Name of Your Organization:

Rapid7 LLC

Web Site:

www.rapid7.com

Compatible Capability:

NeXpose

Capability home page:

http://www.rapid7.com
General Capability Questions

1) Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

Rapid7 provides the NeXpose Vulnerability Scanner to its customers through a secure download link available from http://www.rapid7.com/nexpose-download.htm Once operational, Nexpose displays CVE and CAN numbers for applicable vulnerabilities as part of their description. This information appears within reports, as well as within a separate search functionality.
Mapping Questions

4) Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

NeXpose monitors new and changed CVE entries via the CVE mailing list and changelog rather than merging the complete CVE database into the Vulnerability Database each time there is a CVE version update. Therefore it does not need to indicate a CVE version number since NeXpose always uses the most up-to-date CVE listing.

5) Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (recommended):

NeXpose monitors new and changed CVE entries via the CVE mailing list and changelog rather than merging the complete CVE database into the Vulnerability Database each time there is a CVE version update.

6) Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect a newly released CVE version (recommended):

NeXpose connects to Rapid7's servers and obtains the most up to date vulnerability definitions every 6 hours.

Documentation Questions

7) CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

8) Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):

9) Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):

Candidate Support Questions

11) Candidates Versus Entries Indication <CR_6.1>

If CVE candidates are supported or used, explain how you indicate that candidates are not accepted CVE entries (required):

CVE Candidates are displayed with the CAN preface, as opposed to the CVE preface.

12) Candidates Versus Entries Explanation <CR_6.2>

If CVE candidates are supported or used, explain where and how the difference between candidates and entries is explained to your customers (recommended):

The CVE name links directly back to the CVE online database and the candidate information is displayed at the top of the page.

13) Candidate to Entry Promotion <CR_6.3>

If CVE candidates are supported or used, explain your policy for changing candidates into entries within your capability and describe where and how this is communicated to your customers (recommended):

We are subscribed to the CVE mailing list and change logs and update CAN/CVE listings regularly. Customers aren't specifically told as they will automatically see the new reference and be linked to the correct definition.

14) Candidate and Entry Search Support <CR_6.4>

If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's ability to look for candidates and entries by using just the YYYY-NNNN portion of the CVE names (recommended):

By selecting the Search CVE/CAN option in the selection box under the text search field, the user can search for a CVE or a CAN using the YYYY-NNNN portion of the CVE name.

15) Search Support for Promoted Candidates <CR_6.5>

If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's support for retrieving the CVE entry for a candidate that is no longer a candidate (recommended):

There is no indication that a CVE candidate has changed to an official CVE other than the "CAN" notation changes to "CVE."

16) Candidate Mapping Currency Indication <CR_6.6>

If CVE candidates are supported or used, explain where and how you tell your users how up-to-date your candidate information is (recommended):

No special CVE update is needed. The CVE's are updated as part of the regular NeXpose vulnerability update which occurs every 6 hours.

Type-Specific Capability Questions

Tool Questions

17) Finding Tasks Using CVE Names <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):

The user can type in the CVE name into the full text vulnerability search box on any page of the application. To see more information pertaining to the CVE vulnerability, the user can click on the vulnerability and detailed information will appear. This includes a link to the CVE detail page on the MITRE web site.

18) Finding CVE Names Using Elements in Reports <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

  • Login to NeXpose Security Console
  • Select "Reports"
  • Select an Audit Report for an Asset Group, Site or Device
  • Vulnerabilities with associated CVE Numbers are listed
  • Click on a CVE number to redirect the browser to the Mitre CVE page detailing the specific vulnerability

21) Selecting Tasks Using Individual CVE Names <CR_A.2.6>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CVE names (recommended):

The user can select any CVE or CAN by typing in all or part of the name into the Vulnerability Search box on the right side of the NeXpose Security Console.

Online Capability Questions

26) Finding Online Capability Tasks Using CVE Names <CR_A.4.1>

Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CVE name or through an online mapping that links each element of the capability with its associated CVE name(s) (required):

The user can select any CVE or CAN by typing in all or part of the name or number into the Vulnerability Search box on the right side of the NeXpose Security Console.

27) Online Capability Interface Template Usage <CR_A.4.1.1>

Provide a detailed description of how someone can use your "URL template" to interface to your capability's search function (recommended):

Examples:

http://www.example.com/cgi-bin/db-search.cgi?cvename=CVE-YYYY-NNNN
http://www.example.com/cve/CVE-YYYY-NNNN.html

Each vulnerability in NeXpose is assigned a unique ID number. The details for specific vulnerability can be linked directly in the following manner:

https://{servername}:{port}/vulnerability.html?vulnid={vul_number}

29) Finding CVE Names Using Online Capability Elements <CR_A.4.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CVE names for the individual security elements in the report (required):

In the Discovered Vulnerabilities section of an Audi Report the associated CVE is listed under the reference heading. The user can then click on a CVE or CAN number and the page will be redirected to the CVE detail page on the Mitre website.

Graphical User Interface (GUI)

34) Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CVE name(s) (required):

The user can find any CVE or CAN by typing in all or part of the name or number into the Vulnerability Search box on the right side of the NeXpose Security Console.

35) GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability's elements, also describe the format of the mapping (required):

Within NeXpose vulnerability database, CVE IDs for individual vulnerabilities can be found by 'drilling down' to each vulnerability detail page. A user simply clicks on the vulnerability's name and is presented with a details screen containing the individual CVE ID(s) associated with that condition.

36) GUI Export Electronic Document Format Info <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):

Reports can be exported in HTML, XML, CVS, PDF, Text, or dumped into an SQL database. These reports contain detailed information about each vulnerability found including the relevant CVE information.

Questions for Signature

37) Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Alan Matthews

Title: CEO

38) Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CVE entries our capability identifies."

Name: Alan Matthews

Title: CEO

39) Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Alan Matthews

Title: CEO

Page Last Updated or Reviewed: April 28, 2016