For most pentest teams, your vulnerability library is the result of years of finding vulnerabilities, writing up descriptions, compiling data, and putting it all together into a database you can easily reference and copy from when building a pentest report. You need that library to ensure you can quickly and reliably share information about found issues with clients.
With Cyver Core, you can automate using that vulnerability library with a suite of tools designed around vulnerability and finding management, import, and writeup automation. This includes an integrated vulnerability library where you can import your existing library, add to it, and automatically populate data across new uploads as you deliver work. The goal is to automate as much of the manual work of pentest delivery as possible, freeing you and your team up for more pentesting.
Vulnerability libraries and findings management are a big topic, but we’ll go over how Cyver Core approaches them as well as some of the features you can use to streamline your import and findings writeup processes.
Everything in One Place
The first step is that everything is in one place. Pentesters traditionally have extensive libraries in Word, Excel, a cloud tool, etc. When you have to write up a report, finding that data is a simple matter of CTRL-F, CTRL-C and done. That’s still time-consuming, and means potentially hours of selecting content, copying it, and then pasting it into the appropriate finding in your report. It’s also error prone: you might miss copying a few words or paste content into the wrong field. That’s even worse when you start looking at CWE and CVE data or CVSS – you have to calculate everything manually and move it into your report.
Cyver Core moves everything into one platform, so all of your data is in one place. That means the vulnerability library, writeups, artifacts, client data, associated assets, associated technology, etc.
Moving everything into a central repository allows Cyver to automatically aggregate data, building out finding details with scoring, methodology, benchmarking, recommendations, and other details all at once – with no copy-paste.
Import from Your Tooling
Cyver offers integrations with a growing suite of pentest tools as well as a REST API which you can use to build your own connections. These integrations allow you to connect to your tooling to import your vulnerability findings into the Cyver Core platform automatically (or with a click).
Here, you can also import from Excel files or manually add a one-off finding.
During import you can:
- Auto-fill details from your vulnerability library such as descriptions, remediation, etc. You’ll still have to add your own artifacts to the finding as these are normally instance-specific. However, the details from your library will be automatically added to newly uploaded vulnerabilities, saving you that time on copy-paste.
- Auto-fill scoring such as CWE, CVE, CVSS, methodology, etc., based on your pre-defined settings for the import. You can also add benchmarking for pass-fail scenarios for compliance norms or build your own scoring system.
- Auto-merge new findings into existing findings with the same name on the project, complete with a log of where the finding was found (which asset) and how many times the finding recurred, so you always see which pentests the finding showed up on and where. Cyver Core allows you to maintain multiple vulnerability libraries so you can keep different libraries per client, per technology, methodology, language you deliver in, etc. This also means you get to choose which library you’re merging descriptions from during the import.
- Generate recommendations and descriptions – If you don’t have recommendations written in Cyver Core, you can use our GenAI tool to automatically generate a findings description based on specific methodology, compliance norm, and client technology. You can also generate remediation recommendations and then automatically add those to the finding ticket.
- Findings are automatically linked to the pentest selected during upload – as well as to the client and assets selected. However, you can always save generic finding data to your library later.
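The import steps above (match a new finding against the library, auto-fill its generic details, merge repeats by name while logging the asset and recurrence count, and later save a brand-new finding back to the library) are shown in the added example below. This is illustrative code written for this page, not Cyver Core’s own implementation or API; the library structure, the export row format, and all sample values are constructed assumptions.

```python
"""Added example (not Cyver Core's code): merge a tool export into a
project's findings and auto-fill details from a vulnerability library.

Assumptions (not from the product): findings are matched by exact name;
the library is a dict keyed by finding name; an export row carries
name / asset / severity. All sample data below is constructed.
"""
from dataclasses import dataclass, field

# Constructed vulnerability library: generic, client-independent writeups.
LIBRARY = {
    "Reflected XSS": {
        "description": "User input is echoed into the page without output encoding.",
        "remediation": "Contextually encode output and deploy a Content Security Policy.",
        "cwe": "CWE-79",
    },
    "Missing HSTS Header": {
        "description": "The server does not send a Strict-Transport-Security header.",
        "remediation": "Send HSTS with a max-age of at least one year.",
        "cwe": "CWE-319",
    },
}


@dataclass
class Finding:
    name: str
    severity: str
    assets: list = field(default_factory=list)   # where it was found
    occurrences: int = 0                          # how many times it recurred
    description: str = ""
    remediation: str = ""
    cwe: str = ""
    needs_writeup: bool = False                   # True when the library had no entry


def import_findings(export, library, project=None):
    """Merge export rows into project findings keyed by name.

    Rows with the same name collapse into one Finding: each asset is logged
    once and the occurrence counter is incremented. Generic details
    (description, remediation, CWE) are filled from the library; a finding
    the library does not know is flagged so someone writes it up.
    """
    project = {} if project is None else project
    for row in export:
        name = row["name"]
        finding = project.get(name)
        if finding is None:
            finding = Finding(name=name, severity=row["severity"])
            entry = library.get(name)
            if entry:
                finding.description = entry["description"]
                finding.remediation = entry["remediation"]
                finding.cwe = entry["cwe"]
            else:
                finding.needs_writeup = True
            project[name] = finding
        finding.occurrences += 1
        if row["asset"] not in finding.assets:
            finding.assets.append(row["asset"])
    return project


def promote_to_library(finding, library):
    """Save a finding's generic writeup to the library (artifacts stay out)."""
    library[finding.name] = {
        "description": finding.description,
        "remediation": finding.remediation,
        "cwe": finding.cwe,
    }
    finding.needs_writeup = False
    return library


# Constructed scanner export: four rows, two of them the same finding.
SAMPLE_EXPORT = [
    {"name": "Reflected XSS", "asset": "app.example.test", "severity": "High"},
    {"name": "Reflected XSS", "asset": "api.example.test", "severity": "High"},
    {"name": "Missing HSTS Header", "asset": "app.example.test", "severity": "Low"},
    {"name": "Verbose Error Page", "asset": "api.example.test", "severity": "Low"},
]

if __name__ == "__main__":
    project = import_findings(SAMPLE_EXPORT, LIBRARY)
    for f in project.values():
        print(f.name, f.occurrences, f.assets, f.cwe or "(needs writeup)")
```

Running the block merges the two “Reflected XSS” rows into one finding with two assets and two occurrences, fills the HSTS finding from the library, and flags “Verbose Error Page” as needing a writeup; calling promote_to_library on that finding after it has been written up is the “save generic data to your library later” step.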
These features mean that you can import the results of a scan or an export from a tool and then automatically add data from your vulnerability library, your reference links, scoring, etc. You can then check and edit everything yourself, add custom artifacts such as screenshots, and finalize it for the client.
Adding these details often doesn’t take much time per finding. However, over the course of hundreds of vulnerabilities per pentest, it adds up. Cyver saves you time on every vulnerability you find that’s already in the database, and ensures that when you have a completely new finding, saving it to the library is a simple click of a button.
Review Uploads
The larger your team, the more important it is that you have a review process in place to ensure that your quality assurance is on point. With Cyver Core, you can integrate upload review directly into the import process, using role management, task lists, assigned tasks, and a commenting function.
This means that when a pentester uploads a finding, they can immediately edit the status to “To Review”. From there, the assigned person will receive a notification to check the finding. That could be a writer, a senior pentester, or another pentester to ensure you have quality assurance in place. They can then leave comments, make changes, start a discussion, or approve and publish the finding.
Findings Library
Your vulnerability library is an important part of your pentest delivery. With Cyver Core, it’s also directly in your pentest management platform, where you can easily edit, automatically pull data, and add new findings as they come in.
Cyver’s findings library also makes building, maintaining, and accessing your vulnerability libraries easier than ever. For example, your findings are searchable, taggable, and you can automatically merge duplicate entries. You can also create multiple versions of your library for different technologies and methodologies, meaning you can have severity and weights pre-selected for the specific type of pentesting you’re running.
The goal is that you can easily pull content for commonly occurring vulnerabilities so you only ever have to do your writeups once.
Some recommendations from Cyver:
- Review your reporting needs and decide if you need one or more libraries. If you deliver in different languages or have custom writeup needs for one type of pentest, you may want more than one library. Make sure you use a clear naming scheme for your libraries so it’s easy to see which one to select when you’re building a pentest report.
- Create or import your vulnerability library. Review descriptions, generic recommendations, data like CVSS, etc.
- Clone new findings from a pentest in Cyver to add generic (non-client specific) information from the finding to your library so you only have to create new writeups once.
- Use a naming scheme and labels for your findings. This makes them easier to search and add but also means you can use tokens to automatically add types of findings into a report section.
These features are designed to ensure you can very easily maintain your vulnerability library right in Cyver Core – while more easily pulling data from it when you need it.
Findings as Tickets
Cybersecurity is increasingly switching focus away from using pentests for compliance and towards using pentests to remediate vulnerabilities. This means that more and more often, clients need findings delivered as a ticket and not as a report. With Cyver, you can directly share the uploaded vulnerability finding to the client, right in the client portal. The client can then track status, ask for details, see remediation information, and mark the finding as remediated right in the platform. Cyver also offers exports to ticket management systems such as Jira, so clients can easily export work items to their teams.
Findings tickets include:
- Finding details
- Proof of finding such as screenshots
- Methodology
- Scoring/Criticality data
- Remediation tips
- A custom chat space where clients can contact pentesters about the specific finding
- Status tracking showing number of recurrences, time open, accepted/open/remediated status, and retest tracking
Findings as tickets mean you can deliver pentests in a way that clients can immediately start work. While some clients will still need the PDF report for compliance, findings as tickets offer a better approach to pentest delivery for remediation and actually fixing findings. In addition, they allow for automated metrics like average time to fix, common vulnerability type, commonly affected assets, and alerts when findings stay open for longer than norms for that severity.
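The ticket metrics mentioned above (average time to fix, commonly affected assets, and alerts when a finding stays open longer than the norm for its severity) are small computations over ticket status data. The added example below shows one way to derive them; it is written for this page and is not Cyver Core’s code, and the per-severity day limits, ticket fields, and dates are constructed assumptions rather than product settings.

```python
"""Added example (not Cyver Core's code): metrics and alerts over finding
tickets. Assumes each ticket records an opened timestamp, an optional
remediated timestamp, a severity and its affected assets. The per-severity
norms are a constructed policy, not a Cyver setting.
"""
from collections import Counter
from datetime import datetime

# Constructed norms: maximum number of days a finding may stay open.
NORM_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

# Constructed ticket data.
TICKETS = [
    {"name": "Reflected XSS", "severity": "High", "assets": ["app.example.test"],
     "opened": datetime(2024, 1, 10), "remediated": datetime(2024, 1, 25)},
    {"name": "SQL Injection", "severity": "Critical", "assets": ["api.example.test"],
     "opened": datetime(2024, 2, 1), "remediated": None},
    {"name": "Missing HSTS Header", "severity": "Low",
     "assets": ["app.example.test", "api.example.test"],
     "opened": datetime(2024, 2, 5), "remediated": datetime(2024, 2, 20)},
    {"name": "Outdated jQuery", "severity": "Low", "assets": ["app.example.test"],
     "opened": datetime(2024, 2, 15), "remediated": None},
]


def days_open(ticket, now):
    """Days between opening and remediation, or until `now` if still open."""
    end = ticket["remediated"] or now
    return (end - ticket["opened"]).days


def average_time_to_fix(tickets):
    """Mean days-to-remediate over remediated tickets (None if there are none)."""
    fixed = [days_open(t, None) for t in tickets if t["remediated"]]
    return sum(fixed) / len(fixed) if fixed else None


def overdue(tickets, now, norms=NORM_DAYS):
    """Names of open tickets whose time open exceeds the norm for their severity."""
    return [t["name"] for t in tickets
            if not t["remediated"] and days_open(t, now) > norms[t["severity"]]]


def affected_asset_counts(tickets):
    """How many findings touch each asset, most affected first."""
    return Counter(a for t in tickets for a in t["assets"]).most_common()


def severity_status(tickets):
    """Open versus remediated counts per severity, for a quick dashboard line."""
    status = {}
    for t in tickets:
        row = status.setdefault(t["severity"], {"open": 0, "remediated": 0})
        row["remediated" if t["remediated"] else "open"] += 1
    return status


if __name__ == "__main__":
    now = datetime(2024, 3, 1)
    print("avg days to fix:", average_time_to_fix(TICKETS))
    print("overdue:", overdue(TICKETS, now))
    print("assets:", affected_asset_counts(TICKETS))
    print("status:", severity_status(TICKETS))
```

With the constructed data, the two remediated tickets each took 15 days, the open Critical SQL injection has exceeded its 7-day norm by 1 March and is reported as overdue, while the open Low finding is still within its 180-day norm.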
Ultimately, Cyver Core functions as a central hub for your vulnerability finding management – with your library, imports from tooling, severity and metrics, and delivery all in one place. Plus, with options to save findings from imports to the library, you can ensure custom content is reusable across pentests, saving you time on future projects.
If you’d like to learn more about how Cyver Core streamlines vulnerability management and your vulnerability library, contact us for a demo.