Multiple scanner appliance selector is an open source tool written by Michael Calvi that automates the dynamic assignment of scanners to QualysGuard target hosts. The tool helps increase scanning efficiency across large networks. Given the niche problem Michael chose to solve, I wanted to learn more about it.
What’s your name and title?
Michael Calvi, Network Security Manager. Don’t let the title throw you, my team is responsible for more than just network.
How do you enjoy spending your personal time?
I spend most of my free time between Amateur Radio, playing with my daughter and various maintenance tasks around the house. I like fixing things that are broken.
Tell us about what your scanner selector app does.
The scanner app uses a back end database to determine for a given IP address(es) which scanner is best suited for the task based on load and location of the scanner to the target(s) in our network.
What use cases does your app alleviate or solve?
As an example, when the Snowman IE patch (CVE-2014-0322 or KB 2934088 or MS014-012) was released, we utilized the scanner and were able to scan our entire client base (approximately 9000 nodes) in a single night without impact to the network in an 8 hour period. We worked with our TAM and support to increase the concurrent scan rates as well to accomplish this. As a measure of what would normally happen on a 0 day patch verification scan, the scans would last roughly 1-2 days.
Many QualysGuard apps are related to reporting, but you chose to solve a scanning problem. Why?
When we first deployed Qualys scanners we were having issues overrunning the CPU on the remote WAN routers. We worked with our network engineers to throttle down the connections and were mandated to only scan a region from a single scanner at any given time. As such, our second scanner sat mostly unused unless we manually selected the scanner through the GUI. This was a waste of power and rack space, so we decided to see how we could load balance between the scanners.
We investigated the ‘All Scanners in Asset Group’ option, but this wouldn’t work for our use case as after a patch is applied to a system, we have a process which submits the IP address to be scanned for patch verification and didn’t want to be churning AGs. Our solution was to do some simplistic internal load balancing that accomplished something close to load balancing utilization while still maintaining the mandates above.
What led you to choose Perl for your app?
Perl is what my team is most familiar with, so it was chosen for supportability reasons.
You mentioned this was "horribly written". I also tend to be hard on myself. Given the time, how could you have improved the app?
Given time, I would add additional error handling, consideration for GUI tasks running/scheduled and tune the ‘reservation’ times. Currently an arbitrary time is set for the reservation (Y targets * Z minutes) vs actually checking the utilization of the scanner and completion of the task.
How can we make our API easier to use?
We use the Qualys API as the standard for our other vendors in terms of documentation of the calls and their results. The only thing I would like to see is full parity between the GUI and API.
What advice do you have for others who hope to build an app for QualysGuard?
Computers are great for automated tasks, so use them. Figure out what you do a lot and look to automate it.
Any future QualysGuard app plans? :-)
Yes, we are looking into how to map QID->CVE-> $softwareDeliveryProductTaskID so that we can potentially automate some of our Sev 5 remediation for client devices.
This interview by Parag Baxi is part of the Qualys Community Interview Series.