I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.

Open source vulnerability scanning with OpenVAS and GSA

27 July 2015 at 4:33pm

I've spent a few weeks investigating how we can use open source tools to provide basic vulnerability assessment functionality within a small ISO 27001 scope (fewer than thirty systems). The more sophisticated, expensive commercial products are great, but before we investigated their use I wanted to see what we could get on a limited budget (mostly my time).

OpenVAS, a fork of the previously open source Nessus project, seemed like the obvious choice. I had in the long distant past used the Nessus engine as the basis for a service that a previous employer offered. Here are some of my thoughts on the offering that OpenVAS and the Greenbone Security Assistant (GSA) web interface can provide you with.

Admittedly I didn't install the most recent release of either OpenVAS or GSA, and so some issues I encountered may not be representative of the current version.

Plus points:

  • The API and command line tools allowed me to quickly automate a large number of bulk tasks, saving me a lot of data entry time.
  • When the API isn't good enough, everything is contained within an easily accessible SQLite database. As long as you have time to invest, you should be able to write code to generate any reports you wish.
  • The search filters in GSA are easy to use, but retain enough sophistication to be able to construct more complex searches of results. I was able to use search filters to overcome the lack of groups or other containers for systems.
  • Results returned appear to be pretty accurate with very few false positives that needed to be followed up. Many of the false positives were highly dependent on the context of the vulnerability, which is not something any automated tool can easily deal with. False positives are easily suppressed from future reports.
  • The reporting integrates with a number of external sources of vulnerability data such as CVE, CVSS, SCAP and DFN-CERT announcements. I like it that these references and the testing methods are themselves openly accessible.

Negative points:

  • Installing the software itself wasn't quite as slick as I'd hoped for - I was hoping to have packages that I could throw at my favourite Linux distribution, but the support appears to focus on rpm-based distributions. I ended up modifying a pre-built Debian demo appliance virtual machine to suit my needs; consequently, I didn't end up with the latest version of the software installed.
  • There are no features in GSA to provide summary reports of groups of servers, or report on trends over time - only the changes between the last two scans. For a small number of systems that's probably sufficient, but it feels limited.
  • The language used in GSA can feel non-intuitive unless you've read the documentation. The Asset Management page appears to be near-identical to the Targets page, except that it includes something called a "prognosis". That's not what I expected.
  • Command line tools differ from GSA in terms of what they consider to be valid input. At the command line I could create targets with names that would then cause errors when I tried to edit them in GSA.
  • Once a target has a scanning task associated with it the port list associated with the target cannot be changed. Frustrating if you're only interested in a limited number of ports but want to add one at a later stage. The only option seems to be to delete the task, losing the results associated with it, and then to start afresh.
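The bulk automation through the API mentioned under the plus points, combined with the observation that the command line accepts target names the web interface later refuses, is illustrated by the following script. It is an added example, not code from this post or from the OpenVAS project: it talks OMP (XML over TLS) directly, and the manager host, CA file, port-list UUID, sample inventory and the name whitelist are all assumptions or constructed placeholders.

```python
import re
import socket
import ssl
import xml.etree.ElementTree as ET

MANAGER = ("openvas-manager.example", 9390)  # assumption: manager host and OMP default port
CA_FILE = "/path/to/manager-ca.pem"          # placeholder: CA that signed the manager's cert
PORT_LIST_ID = "00000000-0000-0000-0000-000000000000"  # placeholder port-list UUID
# Constructed sample inventory (hypothetical hosts): (target name, hosts field).
INVENTORY = [("web-01", "192.0.2.10"), ("db cluster", "192.0.2.20-192.0.2.22"),
             ("bad<name>", "192.0.2.30")]
# Conservative name whitelist (a local policy, not a documented GSA rule) so that
# targets created from a script stay editable in the web interface later.
NAME_OK = re.compile(r"^[A-Za-z0-9 ._-]{1,80}$")

def authenticate_xml(user: str, password: str) -> str:
    cmd = ET.Element("authenticate")
    creds = ET.SubElement(cmd, "credentials")
    ET.SubElement(creds, "username").text = user
    ET.SubElement(creds, "password").text = password
    return ET.tostring(cmd, encoding="unicode")

def create_target_xml(name: str, hosts: str, port_list_id: str = PORT_LIST_ID) -> str:
    """Build a create_target command; ElementTree escapes XML metacharacters for us."""
    if not NAME_OK.match(name):
        raise ValueError(f"target name rejected by local policy: {name!r}")
    cmd = ET.Element("create_target")
    ET.SubElement(cmd, "name").text = name
    ET.SubElement(cmd, "hosts").text = hosts
    ET.SubElement(cmd, "port_list", id=port_list_id)
    return ET.tostring(cmd, encoding="unicode")

def parse_response(xml_text: str) -> tuple:
    """Return (status, id) from an OMP *_response element; id is None unless one was created."""
    root = ET.fromstring(xml_text)
    return root.get("status"), root.get("id")

def omp_send(sock, command: str) -> str:
    """Send one command and read until the reply parses as a complete XML document."""
    sock.sendall(command.encode())
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("manager closed the connection mid-response")
        buf += chunk
        try:
            ET.fromstring(buf)
            return buf.decode()
        except ET.ParseError:
            continue

def bulk_create(user: str, password: str, inventory=INVENTORY) -> dict:
    """Create every locally valid inventory entry over one TLS session; returns name -> status."""
    ctx = ssl.create_default_context(cafile=CA_FILE)
    results = {}
    with socket.create_connection(MANAGER) as raw, ctx.wrap_socket(raw, server_hostname=MANAGER[0]) as s:
        status, _ = parse_response(omp_send(s, authenticate_xml(user, password)))
        if status != "200":
            raise RuntimeError(f"authentication failed with status {status}")
        for name, hosts in inventory:
            try:
                results[name] = parse_response(omp_send(s, create_target_xml(name, hosts)))[0]
            except ValueError as err:
                results[name] = str(err)  # rejected locally, never sent to the manager
    return results
```

Entries that fail the whitelist are reported but never reach the manager, so nothing is created that GSA might later refuse to edit.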

In conclusion, it appears that it's still possible to set up a small-scale but useful vulnerability assessment function using open source tools. What's really lacking, and something organisations will have to tackle on their own, is the integration of these tools into a wider vulnerability management programme and ISMS. We'll be tackling these issues with processes developed within our Quality Management System.