# WIA-SEC-018: Vulnerability Assessment ## Appendix **Standard ID:** WIA-SEC-018 **Category:** Security (SEC) **Version:** 1.0.0 **Last Updated:** 2025-12-25 --- ## Appendix A: CVSS v3.1 Vector String Examples ### A.1 Critical Severity Examples #### Remote Code Execution (RCE) ``` CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Base Score: 10.0 (CRITICAL) Description: Network-exploitable RCE with no authentication required - Attack Vector: Network (AV:N) - Attack Complexity: Low (AC:L) - Privileges Required: None (PR:N) - User Interaction: None (UI:N) - Scope: Changed (S:C) - Confidentiality Impact: High (C:H) - Integrity Impact: High (I:H) - Availability Impact: High (A:H) ``` #### SQL Injection with Full Database Access ``` CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 9.8 (CRITICAL) Description: Network-exploitable SQL injection allowing full database compromise ``` ### A.2 High Severity Examples #### Cross-Site Scripting (XSS) - Stored ``` CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score: 5.4 (MEDIUM) to 7.1 (HIGH) Description: Stored XSS requiring low privileges and user interaction ``` #### Server-Side Request Forgery (SSRF) ``` CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N Base Score: 7.7 (HIGH) Description: SSRF allowing access to internal resources ``` ### A.3 Medium Severity Examples #### Information Disclosure ``` CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score: 5.3 (MEDIUM) Description: Exposure of sensitive information without authentication ``` #### Cross-Site Request Forgery (CSRF) ``` CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3 (MEDIUM) Description: CSRF allowing limited unauthorized actions ``` --- ## Appendix B: Common Vulnerability Types and CWE Mapping | Vulnerability Type | CWE ID | OWASP Top 10 | Typical CVSS Range | |-------------------|--------|--------------|-------------------| | SQL Injection | CWE-89 | A03:2021 | 7.5 - 10.0 | | Cross-Site Scripting (XSS) | CWE-79 | A03:2021 | 4.3 - 7.1 | | Remote Code Execution | CWE-94 | A03:2021 | 9.0 - 10.0 | | Path Traversal | CWE-22 | A01:2021 | 6.5 - 8.1 | | Command Injection | CWE-77 | A03:2021 | 8.0 - 10.0 | | Authentication Bypass | CWE-287 | A07:2021 | 7.5 - 9.8 | | Broken Access Control | CWE-284 | A01:2021 | 5.0 - 8.8 | | Insecure Deserialization | CWE-502 | A08:2021 | 8.0 - 10.0 | | XML External Entity (XXE) | CWE-611 | A05:2021 | 7.5 - 9.0 | | Server-Side Request Forgery | CWE-918 | A10:2021 | 6.5 - 8.5 | | Cryptographic Failure | CWE-327 | A02:2021 | 5.0 - 7.5 | | Security Misconfiguration | CWE-16 | A05:2021 | 4.0 - 8.0 | | Sensitive Data Exposure | CWE-200 | A02:2021 | 5.0 - 7.5 | | Insufficient Logging | CWE-778 | A09:2021 | 3.0 - 5.0 | | Cross-Site Request Forgery | CWE-352 | - | 4.0 - 6.5 | --- ## Appendix C: Vulnerability Scanning Tools Matrix ### C.1 Static Application Security Testing (SAST) Tools | Tool | Languages | License | Integration | Strengths | |------|-----------|---------|-------------|-----------| | SonarQube | 25+ | Open Source / Commercial | CI/CD, IDE | Code quality + security | | Semgrep | 20+ | Open Source | CLI, CI/CD | Fast, customizable rules | | Checkmarx | 25+ | Commercial | Enterprise CI/CD | Enterprise features | | Fortify | 25+ | Commercial | Enterprise | Comprehensive analysis | | CodeQL | 10+ | Free for OSS | GitHub Actions | Deep semantic analysis | | Bandit | Python | Open Source | CI/CD | Python-specific | | ESLint Security | JavaScript | Open Source | npm, CI/CD | JavaScript ecosystem | | Brakeman | Ruby/Rails | Open Source | CI/CD | Rails-specific | ### C.2 Dynamic Application Security Testing (DAST) Tools | Tool | Type | License | Capabilities | Best For | |------|------|---------|--------------|----------| | OWASP ZAP | Proxy Scanner | Open Source | Full DAST, API testing | Web applications | | Burp Suite | Proxy Scanner | Free / Pro | Manual + automated | Security testing | | Acunetix | Web Scanner | Commercial | Automated scanning | Enterprise web apps | | Netsparker | Web Scanner | Commercial | Auto-verification | Reducing false positives | | AppScan | Enterprise | Commercial | Enterprise features | Large organizations | | Nikto | Web Scanner | Open Source | Quick scanning | Basic web server checks | ### C.3 Software Composition Analysis (SCA) Tools | Tool | Package Managers | License | Features | Integration | |------|-----------------|---------|----------|-------------| | Snyk | npm, pip, Maven, etc. | Free / Pro | Vuln + license | CI/CD, IDE | | Dependabot | GitHub ecosystem | Free | Auto PRs | GitHub | | OWASP Dependency-Check | Maven, npm, etc. | Open Source | CVE checking | CLI, CI/CD | | WhiteSource | 200+ | Commercial | Policy enforcement | Enterprise CI/CD | | Black Duck | 20+ | Commercial | Comprehensive | Enterprise | | Trivy | Container, OS | Open Source | Fast scanning | Containers | ### C.4 Container Security Tools | Tool | Focus | License | Capabilities | |------|-------|---------|--------------| | Trivy | Containers, IaC | Open Source | Comprehensive scanning | | Clair | Container images | Open Source | Static analysis | | Anchore | Containers | Open Source / Commercial | Policy enforcement | | Aqua Security | Containers, K8s | Commercial | Runtime protection | | Snyk Container | Container images | Free / Pro | Vuln scanning | | Docker Scan | Docker images | Free | CLI scanning | --- ## Appendix D: Remediation Playbooks ### D.1 SQL Injection Remediation ```markdown # SQL Injection Remediation Playbook ## Immediate Actions (0-24 hours) 1. **Assess Impact** - Identify affected endpoints - Check database access logs for exploitation - Determine data exposure risk 2. **Implement Emergency Controls** - Deploy WAF rules to block SQL injection patterns - Implement input validation at application gateway - Enable database query logging 3. **Temporary Mitigation** ```python # Example: Add input sanitization import re def sanitize_input(user_input): # Remove SQL keywords sql_keywords = ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'DROP', 'UNION'] pattern = '|'.join(sql_keywords) if re.search(pattern, user_input, re.IGNORECASE): raise ValueError("Invalid input detected") return user_input ``` ## Short-term Fix (24-72 hours) 1. **Implement Parameterized Queries** ```python # Before (Vulnerable) query = f"SELECT * FROM users WHERE username = '{username}'" # After (Secure) query = "SELECT * FROM users WHERE username = ?" cursor.execute(query, (username,)) ``` 2. **Use ORM Safely** ```python # Using SQLAlchemy from sqlalchemy import text # Secure parameterized query result = session.execute( text("SELECT * FROM users WHERE username = :username"), {"username": username} ) ``` 3. **Input Validation** - Implement whitelist validation - Enforce data type constraints - Limit input length ## Long-term Solution (1-2 weeks) 1. **Code Refactoring** - Replace all dynamic SQL with prepared statements - Implement ORM layer - Code review for similar vulnerabilities 2. **Security Controls** - Principle of least privilege for database accounts - Separate read and write database users - Implement database activity monitoring 3. **Testing** - Add automated SQL injection tests - Penetration testing - Security regression testing ## Verification - [ ] All dynamic SQL replaced with prepared statements - [ ] Input validation implemented - [ ] WAF rules deployed and tested - [ ] Database permissions restricted - [ ] Automated tests added - [ ] Penetration test passed - [ ] Security scan clean ``` ### D.2 Cross-Site Scripting (XSS) Remediation ```markdown # XSS Remediation Playbook ## Immediate Actions 1. **Deploy CSP Headers** ```javascript // Content-Security-Policy header Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' ``` 2. **Implement Output Encoding** ```javascript // Before (Vulnerable) element.innerHTML = userInput; // After (Secure) element.textContent = userInput; // Or use DOMPurify element.innerHTML = DOMPurify.sanitize(userInput); ``` ## Short-term Fix 1. **Context-Aware Encoding** ```python from html import escape from urllib.parse import quote # HTML context safe_html = escape(user_input) # JavaScript context safe_js = json.dumps(user_input) # URL context safe_url = quote(user_input) ``` 2. **Input Validation** - Validate against expected patterns - Reject HTML tags in inputs - Sanitize rich text inputs ## Long-term Solution 1. **Security Headers** ``` Content-Security-Policy: