Interview: Mark Alvarez, author of “Managing Gazillion Vulnerabilities”

Mark Alvarez’s submit_ticket script on GitHub is an open source QualysGuard integration app that makes remediation tracking in CA Service Desk easy. Mark described it in detail in the document, CA Service integration app, also known as "Managing Gazillion Vulnerabilities".

1.  Tell us your name and recent infosec titles you’ve carried.

My name is Mark Jayson Alvarez. For the past 10 years of my career, my job title has gone through several incarnations. I used to be a “Security Engineer”, a “Systems Engineer, Security”, an “IT Security Administrator”, “IT Security Consultant”, and now my job title says that I am an “Information Security Analyst”. My favorite of all though is when I was still called a “Science Research Specialist” in my first job (a fancy term for Systems Administrator). And since you’ve asked, other titles that I’ve had but never really used except in my CVs are CISSP, CISA, CEH, CISM.

2.  I’m sure there’s more than infosec behind the name. How do you enjoy spending your personal time?

At work, (during break time of course), I play a lot of foosball. I enjoy playing with other folks in our office, sometimes even with the food attendant serving our lunch. I even became a champion (despite not being really competitive at all) when I was randomly paired with someone good during our mini tournament and won a mug with words “Foosball Champion” written on it.

Outside of work I enjoy spending time with my friends on out of town trips, mostly beach camping. I’m not a fitness buff but I see to it that I run at least once a week and try to beat the record I last stored in my GPS watch. I once dreamed of doing triathlons but it didn’t happen when my bicycle got stolen.  I also like spending some time in the firing range to relieve stress, but not very much lately since my carry permit expired already. I used to enjoy photography but haven’t really touched my SLR camera ever since I sold all the good lenses that I have.

3.  Tell us about what your CA Service integration app, also known as "Managing Gazillion Vulnerabilities", does.

The app I’ve written automates the creation of service desk tickets for vulnerabilities discovered by our Qualys scanner. It can do this automatically by batch (e.g., based on impact criteria we’ve defined) or interactively that lets the user select specific vulnerabilities that he/she wants to convert into request tickets. It also maintains a list of existing service desk tickets to avoid submitting duplicates and keeps tallies of vulnerability stats that help us prioritize and strategize our remediation efforts.

4.  What problem does your integration alleviate or solve?

The immediate problem solved by this app is that it significantly reduced the effort required on our part in reporting vulnerabilities found on our host assets. In our environment, every action must be initiated by a request sourced through our service desk application. From resetting of passwords to access badge provisioning to reservation of meeting rooms, and in this case remediation of security vulnerabilities, a corresponding ticket complete with necessary details must be logged.

Imagine if you have one hundred hosts, each has one vulnerability discovered that needs to be remediated right away. This would be equivalent to a hundred service desk tickets that must be submitted.  Some people would ask, “why not just create one ticket for all the vulnerabilities or at least the similar ones?”. This will not be feasible for us most of the time because different hosts (e.g., servers, desktops, network gear) or applications are supported by different teams. Hence, tickets must be transferred to the correct group and eventually assigned to individual members. And we are not just talking about one vulnerability per host or just one host here. Our information assets has been growing exponentially as our operation’s geographical reach increases.

Our expanding scope for attestation, increasing pressure from higher management due to rising frequency of security incidents causing business disruptions, global standardization, and the fact that we have a reputation to maintain being a mobile device security company has led us in concentrating our efforts on immediately resolving these so-called “low-hanging fruit” vulnerabilities.

5.  Many QualysGuard apps are related to reporting, you chose to report outside of QualysGuard. Why?

I know for a fact that QualysGuard has its own ticketing system tied to its vulnerability assessment platform. For every vulnerability discovered, QualysGuard may issue the corresponding ticket and automatically close it as soon as the vulnerability falls off from its radar. It also has the capability of reporting statistics that can be consumed by non-technical audiences. Unfortunately for us, both built-in functionalities are not flexible enough or at least sufficient for our use.

How do you automatically tag false positive vulnerabilities and avoid creating unnecessary tickets? We do this by deploying scripts that extract CVE data from the Changelogs of the thousands of Linux hosts that we manage and feed these data into this app. How do you include additional information such as IP address mappings, system owners, or custom impact classifications in the tickets generated by Qualys?

The fact that our environment is tightly integrated with our existing service desk application makes the use of built-in ticketing functionality practically infeasible. How do you arrange vulnerabilities per impact, track the current status of service desk tickets, their current assignee, or age, and report on SLA violations? How do you put everything into a nicely formatted report and send it out to your team’s distribution list every Monday morning? You can do all these by writing custom applications like this one I’ve created.

6.  Congratulations on your white paper. Has your work been viewed differently since publishing?

Thank you. Personally, after almost accomplishing this seemingly impossible task (almost because it’s still a work in progress) that my boss gave me, not the task of writing this program but rather just resolving all the gazillion vulnerabilities that we are finding in our environment using only the resources that we have, I’ve learned one important lesson. No matter how complicated a given problem appears to be, as long as you are very much passionate about solving it and you don’t limit yourself in imagining how you are going to approach that problem, chances are you’ll eventually end up solving it one way or another.

My write up shows that with automation, simple but unwieldy operational tasks become more manageable and as a result, we can divert our efforts and limited resources onto other more critical issues that require our immediate attention.

7.  Your other works also leverage Perl. What led you to choose Perl for your app?

Perl is a convenient programming language to use. Not saying it’s the most convenient one, but it’s been there for ages. Useful libraries are freely available for download. It all boils down to what you’re most comfortable with. I could have probably written the entire app in C but that would probably have taken me 8 years to finish compared to just 8 months I spent improving and debugging this little Perl program. I can’t even remember how to declare and define function prototypes in C anymore.

Once in a while, I try to understand and learn other scripting languages when reading other peoples code but only on as-needed basis. All these programming languages are the same to me. They all make use of variables, subroutines, external libraries, control structures, etc. I’d say use one, stick with it and be good at it.

8.  How can we make the Qualys API easier to use?

Qualys API is flexible enough for our needs. When we transitioned from another vulnerability scanning provider into Qualys, I was glad to find out that the latter gives us full control over our subscription (with limitations of course) by exposing their API. But like anything else in this world, nothing is perfect. At the moment I don’t have anything in mind in particular that I’d like to improve on Qualys’ API.

Qualys folks are very attentive in answering inquiries about their API. They are always open to suggestions and every request for improvement or additional feature is immediately evaluated for feasibility. I just wish they are flexible enough with their API subscription limits. If at all possible, why not remove those limits and instead put a compensating control that automatically kicks in once it detects someone abusing its use.

9.  What advice do you have for others to hope to build an app for QualysGuard?

If you are in the QualysGuard platform and you need to accomplish certain tasks that are critical to your operations, you’ll get the most out of your subscription by leveraging their API. This, however, will require someone in your team with adequate programming skills. Bill Gates once said, “I choose a lazy person to do a hard job. Because a lazy person will find an easy way to do it.” So there you have it. All you need is a lazy programmer… or you can hire me. (Just kidding boss!)

10. Any future QualysGuard app plans? :-)

Nothing in particular but as long as our company remains subscribed to Qualys and we can make a better more efficient use of their service, I’ll definitely write more apps like this one.