To identify security vulnerabilities more quickly the cyber security team at the FT is exploring building automation around security testing. In addition to this, we have started to implement a vulnerability management process by which we can automatically track these vulnerabilities and assign owners to findings.

为了更快地识别安全漏洞，英国《金融时报》的网络安全团队正在探索围绕安全测试的楼宇自动化。 除此之外，我们已经开始实施漏洞管理流程，通过该流程我们可以自动跟踪这些漏洞，并将所有者分配给调查结果。

Vulnerability management is the process of identifying, classifying, prioritising and remediating vulnerabilities in a continuous manner. But just what is the correct way to implement this in your organisation? There is no simple answer. It’s all about doing your research into what works best for the way teams in your organisation work and what will be most effective.

漏洞管理是以连续的方式识别，分类，划分优先级和补救漏洞的过程。 但是，在您的组织中实现此目标的正确方法是什么？ 没有简单的答案。 这是所有关于您的组织中团队的工作方式最有效以及最有效的方法的研究。

跟踪安全发现 (Keeping track of security findings)

When security issues are identified, the first step is to track the issue in an agreed location. If you have ever worked in a security team in any organisation, you’ll know that keeping track of all the issues identified by automated scanners, bug bounty programs and penetration tests… can be a daunting task. The first problem that needs to be addressed is how and where do you track security findings? Maybe findings can all be tracked in a single spreadsheet?

确定安全问题后，第一步是在商定的位置跟踪问题。 如果您曾经在任何组织的安全团队中工作过，您就会知道跟踪自动扫描程序，漏洞赏金计划和渗透测试所发现的所有问题……可能是一项艰巨的任务。 需要解决的第一个问题是您如何以及在何处跟踪安全性发现？ 也许可以在单个电子表格中跟踪所有发现？

While this may work for some organisations, having a single spreadsheet to track every security issue can get messy and very quickly get hard to use. Also, updating a spreadsheet for every security issue identified is a very manual process, and can often lead to single person dependencies.

尽管这对于某些组织可能有用，但只有一个电子表格来跟踪每个安全问题可能会变得凌乱，并且很快会变得难以使用。 同样，针对每个已发现的安全问题更新电子表格是一个非常手动的过程，通常会导致单人依赖。

Additionally, assigning owners to remediate the identified issues is a problem. Doing this through a spreadsheet doesn’t notify owners and leaves teams chasing individuals. Overall, the process isn’t smooth, it takes a great amount of time and spreadsheets are just not the best way to do this.

此外，分配所有者来补救已确定的问题是一个问题。 通过电子表格执行此操作不会通知所有者，而会使团队追逐个人。 总体而言，该过程并不顺利，需要花费大量时间，而电子表格并不是实现此目的的最佳方法。

This is where we were, and it just wasn’t working. We needed some sort of system where interaction was seamless and could be automated. But just where to start!?

这是我们曾经在的地方，但是当时没有用。 我们需要一种可以无缝交互并且可以自动化的系统。 但是，从哪里开始！

如何选择正确的产品 (How to choose the correct product)

Sure, there are various vulnerability management systems out there, but most are quite costly and not always customisable. At the FT, we opted for using OWASP’s open source project Defectdojo due to the product being largely customisable for our needs at the FT.

当然，那里有各种漏洞管理系统，但是大多数漏洞管理系统成本很高，而且并非总是可定制的。 在英国《金融时报》，我们选择使用OWASP的开源项目Defectdojo，因为该产品在很大程度上可以根据英国《金融时报》的需求进行定制。

Defectdojo allows you to maintain vulnerability findings in one centralised location and integrates with tooling such as Jira and Slack, used for tracking and notifying teams. It also provides support for the integration from multiple sources such as Nessus, Nmap and Hackerone, to name a few. Additionally, there are many options available to customise Defectdojo, thanks to its API.

Defectdojo使您可以在一个集中的位置维护漏洞发现，并与Jira和Slack之类的工具集成在一起，这些工具用于跟踪和通知团队。 它还提供了来自多个来源的集成支持，例如Nessus，Nmap和Hackerone。 此外，得益于其API ，还有许多可用于自定义Defectdojo的选项。

将漏洞链接到产品 (Linking vulnerabilities to products)

Having the ability to import findings into Defectdojo is great, but we also needed a way to assign the findings to products and product owners. At the FT, we use a custom built product called Biz Ops. Biz Ops is where the FT retains information about its business operations, such as what our systems are, who owns the systems and in-depth data about other functionality that may be useful to teams. All of it queryable via an API.

