Automating vulnerability management
While working as a vulnerability analyst, I had to work with an EASM to
manage vulnerabilities from their discovery up to their remediation.
I realised that I was wasting too much time on manual tasks, like rechecking
each bad-quality result of the EASM or searching for the person to contact for
a server. I decided to automate the process and spend time on tasks where I
make a difference.
Using Python combined with Sanca, testssl and e-mail automation, I ended up with a tool able to:
- scan servers and websites for several types of vulnerabilities (thanks to Sanca & testssl)
- find the right person to contact
- create a ticket
- retest vulnerabilities and close tickets if the vulnerabilities are fixed
- send communication to the contact person about the vulnerability (thanks to e-mail automation)
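The lifecycle in the list above (scan, owner lookup, ticket creation, retest, close, notification) can be demonstrated as a small reconciliation loop. The following is an added example written for this page; it is not Sanca, not testssl, and not the author's tool. The scan records are constructed and only shaped like testssl's JSON output (id / ip / port / severity / finding keys, with the host in the ip field as "hostname/address", an assumption here); the inventory, owner addresses, and hostnames are made up, and nothing is sent or scanned.

```python
"""Added example: scan-to-ticket reconciliation loop (not the author's tool).

Sample data below is constructed to resemble testssl.sh JSON records
(keys id / ip / port / severity / finding are assumed); no network or
mail access happens here, the notification is only rendered as text.
"""
import json
from dataclasses import dataclass, field

# Triage order for the severities testssl reports (assumed set, ranked here).
SEVERITY_RANK = {"INFO": 0, "OK": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed first scan: two hosts, three findings, one below the triage threshold.
FIRST_SCAN = json.dumps([
    {"id": "TLS1", "ip": "web1.example.test/10.0.0.11", "port": "443",
     "severity": "MEDIUM", "finding": "offered (deprecated)"},
    {"id": "cert_expirationStatus", "ip": "web1.example.test/10.0.0.11", "port": "443",
     "severity": "HIGH", "finding": "expired"},
    {"id": "SSLv3", "ip": "mail.example.test/10.0.0.25", "port": "443",
     "severity": "LOW", "finding": "not offered"},
])
# Constructed retest: the certificate was renewed, TLS 1.0 is still enabled.
SECOND_SCAN = json.dumps([
    {"id": "TLS1", "ip": "web1.example.test/10.0.0.11", "port": "443",
     "severity": "MEDIUM", "finding": "offered (deprecated)"},
])
# Constructed asset inventory: hostname -> owner, the "find the right person" step.
INVENTORY = {"web1.example.test": "alice@example.test"}


def parse_findings(json_text, min_severity="MEDIUM"):
    """Keep only findings at or above the triage threshold, normalised to host/port/id."""
    threshold = SEVERITY_RANK[min_severity]
    findings = []
    for rec in json.loads(json_text):
        if SEVERITY_RANK.get(rec.get("severity", ""), 0) < threshold:
            continue
        host = rec["ip"].split("/", 1)[0]  # assumed "hostname/address" layout
        findings.append({"host": host, "port": str(rec["port"]), "id": rec["id"],
                         "severity": rec["severity"], "finding": rec["finding"]})
    return findings


def finding_key(f):
    """One ticket per (host, port, check) so reruns never duplicate tickets."""
    return f"{f['host']}:{f['port']}:{f['id']}"


def lookup_owner(host, inventory=INVENTORY):
    return inventory.get(host, "unassigned@example.test")


@dataclass
class Ticket:
    key: str
    host: str
    port: str
    finding_id: str
    severity: str
    owner: str
    status: str = "open"
    history: list = field(default_factory=list)


class Tracker:
    """In-memory stand-in for a ticketing system."""

    def __init__(self):
        self.tickets = {}

    def sync(self, findings, inventory=INVENTORY):
        """Open (or reopen) a ticket per new finding; returns keys created this run."""
        created = []
        for f in findings:
            key = finding_key(f)
            t = self.tickets.get(key)
            if t is None:
                t = Ticket(key, f["host"], f["port"], f["id"], f["severity"],
                           lookup_owner(f["host"], inventory))
                t.history.append("opened: " + f["finding"])
                self.tickets[key] = t
                created.append(key)
            elif t.status == "closed":
                t.status = "open"
                t.history.append("reopened: finding came back")
                created.append(key)
            else:
                t.history.append("retest: still present")
        return created

    def retest(self, findings):
        """Close every open ticket whose finding is absent from the fresh scan."""
        present = {finding_key(f) for f in findings}
        closed = []
        for key, t in self.tickets.items():
            if t.status == "open" and key not in present:
                t.status = "closed"
                t.history.append("retest: not reproduced, closed")
                closed.append(key)
        return closed


def notification(ticket):
    """Render the e-mail that would go to the contact person (not sent here)."""
    return (f"To: {ticket.owner}\n"
            f"Subject: [{ticket.severity}] {ticket.finding_id} on {ticket.host}:{ticket.port}\n\n"
            f"Ticket {ticket.key} is {ticket.status}. History: {'; '.join(ticket.history)}")


def run_cycle(tracker, scan_json):
    """One full pass: parse, open tickets, then close tickets whose finding is gone."""
    findings = parse_findings(scan_json)
    return tracker.sync(findings), tracker.retest(findings)


if __name__ == "__main__":
    tr = Tracker()
    print("first scan:", run_cycle(tr, FIRST_SCAN))
    print("retest:", run_cycle(tr, SECOND_SCAN))
    print(notification(tr.tickets["web1.example.test:443:TLS1"]))
```

Running the same scan twice creates nothing new, which is the property that makes the loop safe to schedule; a swapped-in real tracker only needs to keep the same key to preserve that.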
None of these tools had been requested by the company. Despite this, they have all been shared with the company, except Sanca, which is a personal project. With clean documentation, of course.