default-src 'self' X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Frame-Options: DENY ``` 2. **Framework Protection** - Use framework's built-in XSS protection - Enable auto-escaping in templates - Use trusted types API 3. **Testing** - Automated XSS scanning - Manual penetration testing - Browser security testing ``` ### D.3 Remote Code Execution (RCE) Remediation ```markdown # RCE Remediation Playbook ## CRITICAL - Immediate Actions (0-4 hours) 1. **Isolate Affected Systems** - Network segmentation - Disable affected services if possible - Enable enhanced logging 2. **Assess Compromise** - Check for webshells - Review system logs - Scan for malware - Check for persistence mechanisms 3. **Emergency Patching** - Apply vendor patch if available - Deploy virtual patch via WAF/IPS - Implement strict input validation ## Short-term Fix (4-24 hours) 1. **Code Fix** ```python # Before (Vulnerable) import subprocess subprocess.call(f"process_file {user_filename}", shell=True) # After (Secure) import subprocess import shlex # Use argument list, not shell cmd = ["process_file", user_filename] subprocess.call(cmd, shell=False) # Or validate input import re if not re.match(r'^[a-zA-Z0-9_.-]+$', user_filename): raise ValueError("Invalid filename") ``` 2. **Sandboxing** - Run vulnerable component in container - Implement strict resource limits - Disable unnecessary system calls ## Long-term Solution 1. **Architecture Review** - Eliminate unsafe code execution patterns - Implement principle of least privilege - Use safe alternatives to dangerous functions 2. **Defense in Depth** - Application sandboxing - System call filtering (seccomp) - SELinux/AppArmor policies - Runtime application self-protection (RASP) ``` --- ## Appendix E: Compliance Mapping ### E.1 ISO 27001:2013 Controls Mapping | Vulnerability Management Activity | ISO 27001 Control | Description | |----------------------------------|-------------------|-------------| | Vulnerability Scanning | A.12.6.1 | Technical vulnerability management | | Patch Management | A.12.6.1 | Restrictions on software installation | | Security Testing | A.14.2.8 | System security testing | | Change Management | A.12.1.2 | Change management | | Access Control | A.9.1.1 | Access control policy | | Incident Response | A.16.1.1 | Responsibilities and procedures | | Risk Assessment | A.12.6.1 | Technical vulnerability management | ### E.2 SOC 2 Criteria Mapping | SOC 2 Criteria | Vulnerability Management Control | |----------------|----------------------------------| | CC6.1 - Logical access | Vulnerability assessment of access controls | | CC6.6 - Transmission protection | Network vulnerability scanning | | CC7.1 - System monitoring | Continuous vulnerability monitoring | | CC7.2 - Change detection | Configuration change scanning | | CC8.1 - Risk assessment | Vulnerability risk assessment | | CC9.1 - Vendor management | Third-party vulnerability assessment | ### E.3 NIST Cybersecurity Framework Mapping | NIST CSF Function | Category | Vulnerability Management Activity | |-------------------|----------|-----------------------------------| | Identify | Asset Management | Asset inventory for scanning | | Identify | Risk Assessment | Vulnerability risk assessment | | Protect | Protective Technology | Patch management | | Detect | Security Monitoring | Vulnerability scanning | | Detect | Detection Processes | Threat intelligence integration | | Respond | Response Planning | Remediation workflows | | Recover | Recovery Planning | Verification and closure | --- ## Appendix F: Sample Reports ### F.1 Executive Summary Report Template ```markdown # Vulnerability Assessment Executive Summary Period: [Start Date] - [End Date] ## Overview - Total Vulnerabilities: [Number] - Critical: [Number] ([Percentage]%) - High: [Number] ([Percentage]%) - Medium: [Number] ([Percentage]%) - Low: [Number] ([Percentage]%) ## Risk Summary - Overall Risk Score: [Score]/100 - Trend: [Improving/Stable/Declining] - High-Risk Assets: [Number] ## Key Findings 1. [Finding 1] 2. [Finding 2] 3. [Finding 3] ## Remediation Status - Open Vulnerabilities: [Number] - In Remediation: [Number] - Fixed (Unverified): [Number] - Verified Fixed: [Number] - Mean