Why Vulnerability DB HQ?
- What is VulnerabilityDB HQ?
- But, we already have a wiki/word document/in-house application to manage our vulnerability descriptions!
- Everyone is on the same page
- Consistent and up-to-date issue descriptions across reports
- Collaboration
- What is the Public library?
- Hold on a second... aren't vulnerability descriptions very sensitive stuff?
What is VulnerabilityDB HQ?
VulnerabilityDB HQ is a platform that lets your organization manage the information it already knows to make the most of it.
- Create testing methodologies so each project is delivered to the high standard your clients demand.
- Maintain a library of vulnerability descriptions. Generate reports in a fraction of the time. No reinventing the wheel.
In addition to your private library you also get access to the Public library that contains testing methodologies and entries for some of the most common security issues.
But, we already have a wiki/word document/in-house application to manage our vulnerability descriptions!
This is a great first step, to recognize the value of managing a central library of issues that can be reused across reports.
However, wikis or static documents are not the best fit for the job. VulnerabilityDB HQ is built with the needs of the security specialist in mind: collaboration is built-in, content is structured and always at hand, the Public library is kept up-to-date with the latest developments in the industry, etc.
Finally, if you are a security company and have built an in-house application to manage your library, you can still benefit from switching to VulnerabilityDB HQ. Our core business is to provide you with a simple solution that lets you service your customers without interruptions. We implement new features, fix problems and keep the Public library up-to-date so you don't have to allocate time and resources to keep your backend systems up and running.
VulnerabilityDB HQ is developed by Security Roots, and this is our vision of the security industry.
Everyone is on the same page
Define a methodology to make it easy for you and your team to go through all the steps and don't miss anything.
Provide tasks that have to be completed, additional information, external references.
Found a new tool? a new attack technique? Great add it to the methodology so everyone can benefit from it.
Consistent and up-to-date issue descriptions across reports
As the team grows, one of the most common challenges faced by management is to ensure the consistency of the deliverables.
With VulnerabilityDB HQ you can rest assured that the same high-quality issue description will be provided to your customers every time.
Collaboration
Having a static issue description that never gets updated is not very useful. In VulnerabilityDB HQ you can easily manage and keep up-to-date all your vulnerability descriptions.
Improve your testing methodologies after every project. Make sure everyone is benefiting from everyone else's knowledge.
VulnerabilityDB HQ also comes with peace of mind: all changes are tracked and can be reverted.
Fast reports
VulnerabilityDB HQ provides a powerful API to ensure it can be used with your existing systems and reporting tools.
If you currently do not use any reporting tool, VulnerabilityDB HQ integrates out-of-the-box with Dradis Professional Edition and the Dradis Framework so you can start producing professional reports straight away.
What is the Public library?
When you sign up for VulnerabilityDB HQ not only you get your own private library, where your team can keep a list of issue descriptions and build your own methodologies, you also get access to the Public library.
The Public library contains dozens of issue descriptions ready for you to use. We add new issues every month and keep the existing ones up-to-date with the latest developments in the industry.
It also contains some testing methodologies, full with tasks and external references to dig deeper into each topic.
You can create a private copy of a public entry and adjust it to your needs. And you get notified if the public entry is updated after your forked it.
Hold on a second... aren't vulnerability descriptions very sensitive stuff?
Full vulnerability descriptions including details that can lead to exploitation are indeed a sensitive business.
However, VulnerabilityDB HQ is a platform to store the boilerplate descriptions and recommendations associated with the issues, not the specifics of every instance.
Our proposed workflow would be:
- Create a new entry (or copy it from the Public repo). For instance: “DOM-based cross-site scripting”.
- If you find an instance of this issue during a security review:
- Copy the entry from VulnerabilityDB HQ in your report or your reporting tool (e.g. use our API, or some other tool that integrates with us out-of-the-box Dradis Pro or Dradis Framework)
- Adjust the template with the specifics of this instance (e.g. “It affects the /modules/search page...”)
- If someone spots a typo or wants to add a new reference, just save your changes in VulnerabilityDB HQ and they will be there for you next time.
As you can see, the only really sensitive information here is in step 2.b and this only happens in your laptop.
