path: root/lib/srtgui/templates/guided_tour.html
blob: fe5fd60ed3f820fdc1e0b9dd78d3f5a77ef9a4fc (plain)
{% extends "base.html" %}

{% load static %}
{% load projecttags %}
{% load humanize %}

{% block title %} Guided Tour of SRTool {% endblock %}
{% block pagecontent %}
<div class="row">
  <div class="col-md-7" style="padding-left: 50px;">
    <h1>Guided Tour of the Security Response Tool (SRTool)</h1>
  </div>
</div>

<div class="row" style="padding-left: 25px;">
  <h2>Index</h2>
  <ul>
    <li> <a href="#goals">Goals</a></li>
    <li> <a href="#basic">Basic Introduction</a></li>
    <li> <a href="#public">Public View</a></li>
    <li> <a href="#private">Private View</a></li>
    <li> <a href="#management">Management</a></li>
  </ul>
</div>

<div class="row" style="padding-left: 25px;">
  <h3><a id="goals"></a>Goals</h3>
  <ul>
    <li> A common system to track and share security issues, combining community CVE's </li>
    <li> A simple yet flexible interface for reporting and exploring the security issues </li>
    <li> A place to upload and share attachments, including patches, fixes, emails, and documents  </li>
    <li> The ability to generate accurate and up-to-date reports and exports</li>
    <ul>
      <li> Status on a given CVE and its Jira defects, for a specific product or for all affected products</li>
      <li> Compliance reports on sensitive CVE's, for example the chain of events and who-knew-what-when</li>
      <li> Status of each product, for the related CVE defects</li>
      <li> Ability to easily export that data to spreadsheets and to the public CVE database </li>
    </ul>
    <li> The ability to securely store embargoed CVE's and data, complete with user protection and data encryption</li>
    <li> Tools to help manage the ongoing influx of CVE's (around 1000 per month) so that expert time is not wasted and crucial CVE's are not lost </li>
    <li> In general, a managed and automated tool set based on open source to replace splintered email threads and brittle manual systems</li>
  </ul>
  <p>
</div>

<div class="row" style="padding-left: 25px;">
  <h3><a id="basic"></a>Basic Introduction</h3>
  <ul>
    <li> This demo's data set contains the integrated CVE, Jive, and Sustaining data for 'CVE-2017-*' and 'CVE-2018-*' (11,630 CVE's to date) </li>
    <li> The title bar "<a href="/">SRTool:Security Response Tool</a>" will always link you back to the home page </li>
    <li> In tables there are three ways to adjust the data set, and they can be used separately and/or together to get the best results </li>
    <ul>
      <li> <b>The search bar</b>: most of the text fields are searchable. Enter a value (<I>like 'meltdown'</I>) and all records that have that string in those fields will appear</li>
      <li> <b>The column sort</b>: all column titles that appear in blue can be used to sort using that column. Click a second time to reverse the sort</li>
      <li> <b>The column filter</b>: when you click on the 'cone' symbol in a column title you can select a filter based on that column's data</li>
      <li> At the bottom of each table you can set the page size and jump to different pages </li>
    </ul>
    <li> The user access model is simulated in this demo </li>
    <ul>
      <li> By default you can see that you are logged in as "Guest" in the top right corner </li>
      <li> If you click to log in, you will automatically become a system admin and can see the hidden management and data tables </li>
      <li> If you click again to log out, you will return to the 'Guest' account </li>
    </ul>
    <li> In the top bar is a "Tools" button, which includes actions for the current page</li>
    <ul>
      <li> <b>Report ...</b>: Generate and download a report</li>
      <li> <b>Export ...</b>: Generate and download an export</li>
      <li> <b>Edit ...</b>: Edit the information (if you have access)</li>
    </ul>
  </ul>
  <p>
</div>

