vulnerability-assessor

This skill provides deep analysis of security vulnerabilities, evaluating exploitability, assessing business impact, calculating risk scores, and providing detailed remediation strategies.

• After security scanning identifies vulnerabilities
• Need to prioritize security findings
• Assessing exploitability of vulnerabilities
• Calculating CVSS scores
• Creating remediation roadmaps
• Risk assessment for security issues

1. Vulnerability Classification

Categorize by Type:

Injection Vulnerabilities:

• SQL Injection (SQLi)
• Command Injection
• Code Injection
• LDAP Injection
• XPath Injection
• NoSQL Injection
• OS Command Injection

Broken Authentication:

• Weak password policies
• Session fixation
• Credential stuffing vulnerabilities
• Insecure authentication tokens
• Missing MFA

Sensitive Data Exposure:

• Unencrypted data in transit
• Unencrypted data at rest
• Exposed credentials
• PII leakage
• API keys in code

XML External Entities (XXE):

• XML parsing vulnerabilities
• External entity injection
• DTD injection

Broken Access Control:

• Insecure direct object references (IDOR)
• Missing authorization checks
• Privilege escalation
• CORS misconfiguration

Security Misconfiguration:

• Default credentials
• Unnecessary features enabled
• Error messages leaking information
• Missing security headers

Cross-Site Scripting (XSS):

• Reflected XSS
• Stored XSS
• DOM-based XSS

Insecure Deserialization:

• Pickle in Python
• Unsafe YAML loading
• JSON deserialization issues

Using Components with Known Vulnerabilities:

• Outdated dependencies
• Unpatched libraries
• Known CVEs

Insufficient Logging & Monitoring:

• Missing security event logging
• No alerting on suspicious activity
• Inadequate audit trails

Deliverable: Categorized vulnerability list

---

2. Exploitability Assessment

Evaluate Ease of Exploitation:

Easy (High Exploitability):

• Publicly available exploits
• No authentication required
• Automated tools can exploit
• Simple proof of concept
• Wide attack surface

Medium Exploitability:

• Requires some technical knowledge
• Authentication needed but weak
• Manual exploitation required
• Specific conditions must be met
• Limited attack surface

Hard (Low Exploitability):

• Deep technical expertise required
• Strong authentication needed
• Complex exploitation chain
• Rare conditions required
• Very limited attack surface

Assessment Criteria:

• Attack vector (Network, Adjacent, Local, Physical)
• Attack complexity (Low, High)
• Privileges required (None, Low, High)
• User interaction (None, Required)
• Available exploit code
• Known exploitation in the wild

Deliverable: Exploitability rating for each vulnerability

---

3. Impact Analysis

Assess Business Impact:

Confidentiality Impact:

• None: No information disclosure
• Low: Minimal sensitive data exposed
• High: Significant sensitive data exposed (PII, credentials, business secrets)

Integrity Impact:

• None: No data modification
• Low: Limited data modification
• High: Significant data can be modified/deleted

Availability Impact:

• None: No service disruption
• Low: Minimal performance degradation
• High: Service can be completely disrupted (DoS)

Business Impact Examples:

Critical Business Impact:

• Customer data breach
• Financial fraud
• Regulatory compliance violation
• Brand reputation damage
• Complete service outage

High Business Impact:

• Internal data exposure
• Service degradation
• Limited compliance issues
• Moderate reputation risk

Medium Business Impact:

• Information disclosure (non-sensitive)
• Temporary service issues
• Minor compliance concerns

Low Business Impact:

• Minimal data exposure
• No service impact
• Best practice violations

Deliverable: Impact assessment for each vulnerability

---

4. CVSS Scoring

Calculate CVSS v3.1 Score:

Base Metrics:

1. Attack Vector (AV):

- Network (N): 0.85

- Adjacent (A): 0.62

- Local (L): 0.55

- Physical (P): 0.2

1. Attack Complexity (AC):

- Low (L): 0.77

- High (H): 0.44

1. Privileges Required (PR):

- None (N): 0.85

- Low (L): 0.62 (0.68 if scope changed)

- High (H): 0.27 (0.50 if scope changed)

1. User Interaction (UI):

- None (N): 0.85

- Required (R): 0.62

1. Scope (S):

- Unchanged (U)

- Changed (C)

