Automating vulnerability management

While working as a vulnerability analyst, I had to work with an EASM to manage vulnerabilities from their discovery up to their remediation.
I realised that I was wasting too much time on manual tasks, like rechecking each bad-quality result of the EASM or searching for the person to contact for a server. I decided to automate the process and spend time on tasks where I make the difference.

Using Python combined with Sanca, testssl and e-mail automation, I ended up with a tool able to:

  • scan servers and websites for several types of vulnerabilities (thanks to Sanca & testssl)
  • find the right person to contact
  • create a ticket
  • retest vulnerabilities and close tickets if the vulnerabilities are fixed
  • send communication to the contact person about the vulnerability (thanks to e-mail automation)
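An added example, not the author's tool, of the retest-and-close loop described above: it reconciles testssl-style findings with a ticket list and records which owners need an e-mail. The field names follow testssl.sh's JSON output as assumed here; the owner map, ticket store and scan data are constructed for the demo.

```python
import json

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}  # OK/INFO/WARN rank as 0

# Constructed host-to-owner mapping (the "find the right person to contact" step).
OWNERS = {"10.0.0.5": "web-team@example.invalid", "10.0.0.9": "dba@example.invalid"}

# Constructed scan output in testssl-like shape: first run has two findings, retest only one.
SCAN_1 = json.dumps([
    {"id": "TLS1", "ip": "10.0.0.5", "port": "443", "severity": "LOW", "finding": "TLS 1.0 is offered"},
    {"id": "rc4", "ip": "10.0.0.9", "port": "443", "severity": "HIGH", "finding": "RC4 ciphers offered"},
    {"id": "cert_chain", "ip": "10.0.0.5", "port": "443", "severity": "OK", "finding": "passed"},
])
SCAN_2 = json.dumps([
    {"id": "TLS1", "ip": "10.0.0.5", "port": "443", "severity": "LOW", "finding": "TLS 1.0 is offered"},
])

def reconcile(findings_json, tickets, min_severity="MEDIUM"):
    """Open a ticket for each new finding at or above min_severity; close open
    tickets whose finding is absent from this (re)scan. Tickets are keyed by
    (ip, port, finding id) so a retest matches the original finding."""
    threshold = SEVERITY_RANK[min_severity]
    seen = set()
    for f in json.loads(findings_json):
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        key = (f["ip"], f["port"], f["id"])
        seen.add(key)
        if key not in tickets:
            tickets[key] = {"owner": OWNERS.get(f["ip"], "security-team@example.invalid"),
                            "severity": f["severity"], "status": "open",
                            "summary": f["finding"], "notify": True}
    for key, t in tickets.items():
        if t["status"] == "open" and key not in seen:
            t["status"] = "closed"   # retest no longer shows the finding
            t["notify"] = True       # tell the owner it is resolved
    return tickets

def pending_notifications(tickets):
    """E-mails to send (owner, status, summary) for the e-mail automation step; clears the flag."""
    out = [(t["owner"], t["status"], t["summary"]) for t in tickets.values() if t["notify"]]
    for t in tickets.values():
        t["notify"] = False
    return out
```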

None of these tools had been requested by the company. Despite this, they have all been shared with the company, except Sanca, which is a personal project. With clean documentation, of course.