Nessus, Qualys, Nuclei, GitHub: Optimizing Vulnerability Response!
Sep 16, 2024
ENTRYZERO
CISA (the U.S. Cybersecurity and Infrastructure Security Agency) maintains a list of known exploited vulnerabilities, currently encompassing 1162 vulnerabilities. For each of these, CISA has evidence of active exploitation by threat actors. Among these, 741 vulnerabilities can be exploited without requiring user interaction. Prompt response to those vulnerabilities is paramount to an organization’s cybersecurity defense. In this blog, we analyze data from CISA to assess how quickly these vulnerabilities were flagged for security professionals. We also investigate if and when vulnerability checks or Proof-of-Concepts (PoCs) were first published on platforms like Nessus, Qualys, Nuclei, and GitHub. Our key question is: How can we optimize vulnerability response to stay ahead of emerging threats?
1. Data Collection Process
To answer the question above, we focused on 741 vulnerabilities from the CISA Known Exploited Vulnerabilities Database, a subset of the total 1162 vulnerabilities listed. This subset consists of vulnerabilities that do not have any user interaction requirements. We tracked those vulnerabilities across several platforms:
Nessus Plugin Documentation and Qualys Knowledge Base: We examined the availability of plugins to detect the selected vulnerabilities in two of the most widely used commercial vulnerability scanners, namely, Nessus and Qualys.
ProjectDiscovery Nuclei Templates: We examined the availability of check routine templates in the popular open-source vulnerability scanner Nuclei, with the community-driven development of vulnerability checks.
GitHub PoCs: Security researchers often release PoCs on GitHub. Repositories like “PoC-in-GitHub” help track these PoCs. We examined the availability of valid PoCs for the selected vulnerabilities on GitHub.
The goal is to observe trends in the coverage of the selected vulnerabilities on those different platforms, and to compare the time it took for vulnerability plugins, check routines, or PoCs to become available.
2. Findings: Vulnerability Coverage
Nessus and Qualys Plugins
Out of the 741 vulnerabilities analyzed:
738 vulnerabilities had plugins available in Nessus (representing 99.6% coverage).
727 vulnerabilities had plugins available in Qualys (representing 98.1% coverage).
A key finding is the high ratio of passive plugins. For instance, only 46.42% of the Nessus plugins involved active checks, while the rest of the Nessus results are based on the target product’s reported version. The latter method is known to yield a high number of false positives.
Nuclei Templates and GitHub PoCs
On the open-source front, we found that out of the 741 vulnerabilities analyzed, 616 vulnerabilities were covered by Nuclei templates or GitHub PoCs (representing 83.1% coverage), including:
237 vulnerabilities had associated Nuclei templates, providing detection capabilities for about 31.9% of the selected vulnerabilities.
379 vulnerabilities had PoCs available on GitHub, accounting for about 51.1% of the selected vulnerabilities.
Observations
The results indicate that while open-source platforms provide tools for detecting vulnerabilities, their coverage is not as extensive as that of commercial platforms. However, it’s important to note that all check routines and PoCs from Nuclei and GitHub were active checks (offering high-fidelity results), and in this regard, their quantity surpasses that of commercial platforms.
3. Findings: Vulnerability Integration Speed (in Days)
Over the past two years, there has been significant variation in the time-to-response across the different platforms. The metrics, shown in the table below in days, highlight a consistent improvement in response times, with GitHub PoCs leading the way, followed closely by Qualys.
Year | Median CISA | Median Nessus | Median Qualys | Median Nuclei | Median GitHub PoC |
---|---|---|---|---|---|
2019,916.00,1112.00,49.00,1551.00,19.00 | |||||
2020,550.00,1400.00,6.00,1226.00,6.00 | |||||
2021,150.50,649.50,51.50,798.00,22.00 | |||||
2022,121.00,254.00,28.00,555.00,24.00 | |||||
2023,88.00,105.00,7.00,95.00,2.00 | |||||
2024,135.00,167.00,17.00,4.50,2.50 |
Observations
Response times for vulnerability detection have significantly improved over the last five years. GitHub PoCs saw a sharp drop in median response time from 19 days in 2019 to just 2 days in 2023, while Qualys reduced its median time from 49 days in 2019 to 7 days in 2023. Nessus also improved, with a decrease from 1112 days in 2019 to 105 days in 2023. Even Nuclei templates, which were slower, showed progress, with response times falling to 95 days in 2023. This trend highlights faster responses across commercial and open-source tools, enabling security teams to mitigate risks more quickly.
4. Implications for Security Teams
This analysis underscores the importance of utilizing both commercial and open-source vulnerability scanners. While commercial tools like Nessus and Qualys provide broader coverage, open-source tools like Nuclei and GitHub PoCs often deliver faster responses. Moreover, combining these platforms results in a higher ratio of high-fidelity findings. A hybrid approach enables organizations to address hacker-relevant vulnerabilities promptly while minimizing resource investment in vulnerability validation.