the repo rather than everything as there are lots of products in the files that you won't have, so it can get quite noisy as a view. If you are looking at vendors you don't have the repo you can either add them as a vendor, or you should use the CVE database https://cve.mitre.org/.
We could put a link back to CVE in the NVD list if that would help. Also, there is more data in NVD we could add, if it would be useful then let us know as it's generally quick to add them, such as:
"attackVector" : "LOCAL",
"attackComplexity" : "LOW"
We caution that too much info could be overwhelming and this should be used as a pointer to issues, so it may be best leaving some things out, but views welcome.
John
Re 'I can't get it to show anything in "Vulnerabilities" (i.e. match, vendor, product, and version)' . For a Technology_Product, e.g. Ubuntu Linux v11, you need a Product Family, e.g. Ubuntu Linux, a version for the Technology Product, e.g. 11.04 and a vendor for the product, e.g. Canonical - we'll get a video up on this shortly
Re the vendor view, yes, is limited to your vendors in the repo rather than everything as there are lots of products in the files that you won't have, so it can get quite noisy as a view. If you are looking at vendors you don't have the repo you can either add them as a vendor, or you should use the CVE database https://cve.mitre.org/.
We could put a link back to CVE in the NVD list if that would help. Also, there is more data in NVD we could add, if it would be useful then let us know as it's generally quick to add them, such as:
"attackVector" : "LOCAL",
"attackComplexity" : "LOW"
We caution that too much info could be overwhelming and this should be used as a pointer to issues, so it may be best leaving some things out, but views welcome.
John
You do not have the required permissions to view the files attached to this post.
Performance is much improved (it's working now 
and quicker than 10 secs )
There's definitely something different about how we use Tech Product and Tech Product family that we'll need to adapt - just having a think about what that means for us - might be too granular for our needs to map every version of product and then create family for each - we had families such as 'Oracle Java' and not 'Oracle Java 8' - equally we have things like "f5 BigIP" but dont go as far as "f5 big-ip advanced firewall manager, big-ip access policy manager, big-ip application acceleration manager"
anyway - we'll have a think
thx for the fix
and quicker than 10 secs )There's definitely something different about how we use Tech Product and Tech Product family that we'll need to adapt - just having a think about what that means for us - might be too granular for our needs to map every version of product and then create family for each - we had families such as 'Oracle Java' and not 'Oracle Java 8' - equally we have things like "f5 BigIP" but dont go as far as "f5 big-ip advanced firewall manager, big-ip access policy manager, big-ip application acceleration manager"
anyway - we'll have a think
thx for the fix
You can have multiple families, and shortly, we are going to extend the meta model to allow family hierarchies. That may help you but if not, if we can get the fuzzy matching working it should flag close matches and get over this issue.
We'll keep you posted
We'll keep you posted
More feedback
To get a match on wildcard version
had to put * value in the Technology Provider Version slot - rather than a numerical value
expectation: numerical versions would match any numerical version (as appropriate
To get a match on wildcard version
had to put * value in the Technology Provider Version slot - rather than a numerical value
expectation: numerical versions would match any numerical version (as appropriate
You do not have the required permissions to view the files attached to this post.
-
colinfrewen
- Posts: 67
- Joined: 10 Dec 2013, 01:22
- Location: Australia
Hi,
You have some grammatical errors in the report eg:
line 59:
<xsl:variable name="techProdListAsTableCatalogue" select="eas:get_report_by_name('Core: Technology Product Cataloigue as Table')"/>
Dosn't change the load routine but I thought you might want to know.
Regards
Colin
We love the report but have created versions that drop off version number and role to get the link back to technology_product quicker. It's a hack only.
You have some grammatical errors in the report eg:
line 59:
<xsl:variable name="techProdListAsTableCatalogue" select="eas:get_report_by_name('Core: Technology Product Cataloigue as Table')"/>
Dosn't change the load routine but I thought you might want to know.
Regards
Colin
We love the report but have created versions that drop off version number and role to get the link back to technology_product quicker. It's a hack only.
JohnM wrote: ↑08 Jan 2020, 16:38 We've made some performance improvements and it seems to be a lot quicker now - we had the first file running in about 10 mins, we have that down to about 10 seconds on our data set now by taking a slightly different approach.
Re 'I can't get it to show anything in "Vulnerabilities" (i.e. match, vendor, product, and version)' . For a Technology_Product, e.g. Ubuntu Linux v11, you need a Product Family, e.g. Ubuntu Linux, a version for the Technology Product, e.g. 11.04 and a vendor for the product, e.g. Canonical - we'll get a video up on this shortly
Re the vendor view, yes, is limited to your vendors in the repo rather than everything as there are lots of products in the files that you won't have, so it can get quite noisy as a view. If you are looking at vendors you don't have the repo you can either add them as a vendor, or you should use the CVE database https://cve.mitre.org/.
We could put a link back to CVE in the NVD list if that would help. Also, there is more data in NVD we could add, if it would be useful then let us know as it's generally quick to add them, such as:
"attackVector" : "LOCAL",
"attackComplexity" : "LOW"
We caution that too much info could be overwhelming and this should be used as a pointer to issues, so it may be best leaving some things out, but views welcome.
John
core_el_security_posture.xsl.zip
Hi John,
Many thanks for the update. I still got blank screen on "Vulnerabilities" view. However if I switch to "All", it show the same Vendor, Product and version as I entered in the Protege.
Attached is my input on Protege and the "All" view.
Appreciate your advise.
Thanks
Many thanks for the update. I still got blank screen on "Vulnerabilities" view. However if I switch to "All", it show the same Vendor, Product and version as I entered in the Protege.
Attached is my input on Protege and the "All" view.
Appreciate your advise.