<div class="row" style="padding-left: 25px;">
  <h3><a id="public"></a>Public View</h3>
  <ul>
    <li> <b><a href="{% url 'cves' %}">CVE's</a></b> </li>
    <ul>
      <li> The CVE page is based on the NIST public page, and includes the V3 and V2 severities information, download links, and CPE's</li>
      <li> There are tabs to see (a) the original source data and (b) the SRTool edits (if any)</li>
      <li> At the top is a place for the internal tags to help lookups and track status </li>
      <li> At the top is a place to see the publishing state. It can include future dates, plus a "Publish Now" button </li>
    </ul>
  </ul>
  <ul>
    <li> <b><a href="{% url 'vulnerabilities' %}">Vulnerabilities</a></b> </li>
    <ul>
      <li> Vulnerability records track the <b>overall status</b> of a CVE (or a group of tightly related CVE's) </li>
      <li> Multiple CVE's can be attached </li>
      <li> Multiple Investigations can be attached, one per product </li>
      <li> Comments and attachments can be added by logged-in users (for traceability)</li>
      <li> Users can sign up for change notification emails </li>
      <li> Vulnerabilities can be public, or locked to an invitation-only list of users</li>
    </ul>
  </ul>
  <ul>
    <li> <b><a href="{% url 'investigations' %}">Investigations</a></b> </li>
    <ul>
      <li> Investigation records track the status of a CVE for a <b>given product</b> </li>
      <li> Multiple Jive links can be attached </li>
      <li> Comments and attachments can be added by logged-in users </li>
      <li> Users can sign up for change notification emails </li>
      <li> Investigations can be public, or locked to a controlled list of users</li>
    </ul>
  </ul>
  <ul>
    <li> <b><a href="{% url 'defects' %}">Defects</a></b> </li>
    <ul>
      <li> This table lists all of the Jira defects being tracked by the Vulnerabilities and Investigations </li>
      <li> A quick status overview of the defects is provided </li>
    </ul>
  </ul>
  <ul>
    <li> <b><a href="{% url 'products' %}">Products</a></b> </li>
    <ul>
      <li> Products tracked in this tool </li>
      <li> Access to each product's Vulnerabilities, Investigations, and Defects</li>
    </ul>
  </ul>
  <ul>
    <li> <b><a href="{% url 'cpes' %}">CPE's</a></b> </li>
    <ul>
      <li> The 'Common Product Enumerations' (CPE) found in the vulnerable CVE records </li>
      <li> This data can help track CPE's that result in vulnerabilities, to help improve triaging CVE's </li>
    </ul>
  </ul>
  <ul>
    <li> <b><a href="{% url 'cwes' %}">CWE's</a></b> </li>
    <ul>
      <li> The 'Common Weakness Enumerations' (CWE) found in the vulnerable CVE records </li>
    </ul>
  </ul>
  <p>
</div>

<div class="row" style="padding-left: 25px;">
  <h3><a id="private"></a>Private View</h3>
  <p><i>NOTE: if you are <u>not</u> logged in as a qualified user, all of the below links will automatically redirect to the home page</i>.
  <ul>
    <li> <b>Embargoed Data</b> </li>
    <ul>
      <li> When you 'log-in' (top-right button) as a qualified user, hidden records will become visible</li>
      <ul>
        <li> <i>NOTE: The user accounts are currently simulated. Simply click on the 'log-in' button to switch states</i></li>
      </ul>
      <li> All related records and attachments are automatically encrypted in the database and in the file system</li>
      <li> Open the example Vulnerability "<a href="{% url 'vulnerability' 1 %}">V0000</a>" </li>
      <ul>
        <li> Observe the "PRIVATE" notice next to the name </li>
        <li> Observe the invitation-only access and notification lists at the bottom</li>
        <li> Observe the attached PowerDNS notice</li>
        <li> Observe the comments and automatic timeline information, which can be used in a <b>compliance report</b> </li>
      </ul>
    </ul>
  </ul>
  <ul>
    <li> <b>Internal Investigations</b> </li>
    <ul>
      <li> You can create internal CVE's (with the prefix "<b>SRTCVE</b>") and Investigations for customer or Test reported issues</li>
      <li> All work can be tracked using the normal features, and can be kept private or public</li>
      <li> If these turn out to be new uncertainties, you can create a report to submit to the CVE registration authorities</li>
      <li> Open the example record <a href="{% url 'cve' 2 %}">SRTCVE-2018-0000</a></li>
    </ul>
  </ul>
  <p>
</div>

