path: root/lib/srtgui/templates/guided_tour.html
blob: bdc8987e65bba03b75186b9032a86e3f337a4277 (plain)
{% extends "base.html" %}

{% load static %}
{% load projecttags %}
{% load humanize %}

{% block title %} Guided Tour of SRTool {% endblock %}
{% block pagecontent %}
<div class="row">
  <div class="col-md-7" style="padding-left: 50px;">
    <h1>Guided Tour of the Security Response Tool (SRTool)</h1>
  </div>
</div>

<div class="row" style="padding-left: 25px;">
  <h2>Index</h2>
  <ul>
    <li> <a href="#goals">Goals</a></li>
    <li> <a href="#basic">Basic Introduction</a></li>
    <li> <a href="#public">Public View</a></li>
    <li> <a href="#private">Private View</a></li>
    <li> <a href="#management">Management</a></li>
  </ul>
</div>

<div class="row" style="padding-left: 25px;">
  <h3 id="goals">Goals</h3>
  <ul>
    <li> A common system to track and share security issues, combining community CVE's </li>
    <li> A simple yet flexible interface for reporting and exploring the security issues </li>
    <li> A place to upload and share attachments, including patches, fixes, emails, and documents  </li>
    <li> The ability to generate accurate and up-to-date reports and exports</li>
    <ul>
      <li> Status on a given CVE and its defects, for a specific product or for all affected products</li>
      <li> Compliance reports on sensitive CVE's, for example the chain of events and who-knew-what-when</li>
      <li> Status of each product, for the related CVE defects</li>
      <li> Ability to easily export that data to spreadsheets and to the public CVE database </li>
    </ul>
    <li> The ability to securely store embargoed CVE's and data, complete with user protection and data encryption</li>
    <li> Tools to help manage the ongoing influx of CVE's (around 1000 per month) so that expert time is not wasted and crucial CVE's are not lost </li>
    <li> In general, a managed and automated tool set based on open source to replace splintered email threads and brittle manual systems</li>
  </ul>
  <p>
</div>

<div class="row" style="padding-left: 25px;">
  <h3 id="basic">Basic Introduction</h3>
  <ul>
    <li> This demo's data set contains the integrated CVE, Defect, and Sustaining data for 'CVE-2015-*' to 'CVE-2018-*'</li>
    <li> The title bar "<a href="/">SRTool:Security Response Tool</a>" will always link you back to the home page </li>
    <li> In tables there are three ways to adjust the data set, and they can be used separately and/or together to get the best results </li>
    <ul>
      <li> <b>The search bar</b>: most of the text fields are searchable. Enter a value (<I>like 'meltdown'</I>) and all records that have that string in those fields will appear</li>
      <li> <b>The column sort</b>: all column titles that appear in blue can be used to sort using that column. Click a second time to reverse the sort</li>
      <li> <b>The column filter</b>: when you click on the 'cone' symbol in a column title you can select a filter based on that column's data</li>
      <li> At the bottom of each table you can set the page size and jump to different pages </li>
    </ul>
    <li> The user access model is simulated in this demo </li>
    <ul>
      <li> By default you can see that you are logged in as "Guest" in the top right corner </li>
      <li> If you click to log in you can become a system admin, and can see the hidden management data tables </li>
      <li> If you click again to log out, you will return to the 'Guest' account </li>
    </ul>
    <li> The top bar also includes general and page-specific tool actions, for example:</li>
    <ul>
      <li> <b>Export</b>: Generate and download an export or report</li>
      <li> <b>New CVE or Vulnerability</b>: Create a new customer CVE, or create a new exploratory Vulnerability</li>
      <li> <b>Fetch alt data</b>: Fetch data from additional CVE data sources for a given CVE</li>
    </ul>
  </ul>
  <p>
</div>

