It's common for an organization to use a combination of third-party penetration testing vendors alongside its internal security program. Resolve aggregates and correlates the vulnerabilities generated across all of those programs. This article covers how to take the reports your third-party penetration testing providers deliver and import them into Resolve.
Did you know your vendors can submit their reports directly into the Resolve platform? They can, which lets you skip the process below entirely. Contact your NetSPI representative to learn about the access controls you can put in place so vendors load their own findings and you no longer have to manage third-party vulnerability reports by hand.
Step 1: Identify required information
First, decide which data points vendors must provide for each of their assessments. The data points Resolve supports are listed here. Vendors should deliver their findings as a CSV file whose column headers match the column names in that list.
Step 2: Provide unique identifiers
Resolve matches every imported vulnerability to a Master Finding so that findings can be correlated and de-duplicated across assessments. Each row in a vendor's CSV must therefore include a column named MasterFindingSourceIdentifier. Its value is either the source identifier of the corresponding Master Finding in Resolve (Step 2a) or an identifier the vendor supplies (Step 2b). On import, Resolve looks that value up in your Master Findings database, which is found under Administration > Findings Database.
Step 2a: Using Master Finding identifiers
Master Finding source identifiers are listed here. Export the full list with the bulk actions export functionality and provide it to your vendors.
Step 2b: Vendor-provided identifiers
Vendors will often find a vulnerability that is not yet in the Master Findings database, or you may choose not to provide them with the list of identifiers. In either case the vendor can supply its own identifiers. An identifier must be unique per type of vulnerability, not per finding: if five SQL injections are discovered across three tests, all five rows should share the same Master Finding source identifier. A vendor-provided identifier is any alphanumeric string prefixed with M:.
A simple convention is to strip all non-alphanumeric characters from the vulnerability name. For example, Cross-Site Scripting (Reflected) would be reported as M:CrossSiteScriptingReflected. Vendors must apply the convention consistently, because two spellings of the same vulnerability name produce two identifiers and therefore two Master Findings.
Once the import has created new Master Findings, correlate them so they are de-duplicated against all of your historical data.
Step 3: Import Data
The CSV provided by your vendors can then be imported like any other data source in Resolve. You can learn more about importing vulnerability data here.
When importing, use the Add Asset button to assign all vulnerabilities in the file to an existing asset rather than using the assets named by your vendor.
See UniversalImporterExample.csv for an example file below.
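The following Python script is an added example of a pre-import check for Steps 1 through 3; it is not part of this article, not UniversalImporterExample.csv, and not code from the Resolve platform. It reads a vendor CSV, fills in an empty MasterFindingSourceIdentifier from the vulnerability name using the M: convention from Step 2b, flags identifiers that are neither a known Master Finding source identifier nor a well-formed M: value, and flags a vulnerability name that appears with two different identifiers in the same file. Only the column name MasterFindingSourceIdentifier comes from the article; the Name, Severity and Asset columns, the SQLI-001 style identifiers and the findings themselves are constructed for the example, and a real vendor file should use the supported data points list.

```python
import csv
import io
import re

# The one column the article requires on every vendor row.
MF_COLUMN = "MasterFindingSourceIdentifier"
VENDOR_PREFIX = "M:"
VENDOR_ID_RE = re.compile(r"M:[A-Za-z0-9]+")


def vendor_identifier(vuln_name):
    """Derive a vendor-provided identifier the way the article suggests:
    drop every non-alphanumeric character from the name and prefix M:."""
    cleaned = re.sub(r"[^A-Za-z0-9]", "", vuln_name)
    if not cleaned:
        raise ValueError("no alphanumeric characters in name %r" % vuln_name)
    return VENDOR_PREFIX + cleaned


def normalize_vendor_csv(csv_text, master_identifiers, name_column="Name"):
    """Check a vendor CSV before import.

    Returns (fieldnames, rows, problems). A row with an empty
    MasterFindingSourceIdentifier gets one derived from its vulnerability
    name; every row is then checked against the rules in Steps 2a and 2b.
    problems is a list of "line N: ..." strings and is empty for a clean file.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = list(reader.fieldnames or [])
    if name_column not in fieldnames:
        raise ValueError("vendor CSV has no %r column" % name_column)
    if MF_COLUMN not in fieldnames:
        fieldnames.append(MF_COLUMN)

    rows, problems = [], []
    first_ident_for_name = {}  # vulnerability name -> identifier on its first row
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        name = (row.get(name_column) or "").strip()
        ident = (row.get(MF_COLUMN) or "").strip()
        if not ident:
            try:
                ident = vendor_identifier(name)
            except ValueError as exc:
                problems.append("line %d: %s" % (lineno, exc))
                rows.append(row)
                continue
        row[MF_COLUMN] = ident

        if ident.startswith(VENDOR_PREFIX):
            # Step 2b: a vendor-provided identifier is M: plus an alphanumeric string.
            if not VENDOR_ID_RE.fullmatch(ident):
                problems.append("line %d: %r is not M: followed by an alphanumeric string"
                                % (lineno, ident))
        elif ident not in master_identifiers:
            # Step 2a: anything else must be an existing Master Finding source identifier.
            problems.append("line %d: %r is not a known Master Finding source identifier"
                            % (lineno, ident))

        # Either way, one vulnerability type must map to one identifier across the file.
        first = first_ident_for_name.setdefault(name, ident)
        if first != ident:
            problems.append("line %d: %r uses %r but an earlier row uses %r"
                            % (lineno, name, ident, first))
        rows.append(row)
    return fieldnames, rows, problems


def to_csv(fieldnames, rows):
    """Serialize the normalized rows back to CSV text for the Resolve importer."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames,
                            extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample vendor export. Column names other than
# MasterFindingSourceIdentifier, and the identifier formats, are assumptions.
SAMPLE_VENDOR_CSV = """Name,Severity,Asset,MasterFindingSourceIdentifier
SQL Injection,High,app.example.test,SQLI-001
SQL Injection,High,api.example.test,SQLI-001
Cross-Site Scripting (Reflected),Medium,app.example.test,
Cross-Site Scripting (Reflected),Medium,api.example.test,M:XSSReflected
Weak TLS Configuration,Low,vpn.example.test,M:Weak TLS
Insecure Direct Object Reference,High,api.example.test,IDOR-999
"""

# Constructed stand-in for the Master Findings export from Administration > Findings Database.
SAMPLE_MASTER_IDENTIFIERS = {"SQLI-001", "XSS-REFLECTED-002"}


if __name__ == "__main__":
    fieldnames, rows, problems = normalize_vendor_csv(SAMPLE_VENDOR_CSV, SAMPLE_MASTER_IDENTIFIERS)
    for problem in problems:
        print("PROBLEM", problem)
    print(to_csv(fieldnames, rows))
```

On the constructed sample the script fills line 4 with M:CrossSiteScriptingReflected and reports three problems: line 5 uses a different identifier for the same vulnerability name, line 6 contains a space after M:, and line 7 references an identifier that is not in the Master Findings export. Run it against each vendor file and resolve every reported line before importing, so that the import does not create a stray Master Finding per spelling variant.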