Thanks
You do not have the required permissions to view the files attached to this post.
-
colinfrewen
- Posts: 67
- Joined: 10 Dec 2013, 01:22
- Location: Australia
Hi,
The All screen is only reading data from the cve file, the filter is then applied as a match and what is returned is the cve data with the impact as the link back to your actual data. Your data looks correct but in the cve file it excludes:
"cpe23Uri" : "cpe:2.3
sitecore:experience_platform:*:*:*:*:*:*:*:*",
"versionEndExcluding" : "9.1.1"
Try your version as 9.1.0 as your data looks correct. In order for the solution to work we use a table match that brings back cpe23URI view to ensure there is a table match. We have a custom form field (you can copy label but don't change lable and you need Supplier, Family, Version.
I think John said he would be creating a table at some point and use fuzzy matching. As a suggestion: We loaded the product family from the cve file and we modified the product family with a TYPE to use only the cve version or others we have loaded although we have been moving cve metadata as much as possible. Also: might look at linkages back to lifecycle and also a link to ensure impact is acknowledged and internal impact is noted.
Regards
Colin
The All screen is only reading data from the cve file, the filter is then applied as a match and what is returned is the cve data with the impact as the link back to your actual data. Your data looks correct but in the cve file it excludes:
"cpe23Uri" : "cpe:2.3
sitecore:experience_platform:*:*:*:*:*:*:*:*","versionEndExcluding" : "9.1.1"
Try your version as 9.1.0 as your data looks correct. In order for the solution to work we use a table match that brings back cpe23URI view to ensure there is a table match. We have a custom form field (you can copy label but don't change lable and you need Supplier, Family, Version.
I think John said he would be creating a table at some point and use fuzzy matching. As a suggestion: We loaded the product family from the cve file and we modified the product family with a TYPE to use only the cve version or others we have loaded although we have been moving cve metadata as much as possible. Also: might look at linkages back to lifecycle and also a link to ensure impact is acknowledged and internal impact is noted.
Regards
Colin
You do not have the required permissions to view the files attached to this post.
Hi Collin,
Thanks for the advise. Unfortunately I still have blank view after I changed the version to 9.1.0. I tried to put Canonical - Ubuntu Linux -12.04 as well in the Tech Product but it still show blank in the "Vulnerabilities" view. However it show the Canonical Ubuntu card in the "All" view.
I'm using the latest 6.8 metamodel but the instance viewer is still different than your screenshot.
Do I still missing something here?
Thanks.
Thanks for the advise. Unfortunately I still have blank view after I changed the version to 9.1.0. I tried to put Canonical - Ubuntu Linux -12.04 as well in the Tech Product but it still show blank in the "Vulnerabilities" view. However it show the Canonical Ubuntu card in the "All" view.
I'm using the latest 6.8 metamodel but the instance viewer is still different than your screenshot.
Do I still missing something here?
Thanks.
-
colinfrewen
- Posts: 67
- Joined: 10 Dec 2013, 01:22
- Location: Australia
Hi
Did you download the last version of the security posture report in the forum?
Colin
Did you download the last version of the security posture report in the forum?
Colin
-
colinfrewen
- Posts: 67
- Joined: 10 Dec 2013, 01:22
- Location: Australia
Hi,
If you paste an example to your last question. Our use case for interest. My CISO uses this report to report on our risks so we have focused on ensuring that the data matches across application provider, physical process, technology family, however:
We report on business risk! - we have modified report to show risk at a group actor level (users of the application provider that matches the risk across technology)
We use a heat map to overlay the match of the technology at risk with what we have in the organisation.
We have used some of the functionality from the duplication analysis report to match across the cve json and our applications.
Colin
If you paste an example to your last question. Our use case for interest. My CISO uses this report to report on our risks so we have focused on ensuring that the data matches across application provider, physical process, technology family, however:
We report on business risk! - we have modified report to show risk at a group actor level (users of the application provider that matches the risk across technology)
We use a heat map to overlay the match of the technology at risk with what we have in the organisation.
We have used some of the functionality from the duplication analysis report to match across the cve json and our applications.
Colin
-
colinfrewen
- Posts: 67
- Joined: 10 Dec 2013, 01:22
- Location: Australia
Hi Chris,
I will check with the team if they have time to scrub. We are a government agency and my security and risk group use these reports as a direct publication. We use full integration to an active directory and we embed into each page a per user permissions view and usage analytics. These reports are especially customized as we have a direct link to actions we take to minimize or mitigate the link. Unfortunately when we customized we didnt use our standard reference to our custom packages and these all sit in the pages... Long answer: We have to re-cut the customization before we can share, even with other agency;'s within the government.
As an example:
The external auditors access these views from our primary systems (we call them crown jewels) but we have to give them a token that they use for one off access.
I will share as I have done in the past, when the guys clean them up.
Colin
NOTE: We customize every page but we generally use standard modules we embed as a reference. When there is a new Viewer with new reports we sometimes customize one or two reports and then go back and standardize.
I will check with the team if they have time to scrub. We are a government agency and my security and risk group use these reports as a direct publication. We use full integration to an active directory and we embed into each page a per user permissions view and usage analytics. These reports are especially customized as we have a direct link to actions we take to minimize or mitigate the link. Unfortunately when we customized we didnt use our standard reference to our custom packages and these all sit in the pages... Long answer: We have to re-cut the customization before we can share, even with other agency;'s within the government.
As an example:
The external auditors access these views from our primary systems (we call them crown jewels) but we have to give them a token that they use for one off access.
I will share as I have done in the past, when the guys clean them up.
Colin
NOTE: We customize every page but we generally use standard modules we embed as a reference. When there is a new Viewer with new reports we sometimes customize one or two reports and then go back and standardize.
