The open source tool QualysGuard Open Vulnerability Data Download offers programmatic downloading of active (non close-fixed or close-ignored) QualysGuard host (formerly known as autovuln) vulnerability data to enable vulnerability syncing across security tools. This tool was published on the Qualys Community by Qualys' James Nelson.
What’s your name and title?
James Nelson, Technical Account Manager at Qualys.
Besides living and breathing Qualys, how do you enjoy spending your free time?
I enjoy my time outside of Qualys attending events related to classic cars, camping, hunting, fishing and preparing smoked meats for my friends, family, and customers to enjoy.
Tell us more about what your QualysGuard Open Vulnerability Data Download app does.
The open vulnerability data download app uses the detection feature in QualysGuard API version 2 to efficiently download all vulnerabilities severity 1-5 from a subscription that are in an open state. This BASH shell script stores the vulnerability data in local XML files. It also downloads the Knowledgebase in XML and creates a lightweight version. It outputs CSV files for Severity 1-5 vulnerabilities using both the Knowledgebase and vulnerability data by performing joins in a LOCAL XML rewriting process.
What use cases does your app alleviate or solve?
As subscriptions sizes grow, it becomes increasingly important to be efficient with vulnerability management processes. Customers demand a capability to efficiently grab their vulnerability data and crunch it in their own local systems so that they can map their vulnerability data geographically, across floors in their facilities, across racks in their data centers, etc., so they can hold the responsible staff accountable. Many enterprises have unique ways of presenting a vast array of site health data points, including vulnerability data. They expect QualysGuard data to come down from the subscription quickly and efficiently. By downloading the Knowledgebase and vulnerabilities separately and then joining them locally, the tool is able of avoid transferring many gigabytes of duplicate information.
Why is ignored remediation tickets tied into this app?
Organizations frequently manage vulnerability exceptions using QualysGuard Remediation Tickets. The detection API’s list function is designed not to list vulnerabilities with an associated close-ignore remediation ticket because these are exceptions that have been explicitly created by remediation policy or manually within the GUI.
GNU BASH shell scripting was chosen because it is simple, efficient, portable, and a large number of people understand how to customize shell scripts for their own purposes. The script was developed on OSX and also tested on Linux before it was released. It operates well on a wide variety of platforms like Apple OSX, Linux, and Unix.
How can we make our API easier to use?
The API was easy to use and made it simple to build this script. The hardest part is often figuring out what FQDN to use for the API host tied to a given subscription. Reducing API hosts to one would make it easier to get started with using the API.
What advice do you have for others to hope to build an app for QualysGuard?
First, when holding a hammer everything could look like a nail. Just because you COULD use API to do something doesn’t mean it is the right solution. Look at the native features in the Qualys UI first, and then decide. Frequently hidden gems like the Remediation Policy engine end up holding the answer. Also, if you do build a script please do not neglect security in the design. Consider secure deletes. Avoid hard coded passwords in scripts or configs. Pay attention to SSL client settings for requests – be sure to require strong SSL protocol versions, strong encryption, and verify CA trust.
Any future QualysGuard app plans? 🙂
I do not have immediate plans to release a tool, but I have started working on scripts to compare CMDB data to QualysGuard Asset Management data that I may publish eventually. Today, I am focused on ensuring this tool has a good future – it is mission critical at a number of my customers.