Name of Your Organization:

Globant / Sistemas Globales S.A

Web Site:

www.globant.com

Compatible Capability:

ATTAKA

Capability home page:

http://www.globant.com/Content/Studios/Sustainable_Infostructure/services.html
General Capability Questions

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

Attaka is a 24/7 available service through a web based platform. It is a paid service for those companies which want to assess their Internet exposed servers' vulnerabilities and track their remediation.

Mapping Questions

Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

CVE names associated with our security elements are updated each week by an automatic process.

In order to check the date when our Vulnerability Database you have to follow this steps:

  1. Log in to our product.
  2. Click on the menu bar item called Help
  3. Click on "Vulnerability" section on the left panel, at the end of this section you are going to find the last time when our Vulnerability Database was updated (red circled).
Map Currency Indication

Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (required):

Attaka takes CVE References from Vulnerabilities' description from Nessus Database. Each week when Nessus' Vulnerabilities are updated CVE references are updated. CVE References are directly linked to Mitre's webpage. There's no need to updated any CVE Database of our own.

Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect newly available CVE content (required):

Each week when Nessus' Vulnerabilities are updated CVE references are updated.

Map Content Selection Criteria <CR_5.4>

Describe the criteria used for determining the relevance of a given CVE Identifier to your Capability (required):

Attaka uses this criteria for determining the relevance of a given CVE Identifier, according with CVSS v2 score.

Level Severity Description
10 High / Hole Urgent/Critical
7-9 High / Hole High
4-6 Medium Medium
1-3 Low Low

Risk Category Risk Consideration
Severe Risk Urgent Risk 5
Critical Risk 4
High Risk 3
Lowest Risk Medium Risk 2
Low Risk 1

Map Currency Update Mechanism <CR_5.4>

Describe the mechanism used for reviewing CVE for content changes (required):

Attaka takes CVE References from Vulnerabilities' description from Nessus Database. Each week when Nessus' Vulnerabilities are updated CVE references are updated. CVE References are directly linked to Mitre's webpage.

Map Content Source <CR_5.5>

Describe the source of your CVE content (required):

Attaka takes CVE References from Vulnerabilities' description from Nessus Database.

Documentation Questions

CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

To see our documentation about CVE MITRE and Compatibility you have to follow these instructions:

  1. Log in to our product.
  2. Click on the menu bar item called Help
  3. Click on "CVE MITRE Compatibility" section on the left panel.
CVE and Compatibility Documentation

Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):

Our customers can look up by many reference types, including CVE MITRE, to read about that you have to follow these steps:

  1. Log in to our product.
  2. Click on the menu bar item called Help. A pop up will be open.
  3. Click on "Vulnerabilities" section and then check "Search Vulnerabilities" on the left panel. You'll find how to search for a specific reference ID.
Documentation of Finding Elements Using CVE Names

Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):

Our customers can look up by OW-ID (Our own vulnerability identification coding) and obtain associated CVE names to it, to read about that you have to follow these steps:

  1. Log in to our product.
  2. Click on the menu bar item called Help. A pop up will be open.
  3. Click on "Vulnerabilities" and you will found out in Vulnerability List sub-section a description about what information is brought by our platform including CVE names associated.

Documentation Indexing of CVE-Related Material <CR_4.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):

Our online help product support has got an index to indicate where it is the information about our product's CVE MITRE Compatibility support. You can see it in the left panel of its main window. Here you are an screenshot of it, we have circled it.

Documentation Indexing of CVE-Related Material

Type-Specific Capability Questions

Tool Questions

Finding Tasks Using CVE Names <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):

We are going to explain through screenshots how to browse our Vulnerability Repository and find out how tasks can be search and solve by CVE names:

  1. Search based on a CVE name in the Security vulnerability knowledge base:

    Main Screen > Vulnerability List More Icon

    Finding Tasks Using CVE Names

  2. Locate the task associated to the CVE name and expand it to find out details about how to remediate.

    Finding Tasks Using CVE Names

Finding CVE Names Using Elements in Reports <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

We are going to explain through screenshots how to find a discovered vulnerability and its corresponding associated CVE names:

  1. Open up a Vulnerability Assessment Report clicking on the glass icon:

    Main Screen > Glass Icon

    Finding CVE Names Using Elements in Reports

  2. Expand an IP Address Technical Analysis

    Finding CVE Names Using Elements in Reports

  3. Go to "Appendix: Detected Vulnerabilities" sub-section and you will find all vulnerabilities founded on that IP Address and its associated CVE names. Plus, you can click on the CVE names and open their associated information on CVE MITRE Web Page.

