Cisco provides a choice of ways to learn about the security vulnerabilities it reports. Users and administrators can check Cisco's security page. They can subscribe to a mailing list, an RSS feed, or a notification service. The most versatile option is the PSIRT OpenVuln API. It's lets organizations run applications to monitor and respond to vulnerabilities in customized ways. They can use existing applications or create their own.
In creating OpenVuln, Cisco is aiming not only to present information in more adaptable ways, but to encourage the development of open security automation standards.
OpenVuln lets a custom application get the latest information through a REST API. RESTful queries are equivalent to HTTP URLs, so an application can use Web-related code libraries to do much of the work. The information can come back in XML or JSON format, following five standards:
-
CVE, Common Vulnerabilities and Exposures.
-
CVSS, Common Vulnerability Scoring System.
-
CVRF, Common Vulnerability Reporting Framework.
-
OVAL, Open Vulnerability and Assessment Language (only for Cisco IOS advisories).
-
CWE, Common Weakness Enumeration.
Creating OpenVuln applications
The API is available to registered applications. The registrant needs to have a CCO (Cisco Connection Online) ID in order to get a unique client identifier for the application. When it runs, the application needs to get an authorization token using OAuth 2 before making queries. The token is valid for one hour.
Cisco's API Console lets anyone with a CCO ID register applications and experiment with the API.
REST is language-neutral, so applications can be written in any programming language. Cisco provides a GitHub repository with sample code in PHP, Python, Ruby, and curl scripting. Developers can use the Swagger editor to design their API calls, using a YAML file from the repository.
Cisco’s openVulnQuery command line application, written in Python, is included in the repository. It allows searches by ID, severity, product, year, and most recent date. As an open-source application, it can serve as starting point for creating applications in Python or other languages.
So far there is little open-source code available, other than what Cisco provides, for calling OpenVuln. The lack of a Java package is especially conspicuous, and the Ruby and PHP examples are just demonstrations of the concepts. Creating new applications or code libraries could win a developer recognition in the world of security software.
Obtaining information from OpenVuln
CVRF information identifies one or more products affected, including specific versions, in human-readable form as well as by a product ID. A CVRF record typically goes through multiple revisions from the initial report to the resolution. A client application can look for reports naming specific products and send alerts to the appropriate people. Using the CVSS information, the alert can suit the security of the problem, adding more forms of notification for the most serious issues. The application can ignore reports that don't affect products which the organization uses, and it can poll reports on important vulnerabilities to get prompt status updates.
CVSS doesn't give just a single score, but several metrics. It includes a base metric group, which covers fixed characteristics of a vulnerability, and a temporal group, which measures its current status. The base group includes “exploitability,” the ease with which someone could take advantage of a weakness, and “impact,” the amount of damage exploiting the vulnerability could do. The temporal group includes “maturity,” which measures the presence of attack methods, “remediation,” which indicates available countermeasures, and “report confidence,” which says how well-validated the report is.
Creating an OpenVuln application for internal use is a fairly simple task, depending on how many features it includes. The API shows the ease with which custom code can keep an organization better informed of new and changing security risks. Better information allows better security.