Risk Based Security VulnDB

Risk Based Security (RBS) provides detailed information and analysis on Vulnerability Intelligence, Data Breaches, and Vendor Risk Ratings. Our products, VulnDB and Cyber Risk Analytics (CRA), provide organizations access to the most comprehensive vulnerability and vendor risk knowledge bases available, including advanced search capabilities, access to raw data via RESTful API, and email alerting to assist organizations in taking the right actions in a timely manner.

VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest security vulnerabilities. VulnDB allows organizations to search for and be alerted to the latest vulnerabilities, both in end-user software and in the third-party libraries or dependencies that developers use to build applications. A subscription to VulnDB provides organizations with simple-to-understand ratings and metrics on both vendors and products, and how each contributes to the organization’s risk profile and cost of ownership.

Release history

Last updated: February 2019

Solution summary

When a new vulnerability is disclosed, organizations need to know if and where they are impacted without having to do a vulnerability scan of their environment. VulnDB contains over 65,000 additional vulnerabilities not found in the frequently relied-upon Common Vulnerabilities and Exposures (CVE) database and a much higher degree of information for each vulnerability, providing the richest, most complete vulnerability intelligence available. VulnDB helps customers better address points of risk across their organization – from application development and IT infrastructure management to security operations, vendor risk management, and procurement.

Instead of relying on legacy vulnerability scanning, the VulnDB integration with Archer allows organizations to easily map vulnerability data to the assets and vendors in their environment and quickly identify if a newly disclosed vulnerability will impact them. Armed with this insight, organizations can efficiently prioritize and plan remediation activities, and also quickly identify relevant vulnerability data during security incident response activities.

Benefits

  • Access to a richer and more timely pool of vulnerability intelligence than is available from CVE/NVD and other sources.

  • Insight into vulnerabilities that could pose risk to an organization without the need for an additional vulnerability scan.

  • Ability to more effectively and efficiently prioritize vulnerabilities to be remediated.

Partner Integration Overview

  • Archer Solution: IT Security Vulnerabilities Program
  • Archer Use Case: IT Security Risk Management
  • Archer Applications: Vulnerability Library
  • Uses Custom Application: No
  • Requires On-Demand License: No

Prerequisites

A subscription to VulnDB with the API access feature is required to use the VulnDB Data Feed for Archer ITSVP.

In addition, the Archer Vulnerability Library application is required for installation and operation of the VulnDB Data Feed for the Archer IT Security Vulnerabilities Program use case. This application is the target for the data feed from VulnDB.

Partner product configuration

Before you begin 

This section provides instructions for configuring the VulnDB Data Feed for the Archer IT Security Vulnerabilities Program use case. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All VulnDB components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Important: The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes. It may or may not meet the needs and use cases for your organization. If additional customizations or enhancements are needed, it is recommended that customers contact Archer Help for assistance.

VulnDB and VulnDB XML Utility for Archer configuration

Data is retrieved from VulnDB and made available for import into Archer by a Python script (the “VulnDB XML Utility for Archer”). The script implements the following functionality:

  • Fetches vulnerabilities from the VulnDB API periodically and incrementally. When the script first runs, the entire vulnerability history from VulnDB is downloaded into a set of XML files. This process can take several hours to complete. After the initial download, the utility periodically fetches new and updated vulnerabilities from VulnDB and stores those in additional XML files.

  • Provides a configuration file in which VulnDB access credentials, XML file destination location, and data update intervals are specified, among other things.

The following steps must be taken to configure the VulnDB XML Utility for Archer and make data available for import into Archer using the Data Feed Manager:

  1. Create VulnDB API access credentials following the instructions in the VulnDB Portal Guide. Download the “VulnDB XML Utility for Archer” from the RBS Support portal at https://riskbased.zendesk.com/hc/en-us/articles/360017443074.

  2. Follow the instructions in the README.md file in the download package to install and configure the VulnDB XML Utility for Archer. The XML file destination location must be accessible by the Archer instance. The destination must also be a subdirectory of the Home Directory specified for the Archer instance in the Data File Management section of the Data Feed settings in the Archer Control Panel.

    Note: Be sure to change the show_cvss_v3 and package_info parameters to True if those data elements are of interest to your organization.

Archer configuration

Prerequisites

Components / Recommended Software

  • Archer / Archer 6.4 SP1 or later
  • Archer Applications / Vulnerability Library (Archer IT Security Vulnerabilities Program use case)

Also, download the following component from the Archer Exchange:

File Name / Description

  • VulnDB.dfx5 / Data feed to import information from Risk Based Security’s VulnDB vulnerability intelligence feed

Configuration overview

A variety of customizations to the Vulnerability Library application are required to support the VulnDB Data Feed for Archer ITSVP. First, Sub-Forms are created to organize the custom fields needed to house the VulnDB data, then the actual data fields are created in the Vulnerability Library application, and the layout of the fields on the application form is configured. Finally, the actual feed is configured to consume the VulnDB data and store it in the fields created.

Creating custom sub-forms and associated fields

Note: 8 Custom Sub-Forms are required.

  1. Within Archer, navigate to Application Builder > Sub-Forms.

  2. Click Add New to create a new Sub-Form.

  3. Select Create a new Sub-Form from scratch.

  4. Enter “VulnDB Affected Products” as the name of the form and click OK.

  5. On the Fields tab of the form that opens, select Add New.

  6. Select Create a new field from scratch, choose Text as the type, and click OK.

  7. Enter “CPE” for the Name of the field and click Save.

  8. Repeat adding fields per the table below to create all eight Sub-Forms and the associated custom Fields.

    Note: Fields of type “Date” should be specified as Text Box – Date and Time in the Display Control section of the Options tab when creating those fields.

Table 1: Custom VulnDB sub-forms and associated fields

Each Sub-Form is listed with its fields as Field Name / Type.

VulnDB Affected Products

  • CPE / Text
  • Product Name / Text
  • Vendor Name / Text
  • Version / Text
  • VulnDB Product ID / Numeric
  • VulnDB Vendor ID / Numeric
  • VulnDB Version ID / Numeric

VulnDB Classifications

  • Description / Text
  • ID / Numeric
  • Long Name / Text
  • Name / Text

VulnDB Credits

  • Name / Text

VulnDB CVSSv2 Metrics

  • Access Complexity / Text
  • Access Vector / Text
  • Authentication / Text
  • Availability Impact / Text
  • Calculated Base Score / Numeric
  • Confidentiality Impact / Text
  • CVE ID / Text
  • Generated On / Date
  • ID / Numeric
  • Integrity Impact / Text
  • Score / Numeric
  • Source / Text

VulnDB CVSSv3 Metrics

  • Attack Complexity / Text
  • Attack Vector / Text
  • Availability Impact / Text
  • Calculated Base Score / Numeric
  • Confidentiality Impact / Text
  • CVE ID / Text
  • Generated On / Date
  • ID / Numeric
  • Integrity Impact / Text
  • Privileges Required / Text
  • Scope / Text
  • Score / Numeric
  • Source / Text
  • User Interaction / Text

VulnDB Non-Affected Products

  • CPE / Text
  • Product Name / Text
  • Vendor Name / Text
  • Version / Text
  • VulnDB Product ID / Numeric
  • VulnDB Vendor ID / Numeric
  • VulnDB Version ID / Numeric

VulnDB Package Data

  • Operator / Text
  • OS / Text
  • OS Architecture / Text
  • OS Version / Text
  • Package File Name / Text
  • Package Name / Text
  • Package Version / Text

VulnDB References

  • Type / Text
  • Value / Text

Creating other custom fields

  1. Within Archer, navigate to Application Builder > Applications.

  2. Click Vulnerability Library.

  3. Click the Fields tab.

  4. Add custom fields corresponding to the Sub-Forms created previously. For each field, set the type to “Sub-Form”, specify the corresponding Sub-Form on the General tab, and add the display fields and sort order on the Options tab.

Table 2: Custom vulnerability library sub-form fields

Each field is listed by Field Name, followed by its Type, Display Fields (in order), and Sort Order.

VulnDB Affected Products

  • Type: Sub-Form
  • Display Fields: Vendor Name, Product Name, Version, CPE
  • Sort Order: 1. CPE - Ascending; 2. Version - Descending

VulnDB Classifications

  • Type: Sub-Form
  • Display Fields: Long Name, Description
  • Sort Order: 1. Long Name - Ascending; 2. Description - Ascending

VulnDB Credits

  • Type: Sub-Form
  • Display Fields: Name
  • Sort Order: 1. Name - Ascending

VulnDB CVSSv2 Data

  • Type: Sub-Form
  • Display Fields: Source, Calculated Base Score, Score, Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, CVE ID, Generated On
  • Sort Order: 1. Source - Descending; 2. Generated On - Descending

VulnDB CVSSv3 Data

  • Type: Sub-Form
  • Display Fields: Source, Attack Vector, Attack Complexity, Score, Calculated Base Score, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, Generated On
  • Sort Order: 1. Source - Descending; 2. Generated On - Descending

VulnDB Non-Affected Products

  • Type: Sub-Form
  • Display Fields: Vendor Name, Product Name, Version, CPE
  • Sort Order: 1. CPE - Ascending; 2. Version - Descending

VulnDB Package Data

  • Type: Sub-Form
  • Display Fields: OS, OS Version, OS Architecture, Package Name, Operator, Package Version, Package File Name
  • Sort Order: 1. Package File Name - Ascending; 2. Package Version - Descending

VulnDB References

  • Type: Sub-Form
  • Display Fields: Type, Value
  • Sort Order: As desired

Add the following custom fields with the indicated types. Again, note that fields of type “Date” should be specified as Text Box – Date and Time in the Display Control section of the Options tab when creating those fields.

Table 3: Custom vulnerability library fields – other

Field Name / Type

  • VulnDB Disclosure Date / Date
  • VulnDB Discovery Date / Date
  • VulnDB Exploit Publish Date / Date
  • VulnDB Keywords / Text
  • VulnDB Last Modified Date / Date
  • VulnDB Publish Date / Date
  • VulnDB Solution Date / Date
  • VulnDB Third Party Solution Date / Date
  • VulnDB Vendor Ack Date / Date
  • VulnDB Vendor Inform Date / Date

Configuring the layout

Before the VulnDB-specific fields can be displayed in Archer, they need to be added to the Vulnerability Library application layout.

  1. Within Archer, navigate to Application Builder > Applications.

  2. Click Vulnerability Library.

  3. Click the Layout tab.

  4. Click the New tab on the Default Tab Set section and enter VulnDB for the name where prompted.

  5. Add a section called “Vulnerability Timeline” by clicking Add New Layout Object, dragging Add Section to the VulnDB tab, and entering the name when prompted.

  6. Add a section called “Other VulnDB Information” by clicking Add New Layout Object, dragging Add Section to the VulnDB tab, and entering the name when prompted.

  7. Drag the various VulnDB Sub-Form fields onto the VulnDB tab as shown in Figure 1 below.

  8. Drag the remaining VulnDB custom fields into the appropriate section on the VulnDB tab as shown in Figure 1 below.

  9. Arrange the Sub-Forms and Sections as shown in Figure 1.

Figure 1: VulnDB tab layout

Import the data feed file

You will need to import and configure the VulnDB data feed file downloaded earlier. To import the feed file, perform the following steps:

  1. In Archer, go to Integration > Data Feeds. Under Manage Data Feeds, Import the VulnDB.dfx5 file downloaded earlier.

  2. Update the following settings on the General Information tab:

    • Status: Active
    • Target: Vulnerability Library
    • User Name: userArcherDataFeedService (or other Archer account)

  3. Update the following settings on the Transport tab:

    1. Set the Transport Method to “File Transporter”

    2. Set the Path to “VulnDBXMLFilePath”\*.xml, where “VulnDBXMLFilePath” is the folder or share that the VulnDB Utility script is configured to store XML files. See the “VulnDB and VulnDB Utility Configuration” section earlier in this document for more information.

    3. Under Post-Processing > On Success: select “Rename”, and enter the following for the Destination Filename: {DataFileDirectoryName}\success\{DataFileName}_{Now(MM.dd.yyyy)}.{DataFileExtension}

  4. On the Navigation tab, make sure “XML File Iterator” is selected as the Navigation Method.

  5. Review the mappings on the Data Map tab. Consult Appendix A for more information on the predefined and recommended field mappings, including the key field definition.

  6. On the Schedule tab:

    • Notice that the default is set to once a day

    • Make any changes to the schedule that you’d like

    • Click Start to pull in content immediately (optional)

  7. Save the feed.
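A preflight check for the file hand-off configured above, as an added example that is not part of the VulnDB XML Utility or of Archer: it confirms that the XML destination is a strict subdirectory of the Archer Home Directory and lists the files a `*.xml` transport path would select. The function names, sample paths and file names are assumptions, as is the non-recursive behavior of the wildcard.

```python
import os
import tempfile
from pathlib import Path


def is_under_home(home_dir, dest_dir):
    """True only if dest_dir resolves to a strict subdirectory of home_dir."""
    home = Path(home_dir).resolve()   # resolve() collapses ".." and symlinks
    dest = Path(dest_dir).resolve()
    return home in dest.parents       # equal paths are rejected: not a subdirectory


def pending_feed_files(dest_dir):
    """Names a '<dest_dir>\\*.xml' transport path would select.

    Assumption: the wildcard is not recursive, so files already renamed into
    the 'success' subfolder are not selected again.
    """
    return sorted(p.name for p in Path(dest_dir).glob("*.xml") if p.is_file())


def preflight(home_dir, dest_dir):
    """Return a list of problems; an empty list means the hand-off looks usable."""
    if not Path(dest_dir).is_dir():
        return ["destination directory does not exist"]
    problems = []
    if not is_under_home(home_dir, dest_dir):
        problems.append("destination is not a subdirectory of the Home Directory")
    # Assumption: the account running this check is the one the feed runs as;
    # the On Success rename needs write access as well as read access.
    if not os.access(dest_dir, os.R_OK | os.W_OK):
        problems.append("destination is not readable and writable")
    return problems


if __name__ == "__main__":
    # Constructed sample layout, not real Archer paths or VulnDB data.
    with tempfile.TemporaryDirectory() as root:
        home = Path(root) / "archer_home"
        dest = home / "vulndb_xml"
        (dest / "success").mkdir(parents=True)
        for name in ("vulndb_0001.xml", "vulndb_0002.xml", "success/old.xml"):
            (dest / name).write_text("<vulnerabilities/>")
        print(preflight(home, dest), pending_feed_files(dest))
        print(preflight(home, dest / ".." / ".."))  # escapes the home directory
```

Run it on the host that holds the XML destination, passing the Home Directory value from the Archer Control Panel and the destination configured for the utility.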

Certification environment

Date tested: February 2019

Product Name / Version Information / Operating System

  • Archer / 6.5 / Virtual Appliance
  • VulnDB