    Finding CVE Names Using Elements in Reports

Selecting Tasks Using Individual CVE Names <CR_A.2.6>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the tool by using individual CVE names (recommended):

Please, refer to question A.2.1.

Service Questions

Service Coverage Determination Using CVE Names <CR_A.3.1>

Give detailed examples and explanations of the different ways that a user can use CVE names to find out which security elements are tested or detected by the service (i.e. by asking, by providing a list, by examining a coverage map, or by some other mechanism) (required):

The following instructions show you how to look for a specific CVE name to find out which security vulnerability / element has been discovered:

  1. Open up a Vulnerability Assessment Report clicking on the glass icon:

    Main Screen > Glass Icon

    Service Coverage Determination Using CVE Names

  2. Execute the printing view of the vulnerability assessment report.

    Service Coverage Determination Using CVE Names

  3. Click on Expand button and press the "Find" function on your web browser, usually its shortcut it is CTRL + F and type the desired CVE name.

    Service Coverage Determination Using CVE Names

Finding CVE Names in Service Reports Using Elements <CR_A.3.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the user can determine the associated CVE names for the individual security elements in the report (required):

The following instructions show you how to look for a discovered vulnerability and its corresponding associated CVE names:

ON THE VULNERABILITY ASSESSMENT REPORT

  1. Open up a Vulnerability Assessment Report clicking on the glass icon:

    Main Screen > Glass Icon

    Finding CVE Names in Service Reports Using Elements

  2. Expand an IP Address Technical Analysis

    Finding CVE Names in Service Reports Using Elements

  3. Go to "Appendix: Detected Vulnerabilities" sub-section and you will find all vulnerabilities founded on that IP Address and its associated CVE names. Plus, you can click on the CVE names and open their associated information on CVE MITRE Web Page.

    Finding CVE Names in Service Reports Using Elements

ON THE VULNERABILITY ASSESSMENT REMEDIATION TOOL

  1. Open up a Vulnerability Assessment Remediation Tool clicking on the tool icon:

    Main Screen > Tool Icon

    Finding CVE Names in Service Reports Using Elements

  2. Click on any Vulnerability title and a pop up windows will display its CVE name(s) associated. Furthermore, you are able to see CVE name's description clicking on it.

    Finding CVE Names in Service Reports Using Elements

Service's Product Utilization Details <CR_A.3.4>

Please provide the name and version number of any product that the service allows users to have direct access to if that product identifies security elements (recommended):

Users have direct access to our security platform only, they do not have access to the scanner tool.

Online Capability Questions

Finding Online Capability Tasks Using CVE Names <CR_A.4.1>

Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CVE name or through an online mapping that links each element of the capability with its associated CVE name(s) (required):

We are going to explain through screenshots how to browse our Vulnerability Repository and find out how tasks can be search and solve by CVE names:

  1. Search based on a CVE name in the Security vulnerability knowledge base:

    Main Screen > Vulnerability List More Icon

    Service's Product Utilization Details

  2. Locate the task associated to the CVE name and expand it to find out details about how to remediate.

    Service's Product Utilization Details

Online Capability Interface Template Usage <CR_A.4.1.1>

Provide a detailed description of how someone can use your "URL template" to interface to your capability's search function (recommended):

There is a validation in our platform that forbids the user from changing the url.

Finding CVE Names Using Online Capability Elements <CR_A.4.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CVE names for the individual security elements in the report. (required):

Please, see question A.2.1 and A.3.4. In each procedure documented in the previous questions you can check CVE name information clicking on them and a web browser with corresponding CVE information in MITRE website will appear.

