Automating Security Assessments, and Concerns with PSIRT API
Hello! The company I work for has tasked me with checking the security advisories that Cisco publishes. This task seemed ripe for automation, especially since Cisco provides a RESTful API where you can access all of the advisories they publish. They advertise being able to return extremely useful and pertinent data such as vulnerable products, the CVSS score, and a written summary of the vulnerability. If you want to get more information such as the affected software releases, you must have a certain kind of account with Cisco, which luckily we have, to access the bug API.
The concept of this API is great. Ideally you could have an inventory that automatically compares the model and version number of live devices on your network against the advisories, and only notify you about the ones that actually apply to your devices. You could set policies on top of this, like only notify me if the CVSS score is a High or more, etc.
The problem I am experiencing is that the data returned from the API is inaccurate, incomplete, and inconsistent. These things make this data untrustworthy, and force me to manually read each and every advisory. The data returned often leaves out vulnerable products and version information.
The natural next step is to forgo the API altogether and use web-scraping to pull the data. This is also not achievable because there is no consistent formatting between individual advisories, and they are often incomplete as well. Last month there were many advisories that came through without any vulnerable version listed, despite the vulnerability being about vulnerable software.
Additionally, I have found other security-related APIs from Cisco, where you can pass in model numbers and it will return you the applicable advisories, but this is not available for all products that Cisco provides and we would potentially miss something important.
I have interfaced with my account team, but I have been told that the DevNet team is experiencing growing pains, and the tooling is in its infancy (with the API being 7 years old...).
So my question to the community is, have you found a way to automate the processing of these vulnerabilities? If so, how?
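One way to structure the matching and policy layer the post describes, as an added example that is not part of the original post and not Cisco's own tooling: advisories are matched against a device inventory by product and version, a CVSS threshold is applied, and any advisory whose record is missing a score, product list or version list is routed to a manual-review queue instead of being silently dropped, since the post's core complaint is that incomplete records are exactly where a miss would occur. The advisory and inventory records are constructed samples, and the field names (advisoryId, cvssBaseScore, productNames, vulnerableVersions) are assumptions for illustration, not a claim about the real PSIRT openVuln schema.

```python
"""Triage constructed advisory records against a device inventory.

Assumptions (not the real Cisco API schema): each advisory is a dict with
advisoryId, cvssBaseScore (string), productNames (list) and
vulnerableVersions (list). Inventory rows carry hostname, product, version.
"""
from dataclasses import dataclass, field

# Constructed sample advisories, including two deliberately incomplete ones
# of the kind the post complains about.
ADVISORIES = [
    {"advisoryId": "cisco-sa-example-0001", "cvssBaseScore": "8.6",
     "productNames": ["Cisco IOS XE Software"],
     "vulnerableVersions": ["16.9.1", "16.9.2"]},
    {"advisoryId": "cisco-sa-example-0002", "cvssBaseScore": "5.3",
     "productNames": ["Cisco IOS XE Software"],
     "vulnerableVersions": ["16.9.2"]},
    {"advisoryId": "cisco-sa-example-0003", "cvssBaseScore": "9.8",
     "productNames": ["Cisco ASA Software"],
     "vulnerableVersions": []},            # no versions listed at all
    {"advisoryId": "cisco-sa-example-0004", "cvssBaseScore": "",
     "productNames": [], "vulnerableVersions": ["9.8.4"]},  # no score, no products
]

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    {"hostname": "core-rtr-1", "product": "Cisco IOS XE Software", "version": "16.9.2"},
    {"hostname": "edge-fw-1", "product": "Cisco ASA Software", "version": "9.8.4"},
    {"hostname": "access-sw-1", "product": "Cisco IOS XE Software", "version": "16.12.4"},
]


@dataclass
class Triage:
    # (advisoryId, hostname, score): confirmed product+version match above threshold
    actionable: list = field(default_factory=list)
    # (advisoryId, reason, possibly_affected_hosts): record too incomplete to evaluate
    manual_review: list = field(default_factory=list)


def parse_score(raw):
    """Return the CVSS base score as a float, or None if absent/unparseable."""
    try:
        return float(raw)
    except (TypeError, ValueError):
        return None


def triage(advisories, inventory, min_cvss=7.0):
    """Apply a data-quality gate, then a severity policy, then inventory matching."""
    result = Triage()
    for adv in advisories:
        adv_id = adv.get("advisoryId", "<missing id>")
        score = parse_score(adv.get("cvssBaseScore"))
        products = adv.get("productNames") or []
        versions = adv.get("vulnerableVersions") or []

        # Data-quality gate: anything the script cannot evaluate goes to a
        # human, together with the hosts that run a listed product (if any),
        # so the incomplete record still reaches whoever owns those devices.
        reasons = []
        if score is None:
            reasons.append("no CVSS score")
        if not products:
            reasons.append("no products listed")
        if not versions:
            reasons.append("no vulnerable versions listed")
        if reasons:
            hosts = [d["hostname"] for d in inventory if d["product"] in products]
            result.manual_review.append((adv_id, ", ".join(reasons), hosts))
            continue

        # Severity policy, e.g. "only tell me about High and above".
        if score < min_cvss:
            continue

        # Inventory match on exact product name and version string.
        for dev in inventory:
            if dev["product"] in products and dev["version"] in versions:
                result.actionable.append((adv_id, dev["hostname"], score))
    return result


if __name__ == "__main__":
    r = triage(ADVISORIES, INVENTORY, min_cvss=7.0)
    for item in r.actionable:
        print("ACTIONABLE", item)
    for item in r.manual_review:
        print("MANUAL REVIEW", item)
```

The version comparison here is an exact string match, which is deliberately conservative: a real deployment would need a parser for Cisco's release notation and a range check against "first fixed" data, but the point of the gate is that an advisory with missing fields never disappears from the report.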