Vendor Provided Validation Details - Greenbone Security Manager 1.7.0

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.


Statement of CPE Implementation

The Greenbone Security Manager (GSM) implements the Common Platform Enumeration (CPE) standard by reporting the CPE name for all applications and operating systems which could be reliably identified and for which a CPE name exists in the CPE dictionary provided by the National Institute of Standards (NIST).

The Greenbone Security Manager uses an internal CPE database which is synchronized at frequent intervals with the CPE dictionary maintained by NIST.

Whenever an application, hardware device or operating system is detected during a vulnerability scan by one or more of the Network Vulnerability Tests (NVTs) used by the Greenbone Security Manager, it is checked against the CPE database. If a CPE name exists, it is included in the scan results.

The CPE data is used during the scan to map the target systems and to optimize the sequence of NVTs.

Using the CPE names detected in previous scans in combination with updated CVE data, the Greenbone Security Manager can perform Prognostic Scans, warning users of potential threats as soon as new CVE data becomes available, without needing to access the target system again.

Using the Asset Management feature it is possible to browse the collection of CPEs detected during vulnerability scans and to access information about the individual CPEs.

A separate list of the CPEs detected during a vulnerability scan can be accessed by downloading the report in the CPE format provided by the CPE report format plugin. This format includes entries for all detected CPEs and for all target systems on which the CPEs were detected.

Using the SecInfo Management feature users can search and view the CPE data as provided by NIST.


Statement of CVE Implementation

The Greenbone Security Manager (GSM) implements the Common Vulnerabilities and Exposures (CVE) standard by reporting the CVE ID for all vulnerabilities which could be reliably identified and for which a CVE ID exists in the CVE dictionary provided by the National Institute of Standards (NIST).

The Greenbone Security Manager uses an internal CVE database which is synchronized at frequent intervals with the CVE dictionary maintained by NIST.

When a Network Vulnerability Test (NVT) detects a vulnerability during a vulnerability scan, it will automatically include the CVE ID for the identified vulnerability in the scan report if there is a corresponding CVE.

Using the CPE names detected in previous scans in combination with updated CVE data, the Greenbone Security Manager can perform Prognostic Scans, warning users of potential threats as soon as new CVE data becomes available, without needing to access the target system again.
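The Prognostic Scan described here and in the CPE section above, shown as an added example that is not Greenbone's code: CPE names recorded per host in an earlier scan are matched offline against the affected-CPE lists of newly published CVE entries. The hosts, CPE names and CVE ids are constructed placeholders, and the matching rule (an unspecified component in the affected CPE matches any value; a component the scan never observed does not) is an assumption, not GSM's documented logic.

```python
from typing import Dict, List, Optional, Tuple

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

def parse_cpe22(name: str) -> Dict[str, Optional[str]]:
    """Split a CPE 2.2 URI ('cpe:/a:vendor:product:version...') into named components;
    components absent from the URI become None (unspecified)."""
    if not name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {name}")
    comps = name[len("cpe:/"):].split(":")
    if len(comps) > len(CPE_FIELDS) or comps[0] not in ("a", "h", "o"):
        raise ValueError(f"malformed CPE name: {name}")
    comps += [None] * (len(CPE_FIELDS) - len(comps))
    return {k: (v.lower() if v else None) for k, v in zip(CPE_FIELDS, comps)}

def cpe_matches(detected: str, affected: str) -> bool:
    """Assumed rule: every component the affected CPE specifies must equal the detected
    one; an unspecified component on the affected side (e.g. no version) matches anything,
    while an update/edition the scan never observed does not match, so it is not reported."""
    d, a = parse_cpe22(detected), parse_cpe22(affected)
    return all(a[k] is None or a[k] == d[k] for k in CPE_FIELDS)

def prognostic_scan(assets: Dict[str, List[str]], cves: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """assets: host -> CPEs recorded in an earlier scan; cves: CVE id -> affected CPE names.
    Returns (host, cpe, cve) for each asset a newly published CVE applies to, offline."""
    hits = []
    for host, cpe_list in assets.items():
        for cpe in cpe_list:
            for cve_id, affected in cves.items():
                if any(cpe_matches(cpe, a) for a in affected):
                    hits.append((host, cpe, cve_id))
    return sorted(hits)

# Constructed sample data: hosts and CPEs from a hypothetical earlier scan, placeholder
# CVE ids with affected-CPE lists shaped like the NIST feed entries.
ASSETS = {
    "192.0.2.10": ["cpe:/a:apache:http_server:2.2.14", "cpe:/o:canonical:ubuntu_linux:10.04"],
    "192.0.2.11": ["cpe:/a:apache:http_server:2.2.17", "cpe:/a:openbsd:openssh:5.3"],
}
NEW_CVES = {
    "CVE-XXXX-1001": ["cpe:/a:apache:http_server:2.2.14", "cpe:/a:apache:http_server:2.2.15"],
    "CVE-XXXX-1002": ["cpe:/a:openbsd:openssh"],                # no version: every OpenSSH
    "CVE-XXXX-1003": ["cpe:/a:apache:http_server:2.2.14:rc1"],  # update 'rc1' never detected
}

if __name__ == "__main__":
    for host, cpe, cve in prognostic_scan(ASSETS, NEW_CVES):
        print(f"{host}: {cpe} affected by {cve}")
```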

The SecInfo Management feature allows users to view the CVE data as provided by NIST and to browse the entire set of CVE data available in the CVE dictionary.


Statement of CVSS Implementation

The Greenbone Security Manager (GSM) implements the Common Vulnerability Scoring System (CVSS) standard by including the CVSS score for all vulnerabilities which could be reliably identified and for which a CVSS score has been assigned by the Forum of Incidence and Response Security Teams (FIRST).

The Greenbone Security Manager uses the CVSS scores present in the CVE database provided by the National Institute of Standards (NIST) to display the CVSS base score and the corresponding metrics. For vulnerabilities for which FIRST has not yet assigned a CVSS score, the score is calculated based on the guidelines published by NIST.

The CVSS base score is used as a basis for determining the Threat Level of detected vulnerabilities and is displayed prominently for all vulnerabilities where a CVSS score is available.

It is possible to sort scan results by their CVSS base scores or to list only results with a CVSS score greater than a user-defined threshold.

The user interface allows the user to explore the CVSS scores and additional information for all CVEs in the CVE database provided by NIST.


Statement of SCAP Implementation

The Greenbone Security Manager (GSM) implements the Unauthenticated Vulnerability Scanner capability as defined in the Security Content Automation Protocol (SCAP) by implementing Common Platform Enumeration (CPE), Common Vulnerabilities and Exposures (CVE) and Common Vulnerability Scoring System (CVSS) standards.

The Greenbone Security Manager uses an internal database for SCAP data which is synchronized at frequent intervals with the SCAP data repositories maintained by the National Institute of Standards (NIST).

The Greenbone Security Manager uses CPE, CVE and CVSS extensively and allows users to browse and explore security information based on these standards. Users can interactively access the internal SCAP database to view cross-referenced security information for all available CVE and CPE entries, even if no vulnerability test is available for a given entry.

Wherever appropriate, the Greenbone Security Manager will include SCAP data in the vulnerability scan result. This includes references to the CVEs for detected vulnerabilities including the CVSS base score and references to the CPE names for identified operating systems, hardware devices and applications.

When displaying SCAP data, the Greenbone Security Manager indicates the date when the data was generated and when it was last updated.