16. 07. 2024 Beatrice Dall'Omo Blue Team, Red Team, SEC4U

Automate Business Processes with APIs: python-gvm

Have you already read the blog post “Adding SOAR features to the SOC, Part 1: Vulnerability Management”? If not, you have to! It explains the SOAR features leveraged by the Würth Phoenix SOC and how we implement our Vulnerability Management process.

In this article I’ll take a step back and focus on what happens before the Vulnerability Management process: the Vulnerability Assessment.

In particular, I’ll go through the process of adding and configuring targets for the vulnerability scans, and of launching the monthly scans of the public perimeters communicated by our SOC customers. All these actions happen on Greenbone, the world’s most trusted provider of open source vulnerability management. They’ve been automated with the Greenbone Vulnerability Management Python Library (python-gvm), which lets you remotely control both Greenbone Enterprise Appliance installations and the Community Edition (the latter with some limitations).

Greenbone Vulnerability Management Python Library

You can find all the information about installation, usage and the API reference in the python-gvm documentation, while the source code of the Python library is available on GitHub.

Python-gvm can be installed in three ways, using pip, poetry or pipenv, depending on the workflow that needs to be implemented or on the skills of the developer. According to our process and needs, we use python-gvm through poetry, a tool for dependency management and packaging in Python.

With poetry we implemented three modules that run in standalone mode: the first launches vulnerability scans, the second updates the data (targets and tasks) on the Greenbone machine, and the third saves the reports of the most recent scans.

With the coordination of the execution of these three scripts, we’ve managed to obtain periodic monthly scans on up-to-date data of our SOC customers along with the related reports. In the following paragraphs I’ll focus on these three modules.

Launch scan

When executed, this module launches vulnerability scans on the already-configured tasks for each SOC customer. Each task is linked to a target referring to the IP addresses or subnets that have to be analyzed. The following is an example of the configuration of a task to perform a Greenbone scan for a target.

Fig.1: Creation of a new task
Fig.2: Creation of a new target

Greenbone offers several options for each task and target, such as the scan configuration, how results are handled and the port list to be tested. Which ones you choose depends, for example, on your needs and on the type of machines you want to analyze.

Once you’ve configured everything, you can start the scan by clicking on the “play” icon.

Fig.3: Greenbone task view

The launch scan module simply starts the tasks so that only one of them is running at any given time. Scans therefore never overlap and the available scanner resources are used in an orderly way.
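As an added illustration (not the SOC's own module), the following script shows one way to implement that one-at-a-time rule with python-gvm: it parses the raw get_tasks response, starts nothing while a task is still in progress, skips tasks that already produced a report in the current month, and starts the next one in name order. The socket path, the credentials and the sample responses are assumptions constructed for the example.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

IN_PROGRESS = {"Requested", "Queued", "Running", "Stop Requested"}  # gvmd: scan in flight
STARTABLE = {"New", "Done", "Stopped", "Interrupted"}


def select_task_to_start(get_tasks_xml, current_month):
    """Parse a raw <get_tasks_response>; return (in_progress_id, next_id).
    Tasks whose last report already falls in current_month (YYYY-MM) are skipped;
    the remaining candidates are taken in name order so the sequence is deterministic."""
    candidates = []
    for task in ET.fromstring(get_tasks_xml).findall("task"):
        status = task.findtext("status", "")
        if status in IN_PROGRESS:
            return task.get("id"), None  # never start a second scan in parallel
        last = task.findtext("last_report/report/timestamp", "")
        if status in STARTABLE and not last.startswith(current_month):
            candidates.append((task.findtext("name", ""), task.get("id")))
    candidates.sort()
    return None, (candidates[0][1] if candidates else None)


def run_once(socket_path, username, password):
    """One scheduler tick (e.g. from cron): start at most one task."""
    from gvm.connections import UnixSocketConnection  # lazy: selector runs offline
    from gvm.protocols.gmp import Gmp
    month = datetime.now(timezone.utc).strftime("%Y-%m")
    with Gmp(UnixSocketConnection(path=socket_path)) as gmp:  # no transform: raw XML
        gmp.authenticate(username, password)
        tasks_xml = gmp.get_tasks(filter_string="rows=-1")  # all tasks, not the first page
        in_progress, next_id = select_task_to_start(tasks_xml, month)
        if in_progress:
            return f"task {in_progress} still in progress, nothing started"
        if next_id is None:
            return "every task already has a report for this month"
        gmp.start_task(next_id)
        return f"started task {next_id}"


# Constructed sample responses, not captured from a real appliance.
SAMPLE_IDLE = """<get_tasks_response status="200" status_text="OK">
<task id="t-1"><name>Customer A</name><status>Done</status>
<last_report><report id="r-1"><timestamp>2024-07-02T01:00:00Z</timestamp></report></last_report></task>
<task id="t-2"><name>Customer B</name><status>Done</status>
<last_report><report id="r-2"><timestamp>2024-06-04T01:00:00Z</timestamp></report></last_report></task>
<task id="t-3"><name>Customer C</name><status>New</status></task>
</get_tasks_response>"""
SAMPLE_BUSY = SAMPLE_IDLE.replace("<status>New</status>", "<status>Running</status>")
```

Calling run_once on a short cron interval gives the serial behaviour described above: each tick either sees a scan in flight and exits, or starts exactly one task.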

Update data

This module runs once a month, before the launch scan module, i.e. before the new vulnerability scans for the current month are started. It updates the customers' public perimeters to scan, since these are likely to change over time, keeping the Greenbone targets and their related tasks up to date.

Fig.4: Greenbone target view
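An added example of how such an update can be done with python-gvm (not the module used by the SOC). It compares the target currently attached to a task with the perimeter the customer communicated and, if it changed, creates a replacement target with the same port list and re-points the task at it rather than editing the hosts in place, since a target already used by a task cannot have its hosts changed. Re-pointing a task that has already run requires the task to have been created as alterable; the task id, the host lists and the sample response are constructed assumptions.

```python
import xml.etree.ElementTree as ET

IN_PROGRESS = {"Requested", "Queued", "Running", "Stop Requested"}


def split_hosts(hosts_text):
    """gvmd stores a target's hosts as one comma-separated string; normalise to a set."""
    return {h.strip() for h in (hosts_text or "").split(",") if h.strip()}


def plan_target_update(get_target_xml, desired_hosts, suffix):
    """Compare the current target (raw <get_targets_response>) with the perimeter the
    customer communicated. Returns None if nothing changed, otherwise the keyword
    arguments for a replacement target: same port list, new host list, suffixed name."""
    target = ET.fromstring(get_target_xml).find("target")
    if set(desired_hosts) == split_hosts(target.findtext("hosts")):
        return None
    return {
        "name": f"{target.findtext('name')} {suffix}",
        "hosts": sorted(desired_hosts),
        "port_list_id": target.find("port_list").get("id"),
    }


def update_customer_target(socket_path, username, password, task_id, desired_hosts, suffix):
    """Replace the task's target if the perimeter changed; returns the new target id or None."""
    from gvm.connections import UnixSocketConnection  # lazy: planner runs offline
    from gvm.protocols.gmp import Gmp
    with Gmp(UnixSocketConnection(path=socket_path)) as gmp:  # no transform: raw XML
        gmp.authenticate(username, password)
        task = ET.fromstring(gmp.get_task(task_id)).find("task")
        status, alterable = task.findtext("status"), task.findtext("alterable")
        if status in IN_PROGRESS or (status != "New" and alterable != "1"):
            raise RuntimeError("task must be idle and New or alterable to change its target")
        old_target_xml = gmp.get_target(task.find("target").get("id"))
        plan = plan_target_update(old_target_xml, desired_hosts, suffix)
        if plan is None:
            return None  # perimeter unchanged, nothing to do this month
        new_id = ET.fromstring(gmp.create_target(**plan)).get("id")
        gmp.modify_task(task_id, target_id=new_id)
        return new_id


# Constructed sample response, not captured from a real appliance.
SAMPLE_TARGET = ('<get_targets_response status="200"><target id="tg-1"><name>Customer A</name>'
                 '<hosts>203.0.113.0/28, 198.51.100.7</hosts>'
                 '<port_list id="pl-1"><name>All IANA assigned TCP</name></port_list>'
                 '</target></get_targets_response>')
```

The superseded target stays on the appliance; delete it in a separate housekeeping step once no task refers to it any more.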

Save latest reports

This module saves the reports that are provided by Greenbone and are related to the last scan executed, both in PDF and in CSV format.

Fig.5: Download report after vulnerability scan

The PDF version is a more visually oriented presentation of the results than the CSV format. Both reports are then processed to provide the data for the next steps of the Vulnerability Management process.
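As an added example (not the SOC's code), the following downloads the most recent report of a task in both formats with python-gvm. The report format ids are resolved by name at run time instead of being hard-coded, and the base64 document body is decoded from the response; the socket path, the task id and the sample responses are constructed assumptions.

```python
from base64 import b64decode
from pathlib import Path
import xml.etree.ElementTree as ET


def format_ids_by_name(get_report_formats_xml, wanted=("PDF", "CSV Results")):
    """Map report-format names to their ids from a raw <get_report_formats_response>."""
    root = ET.fromstring(get_report_formats_xml)
    found = {rf.findtext("name"): rf.get("id") for rf in root.findall("report_format")}
    missing = [n for n in wanted if n not in found]
    if missing:
        raise LookupError(f"report formats not installed on this appliance: {missing}")
    return {n: found[n] for n in wanted}


def decode_report(get_report_xml):
    """Return the document bytes from a <get_reports_response> rendered in a binary
    format: gvmd emits the base64 body as text directly after <report_format>."""
    element = ET.fromstring(get_report_xml).find("report/report_format")
    if element is None or not (element.tail or "").strip():
        raise ValueError("response carries no report body")
    return b64decode(element.tail.strip())


def save_latest_reports(socket_path, username, password, task_id, out_dir):
    """Write <task_id>.pdf and <task_id>.csv for the task's most recent scan."""
    from gvm.connections import UnixSocketConnection  # lazy: parsers above run offline
    from gvm.protocols.gmp import Gmp
    written = []
    with Gmp(UnixSocketConnection(path=socket_path)) as gmp:  # no transform: raw XML
        gmp.authenticate(username, password)
        last = ET.fromstring(gmp.get_task(task_id)).find("task/last_report/report")
        if last is None:  # the task has never completed a scan
            return written
        formats = format_ids_by_name(gmp.get_report_formats())
        for name, ext in (("PDF", "pdf"), ("CSV Results", "csv")):
            xml = gmp.get_report(last.get("id"), report_format_id=formats[name],
                                 ignore_pagination=True, details=True)
            path = Path(out_dir) / f"{task_id}.{ext}"
            path.write_bytes(decode_report(xml))
            written.append(path)
    return written


# Constructed sample responses, not captured from a real appliance.
SAMPLE_FORMATS = ('<get_report_formats_response status="200"><report_format id="fmt-pdf">'
                  '<name>PDF</name></report_format><report_format id="fmt-csv"><name>CSV Results'
                  '</name></report_format></get_report_formats_response>')
SAMPLE_REPORT = ('<get_reports_response status="200"><report id="r-1" extension="csv">'
                 '<report_format id="fmt-csv"><name>CSV Results</name></report_format>'
                 'SVAsSG9zdG5hbWUsUG9ydAo=</report></get_reports_response>')
```

Without ignore_pagination the appliance applies its default row limit to the results inside the report, so a long CSV would be silently truncated.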

Takeaways

Greenbone’s user interface lets a user perform all the actions we’ve automated through the Python API: schedule scans, change targets and run the related tasks, or manually download the reports once a scan has finished.

By using the API, on the other hand, Greenbone appliances can be configured at a finer granularity, interacting directly with the underlying protocol and removing limitations you may face in the web interface. It also gives you the full power of additional Python libraries for the subsequent processing steps. Finally, the APIs make it easier to automate processes in your organization, optimize business operations, reduce errors and increase overall productivity.

These Solutions are Engineered by Humans

Did you learn from this article? Perhaps you’re already familiar with some of the techniques above? If you find cybersecurity issues interesting, maybe you could start in a cybersecurity or similar position here at Würth Phoenix.

Author

Beatrice Dall'Omo

Red Team & Offensive Security Specialist | Cybersecurity Team | Würth Phoenix