Time to Remediate: [Days] ## Compliance Status - ISO 27001: [Compliant/Non-Compliant] - SOC 2: [Compliant/Non-Compliant] - SLA Compliance: [Percentage]% ## Recommendations 1. [Recommendation 1] 2. [Recommendation 2] 3. [Recommendation 3] ``` ### F.2 Technical Vulnerability Report Template ```markdown # Technical Vulnerability Report ## Vulnerability Details - **ID**: [VULN-ID] - **CVE**: [CVE-ID] - **CWE**: [CWE-ID] - **Title**: [Vulnerability Title] - **Severity**: [CRITICAL/HIGH/MEDIUM/LOW] - **CVSS Score**: [Score] - Vector: [Vector String] ## Description [Detailed description of the vulnerability] ## Affected Assets - Asset 1: [Name] (Version: [Version]) - Asset 2: [Name] (Version: [Version]) ## Technical Analysis ### Attack Vector [Description of how the vulnerability can be exploited] ### Proof of Concept ``` [PoC code or steps to reproduce] ``` ### Impact Assessment - Confidentiality: [HIGH/MEDIUM/LOW/NONE] - Integrity: [HIGH/MEDIUM/LOW/NONE] - Availability: [HIGH/MEDIUM/LOW/NONE] ## Remediation ### Recommended Fix [Detailed remediation steps] ### Workaround [Temporary mitigation if fix not immediately available] ### Verification Steps 1. [Step 1] 2. [Step 2] 3. [Step 3] ## References - [Reference 1] - [Reference 2] ## Timeline - Discovered: [Date] - Reported: [Date] - Fix Deadline: [Date] - Verified: [Date] ``` --- ## Appendix G: Integration Code Examples ### G.1 GitHub Actions Integration ```yaml name: Vulnerability Scanning on: push: branches: [main, develop] pull_request: branches: [main] schedule: - cron: '0 0 * * *' # Daily at midnight jobs: sast-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Run Semgrep uses: returntocorp/semgrep-action@v1 with: config: >- p/security-audit p/owasp-top-ten - name: Upload SAST Results uses: github/codeql-action/upload-sarif@v2 with: sarif_file: semgrep.sarif sca-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Run Snyk uses: snyk/actions/node@master env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} with: args: --severity-threshold=high container-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Build Docker image run: docker build -t myapp:${{ github.sha }} . - name: Run Trivy uses: aquasecurity/trivy-action@master with: image-ref: myapp:${{ github.sha }} format: 'sarif' output: 'trivy-results.sarif' - name: Upload Trivy Results uses: github/codeql-action/upload-sarif@v2 with: sarif_file: trivy-results.sarif ``` ### G.2 GitLab CI Integration ```yaml stages: - security-scan - deploy sast: stage: security-scan image: returntocorp/semgrep script: - semgrep --config=auto --json > sast-report.json artifacts: reports: sast: sast-report.json dependency-scan: stage: security-scan image: snyk/snyk:node script: - snyk test --json > dependency-report.json artifacts: reports: dependency_scanning: dependency-report.json container-scan: stage: security-scan image: aquasec/trivy script: - trivy image --format json myapp:latest > container-report.json artifacts: reports: container_scanning: container-report.json ``` --- ## Appendix H: API Reference ### H.1 Complete API Endpoints ``` # Vulnerability Management GET /api/v1/vulnerabilities # List all vulnerabilities GET /api/v1/vulnerabilities/{id} # Get vulnerability details POST /api/v1/vulnerabilities # Create vulnerability PATCH /api/v1/vulnerabilities/{id} # Update vulnerability DELETE /api/v1/vulnerabilities/{id} # Delete vulnerability # Scanning POST /api/v1/scans # Start new scan GET /api/v1/scans/{id} # Get scan status GET /api/v1/scans/{id}/results # Get scan results DELETE /api/v1/scans/{id} # Cancel scan # Assets GET /api/v1/assets # List assets POST /api/v1/assets # Register asset GET /api/v1/assets/{id}/vulnerabilities # Get asset vulnerabilities # Reports GET /api/v1/reports/executive # Executive summary GET /api/v1/reports/technical # Technical report GET /api/v1/reports/compliance # Compliance report # CVE Database GET /api/v1/cve/{cveId} # Get CVE details GET /api/v1/cve/search # Search CVEs # Metrics GET /api/v1/metrics/dashboard # Dashboard data GET /api/v1/metrics/trends # Trend analysis ``` --- **Document Version:** 1.0.0 **Last Updated:** 2025-12-25 --- 弘益人間 (홍익인간) - Benefit All Humanity © 2025 SmileStory Inc. / WIA