It’s the night before launch. To put it more accurately, it’s launch morning. You’ve been working long hours for the last six weeks to get your company’s latest web application ready for your adoring public. You’ve been testing and re-testing to make sure it’s free of bugs and any other issues your users might have as they interact with your new product for the first time. But now you’re finally satisfied. Your PM is satisfied, and you’re ready to launch, and you’re fantasizing about all the full nights of sleep you have ahead of you.
That is, until your boss’s boss pops his head in the door as he’s leaving and says, “Hey, are we sure this thing is secure? Run a few of our scanner-doo-dads on it and write up a report of any vulnerabilities we should be aware of.” His words just sort of hang in the air as your sleep-deprived brain tries to process the meaning. Secure? Vulnerabilities? Write a report? Gwah?
You’ve run security scans on your applications before, but you always just sent the results to Barney in IT to write the report for you. Barney left for Tahiti three days ago, though, and he doesn’t usually work late anyway. Now you’ve got to put together a vulnerability report before you can make your zombie-like march home and collapse into bed.
You’re going to need some help.
The first thing you do is boot up your scanners. Burp Suite and Nessus Vulnerability Scanner are your go-tos. You know them well enough to be able to run the scan, export an XML file, and then email the XML file to Barney. Barney’s gone, but maybe you can make enough sense of the exported PDFs to write the report manually. So you run both of the scans and go make some coffee, your only true friend at the moment. You get back and find the scans have finished. Great! You export the PDF file from Nessus and open it. It looks like this:
That’s not so bad. I could probably turn these into a report by hand.
You scroll through the file and it seems a bit long. You glance up at the top of your PDF reader. It says that this PDF has 3215 pages.
I wonder if my resume is up-to-date?
You sort of stare at the screen for a while and think about your bed. Then you do what you always do: ask Google if there’s any easy way out of this. You search around a bit and find a company called Lunarline that makes a product called Vulnerability Scan Converter. The web page reads:
After VSC processes data, it compiles your vulnerability information into a single Excel workbook. You’ll have access to spreadsheets with information on each instance of every vulnerability found. There are also worksheets that provide additional vulnerability information, including the risk level that vulnerability poses as well as a list of hosts where a given vulnerability was found.
Oh please let this be the answer.
You download the trial version and give it a try. There is no installation process; VSC starts right up. You click Import Scan Results and import the XML files you normally send to Barney. The VSC UI instantly responds:
Wow, it certainly seems to know more about these scanner files than I do.
When the import is complete you export the results and find all of the vulnerability information neatly organized into a handy Excel workbook. Oh, sweet goodness, I’m going to sleep tonight!
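For readers who want to see what that conversion actually involves, here is an added example (my own code, not Lunarline’s VSC and not part of the original post) that does the core of the job by hand: it parses the Nessus v2 XML export (the `.nessus` layout of `NessusClientData_v2` / `Report` / `ReportHost` / `ReportItem`), collapses the per-host instances into one row per vulnerability with its risk level, affected hosts and instance count, and writes a CSV that Excel opens directly. The embedded XML is a constructed sample; every host address, plugin ID, plugin name and CVE in it is made up.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in the .nessus v2 layout. Hosts, plugin IDs, plugin names
# and CVE identifiers are all invented for this example.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="launch-scan">
    <ReportHost name="10.0.0.5">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="Example: legacy TLS version enabled">
        <risk_factor>High</risk_factor>
        <cve>CVE-0000-0001</cve>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="900002" pluginName="Example: SSH service detected">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.0.6">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="900001" pluginName="Example: legacy TLS version enabled">
        <risk_factor>High</risk_factor>
        <cve>CVE-0000-0001</cve>
      </ReportItem>
      <ReportItem port="8080" svc_name="http-alt" protocol="tcp" severity="2"
                  pluginID="900003" pluginName="Example: default admin credentials">
        <risk_factor>Medium</risk_factor>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Nessus risk_factor values, highest first, used for sorting the summary.
RISK_ORDER = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}


def parse_findings(xml_text):
    """Return one dict per ReportItem, i.e. one instance of a finding on one host."""
    # Scanner output you produced yourself is trusted; if the XML could come
    # from an untrusted party, parse it with defusedxml rather than the stdlib.
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": f'{item.get("port")}/{item.get("protocol")}',
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "risk": item.findtext("risk_factor", default="None"),
                "cves": [c.text for c in item.findall("cve")],
            })
    return findings


def summarize(findings):
    """Collapse instances into one row per plugin: risk, affected hosts, instance count."""
    rows = {}
    for f in findings:
        row = rows.setdefault(f["plugin_id"], {
            "plugin_id": f["plugin_id"], "name": f["name"], "risk": f["risk"],
            "hosts": set(), "instances": 0, "cves": set()})
        row["hosts"].add(f["host"])
        row["instances"] += 1
        row["cves"].update(f["cves"])
    # Highest risk first, then plugin ID, so the output order is stable.
    return sorted(rows.values(),
                  key=lambda r: (-RISK_ORDER.get(r["risk"], 0), r["plugin_id"]))


def _excel_safe(value):
    """Neutralise spreadsheet formula injection: a scanner-reported string such as a
    banner or plugin output can begin with =, +, - or @ and be evaluated by Excel."""
    text = str(value)
    return "'" + text if text.startswith(("=", "+", "-", "@")) else text


def to_csv(summary):
    """Render the per-vulnerability summary as CSV text (Excel opens it directly)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["plugin_id", "risk", "name", "instances", "hosts", "cves"])
    for r in summary:
        writer.writerow([_excel_safe(v) for v in (
            r["plugin_id"], r["risk"], r["name"], r["instances"],
            " ".join(sorted(r["hosts"])), " ".join(sorted(r["cves"])))])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(summarize(parse_findings(SAMPLE_NESSUS))))
```

Run it against a real `.nessus` file by reading the file into `parse_findings` instead of `SAMPLE_NESSUS`; the Burp Suite XML export uses a different schema and would need its own parser. The `_excel_safe` step matters more than it looks: anything that ends up in a report cell came from a host you scanned, and a cell starting with `=` is executed, not displayed, when the workbook is opened.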
After purchasing a license, you activate the full version of VSC and generate a complete vulnerability report from your XML files. You email one copy to your boss and another to Barney in IT, letting him know that his days of writing your vulnerability reports are over. You’re not exactly sure what happened after that, but you wake up the next morning in your bed. You think it’s possible that VSC drove you home from work as well, but you’re not sure. You roll over and go back to sleep.