Add Support for Rapid7 Nexpose/Metasploit (previously GC#178)

[brianmather]

Reported by hlee@indeed.com, Nov 13, 2012 Rapid7's Nexpose and Metasploit tools are widely used, and should be incorporated into ThreadFix.

[brianmather]

Comment by DCornell on Nov 13, 2012

Thanks for submitting. We've reached out to the Rapid7 folks to get access to the appropriate files/formats. We'll keep you posted.

[brianmather]

Comment by by hlee@indeed.com, Nov 13, 2012

Let me know if you have any help with this. I sit about 100 yards from Rapid7's Austin office.

[st1gma]

Is this still being worked on?

[dancornell]

It has been discussed but hasn't been a focus for our in-house engineering folks. Both Nexpose and Metasploit are primarily focused on network/infrastructure vulnerabilities with -some- capabilities for applications (specifically web applications) ThreadFix's asset and vulnerability management is primarily targeted toward applications (web, mobile, web services) and their vulnerabilities so the concern was the an integration with Metasploit and/or Nexpose wouldn't provide as much value as other tools that are application-centric (like Cenzic, Checkmarx, etc). I think we have the same problem with our Nessus importer - we can import Nessus results but we only pick up those plugins that relate to their web application vulnerability scanning so the integration ends up feeling kind of half-baked.

That said - if folks are really interested in this let us know and we can potentially re-prioritize. Also we have talked about adding the ability the manage network/infrastructure assets and vulnerabilities in ThreadFix. The challenge is that this is a non-trivial investment of time and resources so we're looking for folks who can help support and/or fund the development effort. In the meantime we're keeping this feature request open.

[etawiah]

I know this is old however since it's still open, I wanted to +1 for managing network/infra vulnerabilities in threadfix. I also use nexpose/metasploit as well as many other opensource tools.

[NoahJaehnert]

The following question was asked as part of the Threadfix 2.2 Preview webinar -- "What are ThreadFix’s capabilities for importing results from traditional vulnerability (network and infrastructure) scanners?"

The response was - "We currently allow imports from Nessus vulnerability scans. If the Nessus plugin has CWE data associated with the scan result, ThreadFix can import them. However, these results are associated with a ThreadFix “Application” rather than with an IP address, as Nessus and other network/infrastructure scanners would typically do. We have looked at adding support for more network/infrastructure scanners like Rapid7 and OpenVAS, but the way that ThreadFix currently manages assets – on an “Application” basis – is different than the way that most network and infrastructure scanners manage assets – on an IP-address or host basis. If we do so in the short term it will likely look like our Nessus support where scan results are associated with an “Application” rather than a specific IP/host. That model seems to work well for a number of ThreadFix users but may not work for everyone. "

Instead of only pulling out CWEs found in infrastructure scans, I think it would help tremendously to get a holistic picture of an application's vulnerabilities if Threadfix were also able to tie/map the infrastructure vulnerabilities that the supporting server(s) have to a specific application.

Specifically, I'm suggesting using something similar to the remote provider mapping feature, but instead allowing Threadfix users to pull in and map IP addresses (and therefore the infrastructure vulnerabilities) to the specific applications.

Just my two cents. Thanks for your time!