1. Confidentiality Impact (C):

- None (N): 0.0

- Low (L): 0.22

- High (H): 0.56

1. Integrity Impact (I):

- None (N): 0.0

- Low (L): 0.22

- High (H): 0.56

1. Availability Impact (A):

- None (N): 0.0

- Low (L): 0.22

- High (H): 0.56

CVSS Score Ranges:

• 0.0: None
• 0.1-3.9: Low
• 4.0-6.9: Medium
• 7.0-8.9: High
• 9.0-10.0: Critical

Example CVSS Vector:

```

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Score: 9.8 (Critical)

```

Use CVSS Calculator:

```bash

# If available, use online calculator:

# https://www.first.org/cvss/calculator/3.1

```

Deliverable: CVSS score and vector for each vulnerability

---

5. Risk Prioritization

Risk Matrix:

| Severity | Exploitability | Priority | SLA |

|----------|---------------|----------|-----|

| Critical | Easy | P0 | 24 hours |

| Critical | Medium | P0 | 24 hours |

| Critical | Hard | P1 | 7 days |

| High | Easy | P0 | 24 hours |

| High | Medium | P1 | 7 days |

| High | Hard | P2 | 30 days |

| Medium | Easy | P2 | 30 days |

| Medium | Medium | P2 | 30 days |

| Medium | Hard | P3 | 90 days |

| Low | Any | P3 | 90 days |

Priority Definitions:

• P0: Emergency - Fix immediately
• P1: Urgent - Fix this week
• P2: Important - Fix this month
• P3: Normal - Schedule for next release

Additional Risk Factors:

• Publicly disclosed vulnerability
• Active exploitation in the wild
• Compliance requirements (PCI-DSS, HIPAA, GDPR)
• Customer-facing systems
• Access to sensitive data

Deliverable: Prioritized vulnerability list with SLAs

---

6. Proof of Concept (Safe)

Demonstrate Impact (Safely):

SQL Injection Example:

```

Input: ' OR '1'='1

Expected: Authentication bypass or data exposure

Actual: [observed behavior]

```

XSS Example:

```

Input:

Expected: Script execution

Actual: [observed behavior]

```

Path Traversal Example:

```

Input: ../../etc/passwd

Expected: Access to restricted files

Actual: [observed behavior]

```

IMPORTANT:

• Only demonstrate in test/dev environments
• Never exploit production systems
• Use safe payloads (alert, not actual malicious code)
• Document all testing activity
• Get authorization before testing

Deliverable: Safe proof of concept for high-priority vulnerabilities

---

7. Remediation Strategies

Provide Fix Recommendations:

SQL Injection:

```python

# VULNERABLE

cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")

# SECURE

cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))

```

Command Injection:

```python

# VULNERABLE

os.system(f"ping {user_input}")

# SECURE

import subprocess

subprocess.run(["ping", "-c", "1", user_input], check=True)

```

XSS:

```javascript

// VULNERABLE

element.innerHTML = userInput;

// SECURE

element.textContent = userInput;

// Or use DOMPurify for HTML

element.innerHTML = DOMPurify.sanitize(userInput);

```

Weak Cryptography:

```python

# VULNERABLE

import hashlib

hash = hashlib.md5(password.encode()).hexdigest()

# SECURE

from passlib.hash import argon2

hash = argon2.hash(password)

```

Insecure Deserialization:

```python

# VULNERABLE

import pickle

data = pickle.loads(user_data)

# SECURE

import json

data = json.loads(user_data)

```

Path Traversal:

```python

# VULNERABLE

with open(f"/uploads/{filename}", 'r') as f:

content = f.read()

# SECURE

import os

safe_path = os.path.join("/uploads", os.path.basename(filename))

if not safe_path.startswith("/uploads/"):

raise ValueError("Invalid path")

with open(safe_path, 'r') as f:

content = f.read()

```

Remediation Strategy Components:

1. Immediate Fix: Quick patch to mitigate
2. Proper Fix: Correct implementation
3. Verification: How to test the fix
4. Prevention: How to avoid in future
5. Detection: How to catch similar issues

Deliverable: Detailed remediation guide for each vulnerability

---

8. Dependency Vulnerability Assessment

Assess Third-Party Dependencies:

Evaluate CVEs:

```bash

# Get CVE details

curl https://nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2024-XXXXX

# Check fix availability

pip show

pip index versions

```

Assessment Checklist:

