Nessus, Qualys, Nuclei, GitHub: Optimizing Vulnerability Response!


Sep 16, 2024


ENTRYZERO

CISA (the U.S. Cybersecurity and Infrastructure Security Agency) maintains a list of known exploited vulnerabilities, currently encompassing 1162 vulnerabilities. For each of these, CISA has evidence of active exploitation by threat actors. Among these, 741 vulnerabilities can be exploited without requiring user interaction. Prompt response to those vulnerabilities is paramount to an organization’s cybersecurity defense. In this blog, we analyze data from CISA to assess how quickly these vulnerabilities were flagged for security professionals. We also investigate if and when vulnerability checks or Proof-of-Concepts (PoCs) were first published on platforms like Nessus, Qualys, Nuclei, and GitHub. Our key question is: How can we optimize vulnerability response to stay ahead of emerging threats?

1. Data Collection Process

To answer the question above, we focused on 741 vulnerabilities from the CISA Known Exploited Vulnerabilities Database, a subset of the total 1162 vulnerabilities listed. This subset consists of vulnerabilities that do not have any user interaction requirements. We tracked those vulnerabilities across several platforms:

  • Nessus Plugin Documentation and Qualys Knowledge Base: We examined the availability of plugins to detect the selected vulnerabilities in two of the most widely used commercial vulnerability scanners, namely, Nessus and Qualys.

  • ProjectDiscovery Nuclei Templates: We examined the availability of check routine templates in the popular open-source vulnerability scanner Nuclei, whose vulnerability checks are developed by the community.

  • GitHub PoCs: Security researchers often release PoCs on GitHub. Repositories like “PoC-in-GitHub” help track these PoCs. We examined the availability of valid PoCs for the selected vulnerabilities on GitHub.

The goal is to observe trends in the coverage of the selected vulnerabilities on those different platforms, and to compare the time it took for vulnerability plugins, check routines, or PoCs to become available.

2. Findings: Vulnerability Coverage

Nessus and Qualys Plugins

Out of the 741 vulnerabilities analyzed:

  • 738 vulnerabilities had plugins available in Nessus (representing 99.6% coverage).

  • 727 vulnerabilities had plugins available in Qualys (representing 98.1% coverage).

A key finding is the high ratio of passive plugins. For instance, only 46.42% of the Nessus plugins involved active checks; the rest of the Nessus results are based on the version the target product reports, a method known to yield a high number of false positives.

Nuclei Templates and GitHub PoCs

On the open-source front, we found that out of the 741 vulnerabilities analyzed, 616 vulnerabilities were covered by Nuclei templates or GitHub PoCs (representing 83.1% coverage), including:

  • 237 vulnerabilities had associated Nuclei templates, providing detection capabilities for about 31.9% of the selected vulnerabilities.

  • 379 vulnerabilities had PoCs available on GitHub, accounting for about 51.1% of the selected vulnerabilities.

Observations

The results indicate that while open-source platforms provide tools for detecting vulnerabilities, their coverage is not as extensive as that of commercial platforms. However, it’s important to note that all check routines and PoCs from Nuclei and GitHub were active checks (offering high-fidelity results), and in this regard the number of active checks they provide (616) surpasses that of the commercial platforms.

3. Findings: Vulnerability Integration Speed (in Days)

Over the past two years, there has been significant variation in the time-to-response across the different platforms. The metrics, shown in the table below in days, highlight a consistent improvement in response times, with GitHub PoCs leading the way, followed closely by Qualys.

Year   Median CISA   Median Nessus   Median Qualys   Median Nuclei   Median GitHub PoC
2019   916.00        1112.00         49.00           1551.00         19.00
2020   550.00        1400.00         6.00            1226.00         6.00
2021   150.50        649.50          51.50           798.00          22.00
2022   121.00        254.00          28.00           555.00          24.00
2023   88.00         105.00          7.00            95.00           2.00
2024   135.00        167.00          17.00           4.50            2.50

Observations

Response times for vulnerability detection have significantly improved over the last five years. GitHub PoCs saw a sharp drop in median response time from 19 days in 2019 to just 2 days in 2023, while Qualys reduced its median time from 49 days in 2019 to 7 days in 2023. Nessus also improved, with a decrease from 1112 days in 2019 to 105 days in 2023. Even Nuclei templates, which were slower, showed progress, with response times falling to 95 days in 2023. This trend highlights faster responses across commercial and open-source tools, enabling security teams to mitigate risks more quickly.
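The steps described in sections 1 through 3 (selecting the CVEs that need no user interaction, computing coverage per platform, the share of active Nessus checks, and the yearly medians of days-to-coverage) can be reproduced on a small scale with the script below. It is an added example, not code from ENTRYZERO or from this post. The records, CVE ids and dates are constructed, and the script assumes two things the post does not specify: that "no user interaction" is read from the CVSS v3 vector (UI:N), and that response time is counted in days from the CVE's publication date, grouped by publication year.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample records (not the blog's dataset; CVE ids are placeholders).
# "published" is the assumed baseline date of the CVE; each platform field holds
# the first date a detection artifact was observed there, or None if none was found.
SAMPLE = [
    {"cve": "CVE-0000-0001", "published": date(2023, 1, 10),
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "cisa": date(2023, 2, 1), "nessus": date(2023, 1, 20), "nessus_active": True,
     "qualys": date(2023, 1, 15), "nuclei": date(2023, 3, 1), "github": date(2023, 1, 12)},
    {"cve": "CVE-0000-0002", "published": date(2023, 3, 5),
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "cisa": date(2023, 3, 20), "nessus": date(2023, 3, 10), "nessus_active": True,
     "qualys": None, "nuclei": None, "github": date(2023, 3, 6)},
    {"cve": "CVE-0000-0003", "published": date(2023, 6, 1),   # UI:R -> excluded by the filter
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
     "cisa": date(2023, 6, 30), "nessus": date(2023, 6, 3), "nessus_active": False,
     "qualys": date(2023, 6, 4), "nuclei": None, "github": None},
    {"cve": "CVE-0000-0004", "published": date(2024, 2, 1),
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
     "cisa": date(2024, 2, 11), "nessus": date(2024, 2, 5), "nessus_active": False,
     "qualys": date(2024, 2, 3), "nuclei": date(2024, 2, 2), "github": None},
]

PLATFORMS = ("cisa", "nessus", "qualys", "nuclei", "github")


def no_user_interaction(records):
    """Keep CVEs whose CVSS v3 vector has UI:N (assumed selection criterion)."""
    return [r for r in records if "/UI:N" in r["vector"]]


def coverage(records, platform):
    """Number and percentage of records with any artifact on the platform."""
    covered = sum(1 for r in records if r[platform] is not None)
    return covered, round(100.0 * covered / len(records), 1)


def active_check_share(records):
    """Percentage of Nessus-covered records whose plugin is an active check
    rather than a version match (the post's 46.42% figure is of this kind)."""
    with_plugin = [r for r in records if r["nessus"] is not None]
    active = sum(1 for r in with_plugin if r["nessus_active"])
    return round(100.0 * active / len(with_plugin), 1)


def median_days_by_year(records, platform):
    """Median days from CVE publication to first artifact, per publication year.
    Years with no artifact on the platform are omitted from the result."""
    by_year = defaultdict(list)
    for r in records:
        if r[platform] is None:
            continue
        by_year[r["published"].year].append((r[platform] - r["published"]).days)
    return {year: median(days) for year, days in sorted(by_year.items())}


def report(records):
    """Coverage per platform plus a year-by-platform table of median days,
    in the same shape as the post's summary."""
    selected = no_user_interaction(records)
    lines = [f"selected {len(selected)} of {len(records)} CVEs (UI:N)"]
    for p in PLATFORMS:
        n, pct = coverage(selected, p)
        lines.append(f"{p:>7}: {n} covered ({pct}%)")
    lines.append(f"Nessus active checks: {active_check_share(selected)}%")
    lines.append("Year " + " ".join(f"{p:>8}" for p in PLATFORMS))
    for year in sorted({r["published"].year for r in selected}):
        cells = []
        for p in PLATFORMS:
            m = median_days_by_year(selected, p).get(year)
            cells.append(f"{m:>8.1f}" if m is not None else f"{'-':>8}")
        lines.append(f"{year} " + " ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Feeding the real inputs (the KEV catalog, NVD publication dates and the first-seen dates scraped from each platform) into the same record shape is all that is needed to regenerate a table like the one above; the median, rather than the mean, keeps a handful of very late plugins from dominating a year.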

4. Implications for Security Teams

This analysis underscores the importance of utilizing both commercial and open-source vulnerability scanners. While commercial tools like Nessus and Qualys provide broader coverage, open-source tools like Nuclei and GitHub PoCs often deliver faster responses. Moreover, combining these platforms results in a higher ratio of high-fidelity findings. A hybrid approach enables organizations to address hacker-relevant vulnerabilities promptly while minimizing resource investment in vulnerability validation.
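One way to put the hybrid approach into practice is to merge the findings of the commercial and open-source scanners per host and rank them by three facts: whether the CVE is in the KEV catalog, whether an active check has already confirmed it, and, for version-only matches, whether a Nuclei template or a public PoC exists with which the finding can be validated before patching. The Python below is an added illustration, not ENTRYZERO's tooling; the Finding class, the priority rules, and all CVE ids, hosts and sets are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    source: str   # scanner that reported it: "nessus", "qualys" or "nuclei"
    method: str   # "active" (check exercised the flaw) or "version" (banner/version match)


# Constructed inputs (placeholder CVE ids and hosts; not the blog's data).
KEV = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0005"}
NUCLEI_TEMPLATES = {"CVE-0000-0002"}   # KEV entries with an active Nuclei template
GITHUB_POCS = {"CVE-0000-0003"}        # KEV entries with a public PoC but no template
FINDINGS = [
    Finding("CVE-0000-0001", "10.0.0.5", "nessus", "version"),
    Finding("CVE-0000-0001", "10.0.0.5", "nuclei", "active"),   # same flaw, confirmed
    Finding("CVE-0000-0002", "10.0.0.7", "qualys", "version"),
    Finding("CVE-0000-0003", "10.0.0.9", "nessus", "version"),
    Finding("CVE-0000-0003", "10.0.0.9", "qualys", "version"),  # duplicate across scanners
    Finding("CVE-0000-0004", "10.0.0.9", "nessus", "version"),  # not in KEV
    Finding("CVE-0000-0005", "10.0.0.11", "nessus", "version"), # KEV, version match only
]


def triage(findings, kev, nuclei_templates, github_pocs):
    """Merge findings per (cve, host) and assign a priority and next action.
    0 = exploited in the wild and confirmed, 3 = routine patching."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.cve, f.host)].append(f)

    rows = []
    for (cve, host), fs in groups.items():
        confirmed = any(f.method == "active" for f in fs)
        if cve not in kev:
            prio, action = 3, "not in KEV: schedule in the normal patch cycle"
        elif confirmed:
            prio, action = 0, "exploited in the wild and confirmed by an active check: patch now"
        elif cve in nuclei_templates:
            prio, action = 1, "version match only: confirm with the Nuclei template, then patch"
        elif cve in github_pocs:
            prio, action = 1, "version match only: internal test team validates with the public PoC in a lab, then patch"
        else:
            prio, action = 2, "version match only, no active check available: patch by the KEV due date, verify afterwards"
        rows.append({"cve": cve, "host": host, "priority": prio, "confirmed": confirmed,
                     "sources": sorted({f.source for f in fs}), "action": action})
    return sorted(rows, key=lambda r: (r["priority"], r["cve"], r["host"]))


def validation_workload(rows):
    """Number of KEV findings that still need validation effort (priority 1 or 2);
    every active check that exists lowers this number."""
    return sum(1 for r in rows if r["priority"] in (1, 2))


if __name__ == "__main__":
    rows = triage(FINDINGS, KEV, NUCLEI_TEMPLATES, GITHUB_POCS)
    for r in rows:
        print(f"P{r['priority']} {r['cve']} {r['host']:<10} "
              f"{','.join(r['sources']):<14} {r['action']}")
    print(f"findings awaiting validation: {validation_workload(rows)}")
```

The first rule is the one the post's numbers argue for: a KEV entry that an active check has confirmed needs no further validation, so the effort the team would otherwise spend verifying version matches goes only to the entries where none of the platforms offers an active check.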
