Hello? Is this thing on? *ehem* Hello Security Streeters this is my first time writing for the Security street blogs and I’m surprised I haven’t done so in the past given that I’ve earned the nickname in Rapid7 as being the Nexpose and metasploit “troublemaker”; however, let’s leave the troublemaking in the backseat for now and talk about a new and exciting feature that’s coming out with Nexpose 5.5 featuring (among other goodies) a brand new reporting engine!
During our internal rapid7 report hackathon a few weeks before the launch of Nexpose 5.5 we talked about ideas and needs that users of Nexpose would ask us during conversations, evaluations and face to face conversations at conferences and, being part of the Security Solutions team means that I have firsthand interaction with users and prospective clients about what they feel they truly need when it comes to handling the copious amount of data coming from Nexpose.
One of those needs is very simple yet very straightforward: An OWASP Top 10 Vulnerability report. Why do we need to know about this? Well, studies have uncovered that when it comes to attacks SQL injection is the second most discussed amongst hackers and attackers after a DDoS, placing it as the number one web application vulnerability according to OWASP. We can definitely build firewalls to protect our internal networks and filter packets going inside our systems, but when your web applications are leaking information, an attacker can get out with a lot of data: credit card, social security, credentials for other internal systems among other pieces of loot.
So really figuring out what kind of OWASP vulnerabilities are inside a web application is critical and – if you’re not the developer – delegating to those who aren’t Security savvy the information in a format they can understand is very important. Thankfully, with the new reporting engine in Nexpose we can access this information and relate every single vulnerability in the OWASP category with vulnerabilities reported by Nexpose advanced web spider in our web applications. The report looks something like this:
An OWASP Top 10 Vulnerability report that shows every single host, the severity of each one of them, the title, and the path to it! This way for example we can see across all of our web servers and web applications how many of them are vulnerable to SQL Injection or Cross-Site Scripting and how severe they are in leaking data or allowing attackers into our database and systems.
The new reporting capabilities in Nexpose 5.5 are really exciting and allow us to create and tailor new reports to meet client needs in a very fast and efficient way. This particular one with its localization to Spanish is included below in the attachment section, all ready to be downloaded and uploaded into your installation of Nexpose 5.5. Stay tuned, I'll be making more reports so feel free to share your ideas on what you want to see in one!