• [ ] CVE severity (CVSS score)
• [ ] Affected versions
• [ ] Fixed versions available
• [ ] Upgrade path complexity
• [ ] Breaking changes in fix
• [ ] Workarounds available
• [ ] Exploitation likelihood

Remediation Options:

1. Upgrade: Best option if available
2. Patch: Apply security patch
3. Workaround: Mitigate without upgrade
4. Replace: Use alternative package
5. Accept Risk: Document and monitor (rare)

Example Assessment:

```markdown

CVE-2024-12345 - requests package

Severity: High (CVSS 7.5)

Affected: requests < 2.31.0

Current Version: 2.28.0

Fixed In: 2.31.0

Vulnerability: SSRF via redirect handling

Exploitability: Medium

• Requires attacker to control redirect URLs
• Application must follow redirects

Impact: High

• Can access internal network resources
• Potential data exfiltration

Recommendation: Upgrade to 2.31.0+

Breaking Changes: None

Upgrade Risk: Low

Action: Upgrade immediately (P1)

```

Deliverable: Dependency vulnerability assessment with upgrade plan

---

```markdown

# Vulnerability Assessment Report

Date: [YYYY-MM-DD]

Assessed By: Vulnerability Assessor

Scope: [Application/Component]

Total Vulnerabilities: [count]

• Critical: [count] (P0: [count], P1: [count])
• High: [count] (P0: [count], P1: [count], P2: [count])
• Medium: [count]
• Low: [count]

Immediate Actions Required: [count]

[Vulnerability ID] - [Title]

Category: [OWASP Category]

Severity: [Critical/High/Medium/Low]

CVSS Score: [score] ([vector])

Priority: [P0/P1/P2/P3]

SLA: [timeframe]

Location: [file:line]

Description:

[What is the vulnerability]

Exploitability: [Easy/Medium/Hard]

[Rationale for exploitability rating]

Impact:

• Confidentiality: [None/Low/High]
• Integrity: [None/Low/High]
• Availability: [None/Low/High]
• Business Impact: [description]

Proof of Concept:

```

[Safe PoC]

```

Remediation:

Immediate Mitigation:

[Quick fix to reduce risk]

Proper Fix:

```python

[Code example]

```

Verification:

[How to test fix works]

Prevention:

[How to avoid in future]

References:

• [CWE-XXX]: [link]
• [CVE-YYYY-XXXXX]: [link]
• [Documentation]: [link]

---

P0 - Immediate Action (24h)

1. [Vulnerability 1] - Critical SQL Injection
2. [Vulnerability 2] - Critical Authentication Bypass

P1 - This Week (7d)

1. [Vulnerability 3] - High XSS
2. [Vulnerability 4] - High IDOR

P2 - This Month (30d)

[List]

P3 - Next Release (90d)

[List]

Week 1:

• Fix P0 items 1-2
• Begin P1 items

Week 2:

• Complete P1 items
• Begin P2 items

Month 2-3:

• Address P2 and P3 items
• Implement preventive measures

• Total Risk Reduction: [estimated %]
• Estimated Effort: [hours/days]
• Dependencies: [blocking items]

[Overall assessment and next steps]

```

---

Assessment:

• Use consistent scoring methodology
• Document all assumptions
• Consider environmental factors
• Account for compensating controls
• Review with security team

Prioritization:

• Business context matters
• Exploit availability increases priority
• Compliance requirements elevate risk
• Customer data > internal data
• Authentication/authorization issues are critical

Remediation:

• Fix root cause, not symptoms
• Defense in depth - multiple controls
• Test fixes thoroughly
• Document changes
• Share lessons learned

Communication:

• Be clear and concise
• Avoid fear-mongering
• Provide actionable guidance
• Educate developers
• Track progress

---

Input: Security scan results

Process: Detailed vulnerability analysis and risk assessment

Output: Prioritized remediation roadmap

Next Step: OWASP compliance checking or implementation

---

• Context is key: Same vulnerability has different risk in different contexts
• Exploitability matters: Critical vulnerability that's hard to exploit may be lower priority than high vulnerability that's easy to exploit
• Business impact drives priority: Focus on what matters to the business
• Provide solutions: Don't just identify problems
• Track to closure: Ensure fixes are implemented and verified
• Learn from findings: Use vulnerabilities to improve secure coding practices

Your goal is to provide actionable security intelligence that enables effective risk-based remediation.