<div class="row" style="padding-left: 25px;">
  <h3><a id="management"></a>Management</h3>
  When you log-in as a qualified user, you get access to the Edit and Management functions.<p>
  <p><i>NOTE: if you are <u>not</u> logged in as a qualified user, all of the below links will automatically redirect to the home page</i>.
  <p>
  <ul>
    <li> <b>Edit, Attached, Comment</b> </li>
    <ul>
      <li> In the various records, new buttons and icons appear to allow you to create and edit the content </li>
    </ul>
    <p>
    <li> <b><a href="{% url 'manage' %}">Management Page</a></b> </li>
    A 'Management' button appears on the home page when an admin is logged in, and provides the following features.
    <ul>
      <li> <a href="{% url 'triage_cves' %}">Triage CVE's</a>: Tools to manage the incoming CVE's </li>
      <ul>
        <li> <a href="{% url 'keywords' %}"> Triage Filtering Keywords </a>: managed keywords to help pre-qualify the CVE's </li>
        <li> <a href="{% url 'select-cves' %}"> CVE Filtering</a>: view to filter, select, and bulk assign CVE's </li>
      </ul>
      <li> <a href="{% url 'create_vulnerability' %}">Create a Vulnerability</a>: based on non-CVE inputs </li>
      <li> <a href="{% url 'publish' %}">Process Publishing Items</a>: manage the items that are ready to be published </li>
      <li> <a href="{% url 'manage_report' %}">Reports</a>: general reports on the overall system status </li>
      <li> <a href="{% url 'users' %}">Manage Users</a>: view the user list, add and remove users, adjust their permissions </li>
      <li> <a href="{% url 'sources' %}">Manage Sources</a>: view the source lists, their incremental update policies, and trigger manual updates </li>
    </ul>
    <p>
    <li> <b><a href="{% url 'triage_cves' %}">Triage CVE Page</a></b> </li>
    The triage CVE page has several workflow features.
    <ul>
      <li> The "Reasons For" and "Reasons Against" columns match the keyword filters against the CVE</li>
      <li> The "Recommendation" column (and its filter) scores the CVE according to the keyword filters</li>
      <li> The "Search" feature can be used to select against keywords</li>
      <li> The "Select" and "Un-select" buttons can be combined with manual selects to isolate the desired CVE set</li>
      <ul>
        <li> Note that only the CVEs visible on the current page are selected/un-selected, to prevent side effects to un-observed CVEs</li>
      </ul>
      <li> The "Not Vulnerable" button can be used to move CVEs from "New" to "Not Vulnerable" </li>
      <ul>
        <li> The "Reason" field can capture the reason the CVEs in this set are not vulnerabilities </li>
        <li> The "We do not ship ..." checkbox can accordingly preface the "reason" field </li>
      </ul>
      <li> The "Vulnerable" button can be used to move CVEs from "New" to "Vulnerable", with respective Vulnerability records created</li>
      <ul>
        <li> The "Reason" field can capture the reason the CVEs in this set are vulnerabilities </li>
        <li> The "Vulnerable Products" list can be used to create Investigations against those products</li>
        <li> The "Priority" field sets the vulnerability severity as per the organization</li>
        <li> The "Group" option can be used to gather the CVE set into one vulnerability, instead of one per CVE</li>
        <li> The "Create Defect" option can be used to automatically create a defect record for the respective product investigations</li>
      </ul>
      <li> History entries will be automatically created for triaged CVE's, Vulnerabilities, and Investigations</li>
    </ul>
  </ul>
  <p>
</div>

{% endblock %}