ShadowTrackr


In beta: automated CVE checks on your software

05 January 2020
Have you seen the software report on your assets? Well, it’s about to become more interesting. The software report shows you a list of all software that ShadowTrackr has detected on your systems. Such a list is useful to check if you’re running vulnerable or exploitable software.

But why check manually when automated vulnerability checks can do it for you? That’s in beta now. We track all registered CVEs and match them against your software report. If CVEs are found, they’re shown in the report and you can click them for more information.

The match is done based on information found in regular checks we run on your assets. We would never actively run a penetration test against your systems without a specific request and explicit prior approval.

Beta in this case means that we’re still figuring out the best way to do this. We don’t want to bury you in false positives. So, nothing is shown on your timeline, no alerts are sent and no mentions appear in the weekly (for now).

New search syntax with autocomplete

31 December 2019
The last update of this year contains a bunch of bug fixes, server upgrades, better cloud tracking and renewed search and export options. Those last two are definitely worth discussing in more detail.

The search options have grown organically over time and ended up being messy. In the early days you could use grade:B to search for all TLS certificates with that grade (based on SSL Labs scores). Then came website security grades (based on Mozilla Observatory scores) and grade: became ambiguous. The quick fix was splitting it into the rather ugly certgrade: and webgrade:. Since you could only search a few entities (certificates, hosts and websites) and fields, collisions were rare. It only happened with grade.

Now, as more entities and fields become searchable, collisions are more likely. To fix that, the search syntax has been redesigned based on Lucene search syntax. So, to search for all websites running on Apache with a website security grade B, you use:

website.grade:B AND website.software:apache

To search for all certificates with grade A that were issued by Comodo, you do:

certificate.grade:A AND certificate.issuer:Comodo

Much better, right? And the search bar on every page now has autocomplete. It shows you which entities are searchable (currently: certificate, website, host, whois and dns) and which fields are available. It also autocompletes your known URLs and IP addresses. You can use either the mouse or the up/down arrow keys and tab to complete your search text. Have a look at these search examples.
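How entity-qualified fields remove the grade: ambiguity described above, as an added sketch that is not ShadowTrackr's code. The field sets, the exact-match comparison (real Lucene matching is richer) and the sample records are assumptions constructed for the example.

```python
import re

# Entities named in the post; the field sets are assumptions limited to the
# fields the post's two example queries use.
SCHEMA = {
    "certificate": {"grade", "issuer"},
    "website": {"grade", "software"},
    "host": set(), "whois": set(), "dns": set(),
}
TERM = re.compile(r"^(?:(\w+)\.)?(\w+):(\S+)$")


def parse(query):
    """Parse 'entity.field:value AND ...' into (entity, field, value) terms."""
    terms = []
    for raw in re.split(r"\s+AND\s+", query.strip()):
        m = TERM.match(raw)
        if not m:
            raise ValueError(f"malformed term: {raw!r}")
        entity, field, value = m.groups()
        if entity is None:
            # Bare field: report which entities it could refer to.
            owners = sorted(e for e, f in SCHEMA.items() if field in f)
            raise ValueError(f"{field}: needs an entity, one of {owners}")
        if field not in SCHEMA.get(entity, ()):
            raise ValueError(f"unknown field {entity}.{field}")
        terms.append((entity, field, value.lower()))
    return terms


def search(query, assets):
    """Return assets whose entity matches and whose fields satisfy every term."""
    terms = parse(query)
    return [a for a in assets
            if all(a["entity"] == e and str(a.get(f, "")).lower() == v
                   for e, f, v in terms)]


# Constructed sample records, not real scan data.
ASSETS = [
    {"entity": "website", "name": "www.example.com", "grade": "B", "software": "apache"},
    {"entity": "website", "name": "shop.example.com", "grade": "B", "software": "nginx"},
    {"entity": "certificate", "name": "example.com", "grade": "A", "issuer": "Comodo"},
    {"entity": "certificate", "name": "old.example.com", "grade": "B", "issuer": "Comodo"},
]

if __name__ == "__main__":
    print(search("website.grade:B AND website.software:apache", ASSETS))
    print(search("certificate.grade:A AND certificate.issuer:Comodo", ASSETS))
```

A bare grade:B is rejected with the list of entities that own a grade field, which is exactly the collision the old certgrade:/webgrade: split worked around.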

The other big change is in how we track things in the cloud. We see that more and more of our customers’ assets end up at big cloud providers and CDNs. So far, we’d just list the name of the cloud instead of the IP. That was a bit incomplete to say the least, and now we track both the cloud and the current IP. This allows for better scanning and better graphs, and opens the way to new functionality.

Note that you might find some rediscovered cloud assets on your timeline. This is all part of the automatic migration and doesn’t cause any trouble. It can clutter your timeline though, so we’ll do our best to clean it up as much as possible. Still finding trouble? Please let us know and we’ll fix it for you.

Start fixing your assets by mailing reports

08 December 2019
This update had a lot in it, but the most useful I think is the option to mail reports. You can now directly email all data you see to an email address of your choice. This works for websites, certificates, hosts and domains. You’ll find the option mail report at the top of the menu under the triple dots (top right).

Using your own product is a good way to find out what is working and what is not. I found myself typing quite a few emails to the persons who needed to fix things. Insecure certificate? Write an email. Insecure port open? Write an email. Insecure headers on a website? Write an email. Of course including screenshots helped, but this forces the receiver to retype everything that should have been a convenient copy-paste. That’s fixed now. So, go ahead and start chasing your security problems by mailing reports.

The graph on the URL page has also improved. Links between your assets are shown more clearly. Related assets that are not yours are shown in grey, and you can easily add them by clicking. There are more small improvements; check out the graphs for your more complex assets and you’ll see.

Next stop is improving the weekly PDF report.
