Nessus, Qualys, Nuclei, GitHub: Optimizing the Response to Vulnerabilities!
16.09.2024
ENTRYZERO
CISA (the US Cybersecurity and Infrastructure Security Agency) maintains a current list of 1162 relevant vulnerabilities. For each of these vulnerabilities, CISA has evidence of active exploitation by threat actors. 741 of these vulnerabilities can be exploited without user interaction. We analyzed these vulnerabilities with respect to available check routines or proof-of-concepts, considering the common platforms Nessus, Qualys, Nuclei, and GitHub. The central question is: how can we optimize the response to vulnerabilities in order to stay ahead of new threats?
0. Summary
The results underline the importance of using both commercial and open-source vulnerability scanners. While commercial platforms such as Nessus and Qualys offer broader coverage, open-source tools such as Nuclei and GitHub PoCs often deliver faster responses. Moreover, combining these platforms leads to a higher proportion of valid findings. A hybrid approach enables organizations to remediate the highest-risk vulnerabilities promptly while minimizing the resources spent on validating vulnerabilities.
1. Data Collection Process
To answer the question above, we focused on 741 vulnerabilities from the CISA Known Exploited Vulnerabilities Database, a subset of the total 1162 vulnerabilities listed. This subset consists of vulnerabilities that do not require any user interaction to be exploited. We tracked those vulnerabilities across several platforms:
Nessus Plugin Documentation and Qualys Knowledge Base: We examined the availability of plugins to detect the selected vulnerabilities in two of the most widely used commercial vulnerability scanners, namely, Nessus and Qualys.
ProjectDiscovery Nuclei Templates: We examined the availability of check routine templates in the popular open-source vulnerability scanner Nuclei, whose vulnerability checks are developed by the community.
GitHub PoCs: Security researchers often release PoCs on GitHub. Repositories like “PoC-in-GitHub” help track these PoCs. We examined the availability of valid PoCs for the selected vulnerabilities on GitHub.
The goal is to observe trends in the coverage of the selected vulnerabilities on those different platforms, and to compare the time it took for vulnerability plugins, check routines, or PoCs to become available.
2. Findings: Vulnerability Coverage
Nessus and Qualys Plugins
Out of the 741 vulnerabilities analyzed:
738 vulnerabilities had plugins available in Nessus (representing 99.6% coverage).
727 vulnerabilities had plugins available in Qualys (representing 98.1% coverage).
A key finding is the high ratio of passive plugins. For instance, only 46.42% of the Nessus plugins involved active checks; the remaining Nessus results are based solely on the version string the target product reports. The latter method is known to yield a high number of false positives.
Nuclei Templates and GitHub PoCs
On the open-source front, we found that out of the 741 vulnerabilities analyzed, 616 vulnerabilities were covered by Nuclei templates or GitHub PoCs (representing 83.1% coverage), including:
237 vulnerabilities had associated Nuclei templates, providing detection capabilities for about 31.9% of the selected vulnerabilities.
379 vulnerabilities had PoCs available on GitHub, accounting for about 51.1% of the selected vulnerabilities.
Observations
The results indicate that while open-source platforms provide tools for detecting vulnerabilities, their coverage is not as extensive as that of commercial platforms. However, it is important to note that all check routines and PoCs from Nuclei and GitHub were active checks (offering high-fidelity results), and in this respect, the number of active checks they provide surpasses that of the commercial platforms.
3. Findings: Vulnerability Integration Speed (in Days)
Over the past two years, there has been significant variation in the time-to-response across the different platforms. The metrics, shown in the table below in days, highlight a consistent improvement in response times, with GitHub PoCs leading the way, followed closely by Qualys.
Year | Median CISA | Median Nessus | Median Qualys | Median Nuclei | Median GitHub PoC |
---|---|---|---|---|---|
2019 | 916.00 | 1112.00 | 49.00 | 1551.00 | 19.00 |
2020 | 550.00 | 1400.00 | 6.00 | 1226.00 | 6.00 |
2021 | 150.50 | 649.50 | 51.50 | 798.00 | 22.00 |
2022 | 121.00 | 254.00 | 28.00 | 555.00 | 24.00 |
2023 | 88.00 | 105.00 | 7.00 | 95.00 | 2.00 |
2024 | 135.00 | 167.00 | 17.00 | 4.50 | 2.50 |
Observations
Response times for vulnerability detection have significantly improved over the last five years. GitHub PoCs saw a sharp drop in median response time from 19 days in 2019 to just 2 days in 2023, while Qualys reduced its median time from 49 days in 2019 to 7 days in 2023. Nessus also improved, with a decrease from 1112 days in 2019 to 105 days in 2023. Even Nuclei templates, which were slower, showed progress, with response times falling to 95 days in 2023. This trend highlights faster responses across commercial and open-source tools, enabling security teams to mitigate risks more quickly.
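The coverage percentages in section 2 and the per-platform medians in the table above are straightforward to reproduce once the dates are collected. The following Python script is an added example, not part of the original ENTRYZERO analysis: it runs the same two computations (coverage ratio per platform, and median days from CVE publication to first availability of a check, PoC or KEV listing) over a small constructed data set. The CVE ids, dates and the choice of the CVE publication date as the reference point are assumptions made for the example; the real study used 741 KEV entries and the actual plugin, template and PoC publication dates.

```python
"""Coverage and time-to-check statistics over a constructed sample of
KEV-style records. The records below are made up for illustration; the
real study used 741 KEV entries and the actual publication dates."""
from datetime import date
from statistics import median

# Constructed sample records (placeholder CVE ids, not real entries).
# Each maps a CVE to its publication date and to the date on which each
# platform first offered a check/PoC/listing (None = not available).
SAMPLE = {
    "CVE-0000-0001": {"published": date(2023, 1, 10), "cisa": date(2023, 1, 20),
                      "nessus": date(2023, 1, 15), "qualys": date(2023, 1, 12),
                      "nuclei": date(2023, 2, 1), "github_poc": date(2023, 1, 11)},
    "CVE-0000-0002": {"published": date(2023, 3, 1), "cisa": date(2023, 4, 1),
                      "nessus": date(2023, 3, 5), "qualys": date(2023, 3, 3),
                      "nuclei": None, "github_poc": date(2023, 3, 2)},
    "CVE-0000-0003": {"published": date(2023, 6, 1), "cisa": date(2023, 6, 30),
                      "nessus": date(2023, 6, 20), "qualys": None,
                      "nuclei": date(2023, 6, 10), "github_poc": None},
    "CVE-0000-0004": {"published": date(2023, 9, 1), "cisa": date(2023, 10, 1),
                      "nessus": None, "qualys": date(2023, 9, 8),
                      "nuclei": None, "github_poc": None},
}
PLATFORMS = ("cisa", "nessus", "qualys", "nuclei", "github_poc")


def coverage(records, platform):
    """Fraction of records for which `platform` offers a check/PoC/listing."""
    covered = sum(1 for r in records.values() if r.get(platform) is not None)
    return covered / len(records)


def open_source_coverage(records):
    """Records covered by Nuclei or a GitHub PoC (the study's combined figure)."""
    covered = sum(1 for r in records.values()
                  if r.get("nuclei") is not None or r.get("github_poc") is not None)
    return covered / len(records)


def median_days(records, platform):
    """Median days from CVE publication to first availability on `platform`,
    computed only over the records the platform actually covers."""
    deltas = [(r[platform] - r["published"]).days
              for r in records.values() if r.get(platform) is not None]
    return median(deltas) if deltas else None


def median_days_by_year(records, platform):
    """Same as median_days, grouped by CVE publication year (as in the table)."""
    by_year = {}
    for r in records.values():
        if r.get(platform) is None:
            continue
        by_year.setdefault(r["published"].year, []).append(
            (r[platform] - r["published"]).days)
    return {year: median(v) for year, v in sorted(by_year.items())}


if __name__ == "__main__":
    print(f"{'platform':<11}{'coverage':>9}{'median days':>13}")
    for p in PLATFORMS:
        print(f"{p:<11}{coverage(SAMPLE, p):>9.1%}{median_days(SAMPLE, p):>13}")
    print(f"nuclei or github_poc coverage: {open_source_coverage(SAMPLE):.1%}")
```

Note that `median_days` deliberately ignores uncovered records; a platform with no check for a vulnerability contributes to a lower coverage figure, not to a longer median, which is how the two metrics in sections 2 and 3 complement each other.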
4. Implications for Security Teams
This analysis underscores the importance of utilizing both commercial and open-source vulnerability scanners. While commercial tools like Nessus and Qualys provide broader coverage, open-source tools like Nuclei and GitHub PoCs often deliver faster responses. Moreover, combining these platforms results in a higher ratio of high-fidelity findings. A hybrid approach enables organizations to address hacker-relevant vulnerabilities promptly while minimizing resource investment in vulnerability validation.
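The hybrid approach described here, together with the distinction between active and version-based checks from section 2, can be turned into a concrete triage rule: merge the findings of all scanners per host and CVE, treat a finding as confirmed when at least one active check fired, and queue version-only findings for validation, with KEV membership deciding the order. The following Python script is an added example written for this page, not ENTRYZERO's or any vendor's code. Hosts, CVE ids, the KEV subset and the `check_type` label each finding carries are constructed placeholders; in practice that label has to be derived from each scanner's own plugin or template metadata.

```python
"""Merge findings from several scanners and rank them by check fidelity
and exploitation evidence. All hosts, CVE ids and findings below are
constructed placeholders."""
from collections import defaultdict

# Constructed findings: (host, cve, source, check_type). check_type is
# "active" when the check exercised the flaw and "version" when it only
# compared a reported version string (the false-positive-prone method).
FINDINGS = [
    ("10.0.0.5", "CVE-0000-0001", "nessus", "version"),
    ("10.0.0.5", "CVE-0000-0001", "qualys", "version"),
    ("10.0.0.5", "CVE-0000-0001", "nuclei", "active"),
    ("10.0.0.7", "CVE-0000-0002", "nessus", "version"),
    ("10.0.0.7", "CVE-0000-0002", "qualys", "active"),
    ("10.0.0.9", "CVE-0000-0003", "nessus", "version"),
    ("10.0.0.9", "CVE-0000-0004", "nessus", "active"),
    ("10.0.0.11", "CVE-0000-0005", "qualys", "version"),
]
# Constructed subset standing in for the CISA KEV catalogue.
KEV = {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"}

# Lower value = handled first.
TIER_ORDER = {"confirmed": 0, "validate": 1, "version-only": 2}


def merge_findings(findings):
    """Group findings per (host, cve), recording which sources reported it
    and whether any of them used an active check."""
    merged = defaultdict(lambda: {"sources": set(), "active": False})
    for host, cve, source, check_type in findings:
        entry = merged[(host, cve)]
        entry["sources"].add(source)
        entry["active"] |= check_type == "active"
    return merged


def classify(entry, cve, kev):
    """'confirmed' if any active check fired; 'validate' if only
    version-based checks fired but the CVE is known to be exploited;
    'version-only' otherwise (lowest validation priority)."""
    if entry["active"]:
        return "confirmed"
    if cve in kev:
        return "validate"
    return "version-only"


def triage(findings, kev):
    """Return (host, cve, tier, sources) rows sorted by tier, then by the
    number of agreeing scanners (more agreement first), then by host/cve."""
    rows = []
    for (host, cve), entry in merge_findings(findings).items():
        tier = classify(entry, cve, kev)
        rows.append((host, cve, tier, tuple(sorted(entry["sources"]))))
    rows.sort(key=lambda r: (TIER_ORDER[r[2]], -len(r[3]), r[0], r[1]))
    return rows


def tier_counts(findings, kev):
    """How much work lands in each tier; useful for sizing validation effort."""
    counts = defaultdict(int)
    for _, _, tier, _ in triage(findings, kev):
        counts[tier] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, cve, tier, sources in triage(FINDINGS, KEV):
        print(f"{tier:<13}{host:<12}{cve:<15}{', '.join(sources)}")
    print(tier_counts(FINDINGS, KEV))
```

The sort order encodes the article's conclusion: active checks from any platform go straight to remediation, the validation effort is spent first on version-based hits that CISA already lists as exploited, and agreement between scanners is used as a tie-breaker rather than as proof.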