Issues vs findings
As of version 2.20 Seccubus has a notion of Issues and Findings. This document tries to explain the difference between these two, and give suggestions how you can use Issues to improve tracking and remediation of security problems in your infrastructure.
What is a finding?
A finding is a unique bit of output from your scanner for a certain host/port/plugin combination.
For example Nmap can generate the following finding for host example.com on port 23 with the open-port plugin:
Port : 23/tcp State : open Confirmed by : syn-ack (TTL: 64) Service : ssh Method : probed Extra info : protocol 2.0 Fingerprint : SF-Port23-TCP:V=5.51%I=7%D=8/20%Time=4E50140D%P=x86_64-pc-linux-gnu%r(NULL,23,"SSH-2\.0-OpenSSH_5\.8p1-hpn13v10lpk\r\n"); Please submit fingerprint to http://insecure.org/cgi-bin/submit.cgiConfidence : 10
Findings are generated by scanners and may or may not highlight a security problem in your infrastructure.
What is an issue?
An issues is a way for us humans to group findings together for various reasons and to provide an interpretation of a finding. E.g. the above finding may represent two issues:
- The firewall is not blocking connection requests to port 23
- There is an SSH deamon listening on port 23 which requires investigation.
In this case you can create two issues and link this one finding to them. There is also a case to for linking multiple findings to a single issue. Say that port 23 is not the only port that is left open, but you want to tell your firewall administrator about a number of open ports. In this case issue 1 can be rephrased as “Redundant open ports” and all findings that relate to ports being open where they shouldn’t can be linked to this single isseu.
When remediation is in progress the issues can help you validate statements like: “I have fixed all open ports” and it can help you report on progress better.
Isn’t this just like a tickets system?
Yes… and no. Issues do look a lot like trouble tickets and for small shops this may be just sufficient, however it does not have all the features that a full ticket system will have. For those of you that have a ticket system you can use the following configuration snippet to turn external references into clickable links.
<tickets> <url_head>https://jira.atlassian.com/browse/</url_heads> <url_tail>?showall=1</url_tail> </tickets>
In this case I have provided an example that uses managed Jira by Atlassian. If you have an external reference that is e.g. DEMO-1 this will get linked to https://jira.atlassian.com/browse/DEMO-1?showall=1.
So why would I maintain both this and a ticket in a ticket system?
Making you work less instead of more is always been an objective of Seccubus, so first of all, if you do not want to use the Issues tab, you are free to do so. However using it makes it easier to see which findings below to which tickets and thus track if Issues have been resolved properly and if one finding going away or changing actually resolves the entire issue.
Cool! So how do I use it?
Go process you findings as you normally would. There are various link buttons in the GUI that allow you to link a finding to an existing issue or create a new one. Have fun!