<div class="row" style="padding-left: 25px;">
  <h3><a id="public"></a>Public View</h3>
  <ul>
    <li> <b><a href="{% url 'cves' %}">CVE's</a></b> </li>
    <ul>
      <li> The CVE page is based on the NIST public page, and includes the V3 and V2 severity information, download links, and CPE's</li>
      <li> There are tabs to see (a) the original NIST source data, (b) alternate CVE sources, and (c) SRTool edits (if added)</li>
      <li> At the top is a place for the internal tags to help lookups and track status </li>
      <li> At the top is a place to see the publishing state. It can include future dates, plus a "Publish Now" button </li>
      <li> The "New CVE" link creates a new custom local CVE record</li>
      <li> The "Fetch alt data" link adds Mitre, Debian, and other data to this CVE</li>
      <li> The "Export" link provides CVE specific reports</li>
    </ul>
  </ul>
  <ul>
    <li> <b><a href="{% url 'vulnerabilities' %}">Vulnerabilities</a></b> </li>
    <ul>
      <li> Vulnerability records track the <b>overall status</b> of a CVE (or a group of tightly related CVE's) </li>
      <li> Multiple related CVE's can be attached </li>
      <li> Multiple Investigations can be attached, one per product </li>
      <li> Comments and attachments can be added by logged-in users (for traceability)</li>
      <li> Users can sign up for change notification emails </li>
      <li> Vulnerabilities can be public, or locked to an invitation-only list of users</li>
      <li> The "Edit Status ..." button allows changes to fields like the status, priority, and comments</li>
      <li> The "Create Notification..." button is for notifying owners of status changes for the record</li>
      <li> The "Delete" button is for deleting this record</li>
      <li> The "Add product ..." button is for attaching a product and creating a respective Investigation record</li>
      <li> The "New Vulnerabilities" link creates a new vulnerability record</li>
      <li> The "Export" link provides Vulnerability specific reports</li>
    </ul>
  </ul>
  <ul>
    <li> <b><a href="{% url 'investigations' %}">Investigations</a></b> </li>
    <ul>
      <li> Investigation records track the status of a CVE for a <b>given product</b> </li>
      <li> Multiple defect links can be attached </li>
      <li> Comments and attachments can be added by logged-in users </li>
      <li> Users can sign up for change notification emails </li>
      <li> Investigations can be public, or locked to a controlled list of users</li>
      <li> The "Edit Status ..." button allows changes to fields like the status, priority, and comments</li>
      <li> The "Create Notification..." button is for notifying owners of status changes for the record</li>
      <li> The "Delete" button is for deleting this record</li>
      <li> The "Export" link provides Investigation specific reports</li>
    </ul>
  </ul>
  <ul>
    <li> <b><a href="{% url 'defects' %}">Defects</a></b> </li>
    <ul>
      <li> This table lists all of the defects being tracked by the Vulnerabilities and Investigations </li>
      <li> A quick status overview of the defects is provided </li>
      <li> A quick summary page per defect is provided, with a link to the actual defect </li>
    </ul>
  </ul>
  <ul>
    <li> <b><a href="{% url 'products' %}">Products</a></b> </li>
    <ul>
      <li> Products tracked in this tool </li>
      <li> Access to each product's Vulnerabilities, Investigations, and Defects</li>
    </ul>
  </ul>
  <ul>
    <li> <b><a href="{% url 'cpes' %}">Package CPE's</a></b> </li>
    <ul>
      <li> This table tracks the packages that have been identified as vulnerable</li>
      <li> It also maps this package to the affected CVE's, Vulnerabilities, Investigations, and finally the related defects </li>
      <li> This data can help assist in CVE triage and risk analysis </li>
    </ul>
  </ul>
  <ul>
    <li> <b><a href="{% url 'cwes' %}">CWE's</a></b> </li>
    <ul>
      <li> The 'Common Weakness Enumerations' (CWE) found in the vulnerable CVE records </li>
      <li> These fundamental weaknesses are also mapped in this table to the related CVE's </li>
    </ul>
  </ul>
  <p>
</div>

<div class="row" style="padding-left: 25px;">
  <h3 id="private">Private View</h3>
  <ul>
    <li> <b><a href="{% url 'cves' %}">Private CVE's, Vulnerabilities, Investigations</a></b> </li>
    <ul>
      <li> When a CVE is still under embargo, its information must be kept private</li>
      <li> The SRTool has the ability to mark a CVE and its Vulnerabilities and Investigations private</li>
      <li> A private CVE has a user access list of who is allowed to view the records</li>
      <li> Once a CVE is made public, then it can be unlocked, and defects can be generated</li>
      <li> This feature will be released soon</li>
    </ul>
  </ul>
  <p>
</div>