能够将发现结果导入Defectdojo非常棒，但是我们还需要一种将发现结果分配给产品和产品所有者的方法。 在英国《金融时报》，我们使用名为Biz Ops的定制产品。 FT在Biz Ops保留有关其业务运营的信息，例如我们的系统是什么，拥有系统的人以及有关可能对团队有用的其他功能的深入数据。 所有这些都可以通过API查询。

Each system or product within Biz Ops is linked with a corresponding “system code”. By utilising the Biz Ops API it was possible for us to integrate system codes into the “products” section of Defectdojo, thus having a way to link vulnerabilities to systems. Once you have a system code, there is a very high chance that you will also have a linked system owner.

Biz Ops中的每个系统或产品都与相应的“ 系统代码 ”链接。 通过使用Biz Ops API，我们可以将系统代码集成到Defectdojo的“ 产品”部分中，从而可以将漏洞链接到系统。 拥有系统代码后，很有可能还会有一个链接的系统所有者。

Now, with the ground work complete, we started to look at how to automate the process of populating findings directly from our current scanners into Defectdojo.

现在，在完成基础工作之后，我们开始研究如何将直接从当前扫描仪中的调查结果直接填充到Defectdojo中的过程自动化。

导入所有东西 (Importing all the things)

As mentioned at the start of this post, Defectdojo provides support for uploading scan results from a variety of different tooling, including custom built scanners. By making use of the Defectdojo API it was possible for us to upload a variety of different report types generated by tooling used throughout the FT.

如本文开头所述，Defectdojo提供了对从各种不同工具(包括定制的扫描仪)上载扫描结果的支持。 通过使用Defectdojo API，我们可以上传由整个FT使用的工具生成的各种不同的报告类型。

Our scanners all run on a scheduled basis and write their results to a common S3 bucket.

我们的扫描仪均按计划运行，并将其结果写入通用的S3存储桶。

Going one step further to automate our vulnerability management process, we created Lambdas that would trigger every time a new object was put into the S3 bucket. Every time the Lambdas are triggered, they upload new scans to Defectdojo.

为了使漏洞管理流程自动化，我们进一步创建了Lambda，这些Lambda在每次将新对象放入S3存储桶时都会触发。 每次触发Lambda时，它们都会将新扫描上传到Defectdojo。

Additional tooling was created by the team to ensure that all scan names could be assigned to system codes before being written to S3. Having all scan results assigned to a system code and product owner inside Defectdojo means that there is no more trawling through outdated spreadsheets to find out who can fix serious security issues. Instead, the whole process of assigning results to products and products to owners is fully automated.

该团队创建了其他工具，以确保在将所有扫描名称写入S3之前可以将其分配给系统代码。 将所有扫描结果分配给Defectdojo内部的系统代码和产品所有者，意味着您无需再通过过时的电子表格来查找谁可以解决严重的安全问题。 相反，将结果分配给产品以及将产品分配给所有者的整个过程是完全自动化的。

接下来是什么！ (What’s up next!)

Of course this isn’t perfect, we still have a long way to go. For now, we have set up regular scans that run on schedules, results that automatically export into S3 buckets on scan completion and finally, results that can be imported into our vulnerability management system which links to products and product owners, thanks to Biz Ops.

当然这不是完美的，我们还有很长的路要走。 目前，我们已经设置了按计划运行的常规扫描，在扫描完成时将结果自动导出到S3存储桶中，最后，由于Biz Ops，可以将结果导入到与产品和产品所有者链接的漏洞管理系统中。

So, what’s next in our pipeline? Next up, we plan to surface the information contained in Defectdojo to teams by integrating with Jira and making further use of the Biz Ops API to ensure that tickets are created in the correct team’s Jira boards. This will bring us a step closer to automating the full end-to-end vulnerability management process.

那么，我们的下一步计划是什么？ 接下来，我们计划通过与Jira集成并进一步使用Biz Ops API来向团队展示Defectdojo中包含的信息，以确保在正确的团队的Jira董事会中创建票证。 这将使我们更接近于自动化完整的端到端漏洞管理过程。