I've been looking into this for a little while, but haven't really found anything suitable.
What I am looking for is a system to track security vulnerability remediation status. Something like "bugzilla for IT".
What I am looking for is something pretty simple that allows the following:
- batch entry of new vulnerabilities that need to be remediated
- Per user assignment
- AD/LDAP Authentication
- Simple interface to track progress - research, change control status, remediated, etc.
- Historical search ability
- Ability to divide by division
- Ability to store proof of resolution for the Security Team to access
- Dependency tracking
- Linux based is best (that's my group :) )
- Free is good, but cost doesn't matter so much if the system is worth it
The system doesn't have to have all of these features, but if it did that would be great.
Yes, we could use our helpdesk software, but that has a bunch of pitfalls, such as triggering SLA alerts and penalties, as well as not being easily searchable outside of a group.
Most of what I have found are bug tracking systems that are geared towards developers, and are honestly way overkill for what I am looking for.
Server Fault's input is greatly appreciated as always!
Ok, as far as I know, there is no product that will do this; would have to roll your own.
As far as starting points, I would start with Metasploit and nmap to gather your vulns, drop them into a db (mysql, postgres, etc.), and use that input as creation items for a bug-tracker (Trac, Redmine, etc.) and use that as your ticketing engine.
As far as getting your AD/LDAP authentication records, you could probably do that input with syslog collection; I'm not sure if you could collect directly from there into your db.
I won't go as far as to say that 'if you productized this, you'd get rich', but with the right SEO, you could certainly get a lot of pageviews and/or consulting offers.
In any case, I hope it's worth it to you, because it's going to be a lot of work! ;-)
UPDATE: Have you looked into Metasploit?
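A minimal sketch of the roll-your-own pipeline the answer above describes, added here as an example that is not part of the original post: a constructed nmap -oX style fragment is batch-imported into an SQLite table that models the asker's needs (per-user assignment, status categories, division, stored proof of resolution, dependency tracking, and a searchable view of open work). The table layout and function names are my own assumptions, not those of any product.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed nmap -oX style fragment (not a real scan), used as the batch input.
NMAP_XML = """<nmaprun><host><address addr="10.0.0.5"/><ports><port portid="23"><state state="open"/><service name="telnet"/></port>
<port portid="21"><state state="open"/><service name="ftp"/></port></ports></host>
<host><address addr="10.0.0.9"/><ports><port portid="23"><state state="open"/><service name="telnet"/></port>
<port portid="22"><state state="closed"/><service name="ssh"/></port></ports></host></nmaprun>"""

def open_tracker(path=":memory:"):
    """One finding per host/port/service/division (UNIQUE = idempotent re-import); CHECK pins statuses."""
    conn = sqlite3.connect(path, isolation_level=None)  # autocommit: every statement is durable
    conn.executescript("""CREATE TABLE IF NOT EXISTS finding (
        id INTEGER PRIMARY KEY, host TEXT, port INTEGER, service TEXT, division TEXT, assignee TEXT,
        proof TEXT, depends_on INTEGER REFERENCES finding(id), status TEXT NOT NULL DEFAULT 'new'
        CHECK (status IN ('new', 'research', 'change_control', 'remediated')),
        UNIQUE (host, port, service, division));""")
    return conn

def import_nmap(conn, xml_text, division):
    """Batch-create one finding per open port; ports already tracked are skipped."""
    added = 0
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") == "open":
                added += conn.execute(
                    "INSERT OR IGNORE INTO finding (host, port, service, division) VALUES (?, ?, ?, ?)",
                    (addr, int(port.get("portid")), port.find("service").get("name"), division)).rowcount
    return added

def assign(conn, fid, user, depends_on=None):
    """Per-user assignment, optionally blocked on another finding (dependency tracking)."""
    conn.execute("UPDATE finding SET assignee = ?, depends_on = ? WHERE id = ?", (user, depends_on, fid))

def set_status(conn, fid, status, proof=None):
    """Advance a finding; closing as 'remediated' needs stored proof and a remediated dependency."""
    if status == "remediated":
        if not proof:
            raise ValueError("proof of resolution required")
        dep = conn.execute("SELECT d.status FROM finding f JOIN finding d ON f.depends_on = d.id"
                           " WHERE f.id = ?", (fid,)).fetchone()
        if dep and dep[0] != "remediated":
            raise ValueError("dependency not yet remediated")
    conn.execute("UPDATE finding SET status = ?, proof = COALESCE(?, proof) WHERE id = ?", (status, proof, fid))

def open_findings(conn, division):
    """Per-division view of unresolved work as (id, host, port, service, assignee, status) rows."""
    return conn.execute("SELECT id, host, port, service, assignee, status FROM finding"
                        " WHERE division = ? AND status != 'remediated' ORDER BY id", (division,)).fetchall()
```

Point `open_tracker()` at a file path instead of `:memory:` to keep history across runs; AD/LDAP authentication would sit in front of whatever UI you put on the table, not in the schema.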
I realize this question is very old and you likely have found a solution that works for you, but if not - have you looked into the Dradis Framework? It ticks most of your boxes. Full disclosure, I work for the team that makes Dradis.
After you gather the output of your favorite tools from your assessment (Nmap, Burp, Nessus, etc.), use Dradis to compile them into a single project.
Use the rules engine to deduplicate findings, and update the vendor's description to your own from the issue library.
Assign issues to users to remediate and customize the interface for the status categories that make sense for you.
If you are interested in taking a look, here is how the different plans and the community edition compare: https://dradisframework.com/pro/editions.html