<div class="row" style="padding-left: 25px;">
  <h3 id="private">User Accounts</h3>
  <ul>
    <li> <b><a href="{% url 'login' %}">Logging into the SRTool system</a></b> </li>
    <ul>
      <li> By default, the SRTool is accessed by the anonymous "Guest" account, which provides general read-only access</li>
      <li> You can click "Request Account" to directly create your own new Guest account</li>
      <li> To obtain write access, the user must make a request to one of the system's administrators</li>
      <li> The user access levels are:</li>
      <ul>
		<li> <b>Reader</b>: User that can read the content (Field, TechPubs)</li>
		<li> <b>Contributor</b>: Reader that can add notes and attachments (Engineers, Test, Managers)</li>
		<li> <b>Creator</b>: Contributor that can create Investigations and defect records </li>
		<li> <b>Admin</b>: Creator that can manage users, data sources</li>
      </ul>
    </ul>
  </ul>
  <p>
</div>

<div class="row" style="padding-left: 25px;">
  <h3 id="management">Management</h3>
  <ul>
    <li> <b>Logging in</b> </li>
    <ul>
      <li> When you log in as a qualified user, you get access to the Edit and Management functions</li>
      <li><i>NOTE: if you are <u>not</u> logged in as a qualified user, all of the below links will automatically redirect to the home page</i></li>
    </ul>
    <p>
    <li> <b>Edit, Attached, Comments, Notifications</b> </li>
    <ul>
      <li> In the various records, new buttons and icons appear to allow you to create and edit the content, for example: </li>
      <ul>
        <li>Uploading (and deleting) attachments</li>
        <li>Adding comments</li>
        <li>Adding email notification registration for changes</li>
        <li>Adding todo notifications</li>
      </ul>
    </ul>
    <p>
    <li> <b><a href="{% url 'manage' %}">Management Page</a></b> </li>
    A 'Management' button appears on the home page when an admin is logged in, and provides the following features.
    <ul>
      <li> <a href="{% url 'triage_cves' %}">Triage CVE's</a>: Tools to bulk manage the CVE's, for example the new incoming CVE's</li>
      <ul>
        <li> <a href="{% url 'select-cves' %}"> CVE Filtering</a>: view to filter, select, and bulk assign CVE's </li>
        <li> <a href="{% url 'package-filters' %}"> Triage Package Filtering Keywords </a>: managed keywords to help pre-qualify the CVE's </li>
      </ul>
      <li> <a href="{% url 'manage_notifications' %}">Pending Notifications</a>: Triage/email the pending notifications</li>
      <li> <a href="{% url 'manage_report' %}">Summary Reports</a>: general reports on the overall system status </li>
      <li> <a href="{% url 'publish' %}">Publish Requests</a>: manage the items that are ready to be published </li>
      <li> <a href="{% url 'users' %}">Manage Users</a>: view the user list, add and remove users, adjust their permissions </li>
      <li> <a href="{% url 'sources' %}">Manage Sources</a>: view the data source lists, their incremental update policies, and trigger manual updates </li>
    </ul>
    <p>
    <li> <b><a href="{% url 'manage' %}">Triage CVE Page</a></b> </li>
    The triage CVE page has several workflow features.
    <ul>
      <li> The "Reasons For" and "Reasons Against" columns match the keyword filters against the CVE</li>
      <li> The "Recommendation" column (and its filter) scores the CVE according to the keyword filters</li>
      <li> The "Search" feature can be used to select against keywords</li>
      <li> The "Select" and "Un-select" buttons can be combined with manual selects to isolate the desired CVE set</li>
      <ul>
        <li> Note that only the CVEs visible on the current page are selected/un-selected, to prevent side effects to un-observed CVEs</li>
      </ul>
      <li> The "Not Vulnerable" button can be used to move CVEs from "New" to "Not Vulnerable" </li>
      <ul>
        <li> The "Reason" field can capture the reason the CVEs in this set are not vulnerabilities </li>
        <li> The "We do not ship ..." checkbox can accordingly preface the "reason" field </li>
      </ul>
      <li> The "Vulnerable" button can be used to move CVEs from "New" to "Vulnerable", with respective Vulnerability records created</li>
      <ul>
        <li> The "Reason" field can capture the reason the CVEs in this set are vulnerabilities </li>
        <li> The "Vulnerable Products" list can be used to create Investigations against those products</li>
        <li> The "Priority" field sets the vulnerability severity as per the organization</li>
        <li> The "Group" option can be used to gather the CVE set into one vulnerability, instead of one per CVE</li>
        <li> The "Create Defect" option can be used to automatically create a defect record for the respective product investigations</li>
      </ul>
      <li> History entries will be automatically created for triaged CVE's, Vulnerabilities, and Investigations</li>
    </ul>
  </ul>
  <p>
</div>

{% endblock %}