Hello everyone: I was giving the responsibility of a Qualys WAS. There are around 30 sites I need to monthly scan, and check alerts. I need to automate all this process so I'm thinking on this
1- Create an script or application that could easily schedule and start the scan of the sites
2- The same app will also pull the reports from Qualys WAS
Now it comes to the issue:
I need to report on the issues found. And have those reports where they could be accessible for compliance reasons.
I'm assuming a lot of other security engineer here have the same issue. So my question is what do you do about this?
I was thinking about what to do and thought that these could be some options, but I want to hear from people that have already faced the same issue:
Is the best option to create an application that pulls the issues found from Qualys and later, presents them in a system or DB, with a web interface easy to be validated and share with people who need to access that info?
Is there any system that already solve my issue(see above in black), that maybe we can buy?
Could you talk about your experience with this?
I have another question. Do you think that having 30 sites, scanned monthly, validating issues found, and doing some other administrative stuff to keep this part working as perfect as possible, do you think just one skilled engineer is enough 100% on this? Or do you think I will need to ask for more people?
Thanks
Thanks to #Kapish M for his response
In order to help the community and anyone who faces the same issue, I will post here an answer but will leave the question open just in case some else have other options.
Qualys has no connector/plugin, for direct JIRA integration but API can make any similar integrations possible. While downloading data from Qualys via API, most times it is NOT very possible to make this communication 2 way unless the other vendor (JIRA etc) be willing to do it.
So it is possible to take one of these two routes to solve this issue:
1- Look for a 2-way integration system, like Service Now, that should make possible to integrate the system much more easier. Today, ServiceNow has 2-way integration.
2- Take care programmatically of
- Downloading Qualys report in CSV format
- Modify the CSF format to adapt it to JIRA as per [2]
- Analyze the issues in JIRA and move the ticket to other groups or close them
3- Because of the high demand of integration of this Security Tool, Qualys has created a Qualys-JIRA integration whitepaper available in [3]
Took information for this answer from:
[1]-Importing CSV into Jira
[2]-Qualys integration
[3]-Qualys Jira integration whitepaper
Related
I am building a website for a client. He's asking me to do security audit of the website. I don't have expertise in security audits and the budget is low. However, I am trying to give the best value to my client. Is there any tool using which I can perform security audit of the website at a low cost?
There are also a few SaaS vulnerability scanning tools that I personally use for my website. Some are free or have subscription-based plans according to users' budgets. Providing you with a detailed report along with consultation from a security expert if required.
I have faced similar issues in the past, it's difficult to find an all in one solution as it is and usually the clients don't even know what they want, also they don't realize that getting security audits done will subsequently increase the cost from the original budget by a huge margin.
I did however, go through the comments and found https://reconwithme.com mentioned, will have a look and provide feed back after using it. I have tried acunetix and they're good but is extremely expensive for start ups who are just entering the game.
Forgot to mention the tool I use, its called ReconwithMe.
I am getting ready to release a new web site in the coming weeks, and would like the ability to run multivariate or a/b tests between two version of the site.
The site is hosted on azure, and I am using the Service Gateway to split traffic between the instances of the site, both of which are deployed from Visual Studio Online. One from the main branch and the other from an "experimental" branch.
Can I configure Google analytics to assist me in tracking the success of my tests. From what I have read Google analytics seems to focus on multiple versions of a page within the same site for running its experiments.
I have though of perhaps using 2 separate tracking codes, but my customers are not overly technically savvy, so I would like to keep things as simple as possible. I have also considered collecting my own metrics inside the application, but I would prefer to use an existing tool as I don't really have the time to implement something like that.
can this be done? are there better options? is there a good nugget package that might fulfil my needs? any advice welcome.
I'd suggest setting a custom dimension that tells you which version of the site the user is on. Then in the reports you can segment and compare the data.
note: there are few similar questions already asked here - but they are from 2009. May be something has changed since then.
I'm responsible for a bunch of websites hosted on different servers. I do not do any log analysis right now, but I would like to change this. First question - what is the best tool to view ISSUES with the website based on IIS logs (i.e. 404, 500 responses, long page processing, etc)? Ideally with grouping/sorting options? I do not want to spend a lot of time on this, I just want to periodically check if all is good with the website.
Second question (and I know most likely i'm asking for too much) - but is there any way to expose processed logs to web? So I can review things mentioned above without RPDing into the server?
