What is the purpose of custom findings?
In Nucleus, users can upload vulnerability scans and manage those vulnerabilities in a clean, easy-to-use UI, with full tracking through the vulnerability lifecycle (collaboration, automation, etc.). However, a big part of vulnerability management is also being able to manage manual penetration tests and other generic vulnerability findings.
This is because vulnerability scanning by itself is not the full picture. For a full-scope vulnerability management program, it is necessary to look at findings that exist from penetration tests, manual assessments, or just generic findings.
Custom findings in Nucleus allow a user to easily bring in their vulnerabilities from manual penetration tests, and also allow their penetration testing teams to add findings directly to assets in the Nucleus platform, without having to put together a PDF report and email it. A penetration tester can go in and consolidate his or her manual findings with vulnerability scan results easily and efficiently.
The next section will describe how custom findings are managed within Nucleus.
How it works - High level
Nucleus uses a findings templates library in order to make the management of manual vulnerabilities easier.
Every client of Nucleus gets their own custom finding templates library, which they can populate with templates to be used across the entire organization, across projects, teams, etc. The templates from the library can then be used to pre-populate data when creating findings, reducing the manual work.
Some Definitions:
Library: This is where all the templates are stored in Nucleus. You can find this page by navigating to Global Dashboard > Finding Templates.
Template: This is a vulnerability template that contains high-level information about a vulnerability. A template is used to pre-populate data when creating an actual finding within a project in order to reduce the manual work.
- EX: You create a template for XSS. Then every time you create an XSS finding in a project, you can use the pre-populated data from the template instead of pasting the description, solution, and severity into the finding every time you want to report on an XSS finding.
Finding: This is what we use to define the creation of an instance of a vulnerability. It is pre-populated with data from a template when you are creating a finding.
- EX: All vulnerabilities listed in the "Active Vulnerabilities List" (Project Dashboard > Vulnerabilities > Active) are considered findings. Once a finding has been created from a template, it will show up here as well.
The process works like this:
- Add a template with the high-level finding information (Description, Generic Solution, etc.).
- This template can now be used across all your Nucleus projects and all your assets. To add a finding to an asset, navigate to either the Active Vulnerabilities List or an Asset Details page, and click "Add Custom Finding".
- The template is used to populate as much information about the finding itself as possible, so all you have to fill in when adding the finding to an asset is the asset-specific information (which is all optional), such as HTTP Request and Response, Reproduction Steps, affected code snippet, etc.
You can use the same template as many times as you would like, and add it to as many assets as you would like. This reduces the amount of work and copy/paste necessary to manage vulnerabilities.
The best part? If that finding shows up in another assessment, it is already there, so no copying or pasting necessary. No more PDF reports, consolidating into CSV files, etc. Everything can be contained and managed within Nucleus.
Additionally, Nucleus comes pre-built with packs of vulnerability templates, which will automatically create common findings from penetration tests. Be on the lookout in the descriptions for these templates, as we have some special descriptions for you!
How it works - Example
We learn better by doing, so let's walk through an example of how you would use a custom finding.
I want to create a SQL Injection Vulnerability on 3 different applications contained in Nucleus. 2 are contained in Project A, and 1 is contained in Project B.
To create the custom finding on the assets in Project A, I would do the following:
1. Navigate to the findings library (Global Dashboard > Finding Templates)
2. SQL Injection is a pre-built template, based on the OWASP Top 10, so you can find it in the templates. If you want to create your own template for SQL Injection instead, click + Add Finding Template and go to step 3. If not, skip to step 4.
3. Enter the following information (required) and click Save:
- Finding Name: This is the name of the template and the name of the finding when it is created.
- Finding Type: This is important when creating an instance of a finding.
- Default Severity: This is the severity of the finding when you create it. This can be edited later.
4. Navigate into the Active Vulnerabilities List in Project A (Project Dashboard > Vulnerabilities > Active)
5. Click + Add Custom Finding
6. Select your template from the list. In this case, I picked "Injection". Click Next.
7. Select the asset which is affected by that template from the list and click Next.
Note: You can only add one asset at a time to a finding. We found this process was much more accurate and less prone to errors when adding finding details to one asset at a time rather than trying to do too much at once.
8. Enter any of the information you would like on the screen. We recommend entering the affected URL so you can differentiate the findings in Nucleus, in case an Injection vulnerability shows up in multiple places on the same asset.
- Ex: SQL Injection on both:
- https://example.com/
- https://example.com/injection
9. Click Save & Finish
The instance of that vulnerability has now been created! For all future SQL Injection vulnerabilities, you can skip steps 1-4 and just enter the template, affected asset, and asset details.
I can do the same for any assets in Project B as well.
Once the finding is created, you can manage it as if it were any other vulnerability found by a vulnerability scanning tool. You have effectively built manual assessment findings into your Nucleus instance and into your workflow!