Online Capability Element to CVE Name Mapping <CR_A.4.3>

If details for individual security elements are not provided, give examples and explanations of how a user can obtain a mapping that links each element with its associated CVE name(s), otherwise enter N/A (required):

For non-listed security elements you can look up in our database to find those ones with are associated with none or many CVE names. Just follow these instructions:

  1. Go to Main Screen > Vulnerability List More Icon
  2. Search based on a CVE name in the Security vulnerability knowledge base:

Note: You can type the CVE name in one of the following formats:

Format Example
CVE-YYYY-NNNN CVE-2004-0122
CAN-YYYY-NNNN CAN-2004-1064
YYYY-NNNN 2004-0122
Aggregation Capability Questions

Finding Elements Using CVE Names <CR_A.5.1>

Give detailed examples and explanations of how a user can associated elements in the capability by looking for their associated CVE name (required):

We are going to explain through screenshots how to browse our Vulnerability Repository and find out how tasks can be search and solve by CVE names:

  1. Search based on a CVE name in the Security vulnerability knowledge base:

    Main Screen > Vulnerability List More Icon

    Finding Elements Using CVE Names

  2. Locate the task associated to the CVE name and expand it to find out details about how to remediate.

    Finding Elements Using CVE Names

Finding CVE Names Using Elements in Reports <CR_A.5.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the capability allows the user to determine the associated CVE names for the individual security elements in the report (required):

We are going to explain through screenshots how to find a discovered vulnerability in the report and its corresponding associated CVE names:

  1. Open up a Vulnerability Assessment Report clicking on the glass icon:

    Main Screen > Glass Icon

    Finding CVE Names Using Elements in Reports

  2. Expand an IP Address Technical Analysis

    Finding CVE Names Using Elements in Reports

  3. Go to "Appendix: Detected Vulnerabilities" sub-section and you will find all vulnerabilities founded on that IP Address and its associated CVE names. Plus, you can click on the CVE names and open their associated information on CVE MITRE Web Page.

    Finding CVE Names Using Elements in Reports

Selecting Tasks Using Individual CVE Names <CR_A.5.6>

Describe the steps that a user would follow to browse, select, and deselect a set of tasks for the capability by using individual CVE names (recommended):

Please, refer to question A.2.1.

Media Questions

Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

Nowadays Attaka provides output in HTML and PDF Format.

Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability's standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

On our Vulnerability Assessment Report each security element are linked to its / their CVE names on the Appendix sub-section of every IP Address scanned where information about the security element are full explained.

Electronic Document Element to CVE Name Mapping <CR_B.3.3>

Provide example documents that demonstrate the mapping from the capability's individual elements to the respective CVE name(s) (recommended):

The CVE name is highly featured next to the OW-ID (Our own ID) on each query's web page (red circled). Examples:

VULNERABILITY ASSESSMENT REPORT:

Electronic Document Element to CVE Name Mapping

VULNERABILITY SEARCH:

Electronic Document Element to CVE Name Mapping

REMEDIATION SCREEN:

Electronic Document Element to CVE Name Mapping

Graphical User Interface (GUI)

Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CVE name(s) (required):

The following instructions show you how to look for a specific CVE name to find out which security vulnerability / element has been discovered:

  1. Open up a Vulnerability Assessment Report clicking on the glass icon:

    Main Screen > Glass Icon

    Finding Elements Using CVE Names Through the GUI

GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability's elements, also describe the format of the mapping (required):

Nowadays, Attaka provides a HTML formatted vulnerability assessment report and access to the full text of the report in text format inside the product interface.

GUI Export Electronic Document Format Info <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):

Attaka can export reports to PDF, we have documented that process at Help > Report > PDF Report Printing. After generate the PDF document you can look up for CVE-related text using your favourite PDF reader.

Questions for Signature

Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Federico Seineldin

Title: Globant Sustainable Infostructure Studio Managing Partner

Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CVE entries our capability identifies."

Name: Federico Seineldin

Title: Globant Sustainable Infostructure Studio Managing Partner

Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Federico Seineldin

Title: Globant Sustainable Infostructure Studio Managing Partner

Page Last Updated or Reviewed: April 28, 2016