Ideally I'm looking for a free/open source solution, but I'm ready to pay for a good software as well (but not a lot of $$).
Thank you.
You can take a look at our log monitoring solution EventSentry, which can monitor text-based logs like IIS logs. We have standard templates setup for IIS, and we can consolidate the logs in a database with web-access, so that you can review the logs without using RDP.
It's a pretty flexible solution that allows you to pick the fields you are interested in, and ignore the ones you are not - and thus save space in your database.
You can also setup real-time alerts, so that you can get an email when a critical error is encountered in a log file, like a 500 error.
http://www.eventsentry.com/features/log-file-monitoring
Finally, you can also plug-in command line tools which can verify that a given web page is accessible, or get alerted when it changes: http://www.eventsentry.com/features/application-monitoring.
I'm biased of course, but I would say that our solution is pretty affordable. Since it offers additional functionality as well, such as service monitoring (to monitor your IIS services) and event log monitoring (IIS does log critical messages to the event log), you can setup comprehensive monitoring with a single product.
I'd look into #LuckyLuke solution (or similar) - classic "build vs buy" decision. Based on your post, this isn't going to be your "full time" job so IMHO its best to leave it to those who do...
I don't know what "legacy" answers you are referring to, but if you want to tinker you can use Microsoft's own log parser, and depending on how far you want to go with it, you can use it (COM dll) to write your "admin web pages" in .Net/ASP.Net and host it in each of your servers....
If you're very specific about the errors you just want to be alerted about, another "hacky" way would be to provide your own custom error pages (either the default IIS error pages, or configure your Asp.Net apps to use specific error pages).
At the moment support requests / bug reports made by customers are coming in by mail. It is getting harder to organize priorities and stay at the helm of all this. So I am looking for bugtracking(?) tools. Not all reports are bugs of course, sometimes it's just feature request or support requests.
So my question is: whicht open source bugtracker / support request handling tool do you recommend? I know Mantis which seems to be my front runner for a more elaborate evaluation, but I already worked with it (as a reporter / contributor) and found the GUI a little cumbersome. Another issue is that I thought about using the tool for multiple website projects of different customers.
Intuitively I would prefer to run only one instance of the tool for all projects to have a better overview of all critical issues (independently of the project). Of course customer A should not be able to see customer Bs request (but every customer can have multiple reporting accounts) Is Mantis able to handle that? Can you recommend any other alternatives?
P.S.: I heard about Jira, but I will try to find a free tool for my first try.
It's possible to use email with Mantis, so that you can get incoming email (directly or by forwarding) to Mantis.
Then you can have a workflow in Mantis, f.ex. have an incoming project and customer projects, and you can send email with bcc Mantis and subject containing issue number (I use [1234] as a pattern).
I haven't used other issue trackers as much, but my experience with a customized Mantis is good regarding different kinds of issues and using with email.
Since you're turned to Open source, I'd say install a project management platform like Launchpad, redmine... etc and then create a project for each of your clients (of course you can have multiple accounts for only one client). The bug tracker in these platforms can serve as a support request service.
I'd go for Launchpad because it also has the Q/A feature and blueprints, and is also nice looking and very very user-friendly. And also damn easy to install on a Ubuntu Server.
Kind regards
My company is planning to start a forum for our software product which the clients can refer for general FAQ's, problems etc.
Right now we are planning to have:-
User manuals.
Best practices for different section's of the application
Frequently faced problems.
Forum where user can discuss issues with development team.
Any other ideas?
Edit:-
We have RSS and E-mail notification subscription to the forum.
Forum where user can discuss issues
with development team.
I don't know if this is a euphemism for "issue tracker" but if not, make sure you include a way for people to submit bug/feature/enhancement reports and track them to completion. Nothing is worse than not being able to submit a bug report or being able to submit a bug report but only into a black hole.
Communication is key.
If you add an issue tracker as suggested by Kevin, your list seems pretty ok to me.
I'd also suggest that you do not start out with too many different services that require interaction from your side (e.g. your developers) at first - I've seen (too) many good initiatives die simply because nobody in the company had enough time e.g. for regular answering of the forum questions.
In your case, I guess "best practices", "frequent problems" and the forum will all consume regular time from your dev team if you want to keep them alive and up-to-date, especially in the beginning. So I would not add more services at the beginning but make sure to get these right (and you can always add more services later on if you find that the users need them :-).
You.
Show that you care about your customers.
Many useful tips at Creating passionate users blog.