How to include a custom RSS feed with CVE severity information into BigFix' patch management?

Andreas 2023-10-09 11:58:03 UTC #1

There’s a site called “S-CERT” which provides evaluated security reports especially for the “Sparkasse” (a German bank). Those reports can be retrieved as email or RSS feed, and contains the following information (excerpt):

CVE number
Security rating (like probability of attack, potential damage when exploited etc.)
Description
link to patches (if available)

Is it possible to include this RSS feed into BigFix and somehow automatically link those reports with the existing patch information BigFix already gathered from i.e. RedHat, so the client can use the BigFix features like “Take Action” on high severity issues to patch relevant systems based on the RSS feed?

And if so, how easy/complicated would it be to include the RSS feed?

Any help would be appreciated, thanks a lot in advance!

Btw: the S-CERT support never heard of BigFix, so they weren’t that much of a help

JasonWalker 2023-10-09 12:36:12 UTC #2

It would be entirely possible to do something like this, but I’m not sure there would be enough demand for it for us to include that in the product. You might get in touch with @aram to talk about adding features on the roadmap, or if you like I can help you get in touch with our Professional Services organization to build a custom solution for you.

There are a few approaches one could take on this. A fully-automated solution is actually the simplest - a script could easily retrieve the RSS feed, and then leverage our REST API to correlate the CVEs to Fixlets, and either create Baselines or send Actions based on those Fixlets. Scheduling actions, automatic reboots, targeting computer groups, etc. would be very much customer-specific though, making it a bit complex to generalize to something that works for everyone.

If you want to add user interactivity, the same could certainly be done in a Console Dashboard - either reading the RSS feed directly, or having a script that retrieves the RSS on a schedule and writes the resulting CVE list to a data file on your server as a Site File, and then the Dashboard could use that in selecting Fixlets for Baseline/Action/Reporting.

For WebUI integration, we did very recently publish a WebUI SDK that could help with writing a custom WebUI application to do the same.

Aram 2023-10-09 13:31:21 UTC #3

This use case aligns quite well with BigFix CyberFOCUS!

A couple of follow-up questions please:

Are the security reports public? And if so, can you share a link and/or more details? (we will do our own research here as well, but any details you can share would help)
Would you be interested in a follow-up conversation with Product Management to help us better understand the need here, and potentially collaborate on approaches/solutions?

(CC: @HCLJordan)

orbiton 2023-10-09 15:34:45 UTC #4

@JasonWalker about “For WebUI integration, we did very recently publish a WebUI SDK that could help with writing a custom WebUI application to do the same.” I remember that it was released internally and not for the public. could you please provide information about it.

JasonWalker 2023-10-09 16:57:55 UTC #5

Oops sorry, I thought we had made that public since I glossed over the release announcement at BigFix WebUI new release available! (December 2022)

(Not sure why we’d announce it that way, but yeah I think it’s still internal. Sorry for the confusion)