- AUTHOR: The folks at Scrut
Introducing: Vulnerability Management Module in Scrut: Get a comprehensive view of your organization's vulnerabilities
We are excited to announce the release of our new module: Vulnerability Management. This module provides comprehensive visibility across connected applications with severity associated with these vulnerabilities so you can prioritize remediation within the desired SLAs defined for your organization.
What are vulnerabilities?
In the context of Scrut, a vulnerability is a specific finding from a native cloud service provider scanner such as AWS Inspector, or from a static code analyzer such as Snyk SCA or SAST, together with the CVE ID assigned to it by the National Vulnerability Database (NVD), if one has been assigned. Vulnerability findings are the first step in detecting threats to your organization's assets and must therefore be remediated according to the priorities your organization defines.
Supported Applications
Currently, Vulnerabilities support the following applications:
AWS Inspector
Snyk SCA and SAST
GitHub Dependabot
How Vulnerabilities Work
Once you integrate Scrut with a supported application (for Snyk, using the API key and organization ID), Scrut pulls the vulnerabilities that application has detected into the platform on a periodic, automatic schedule. Scrut runs a daily scan of your resources against a set of predefined rules and criteria, which are established to align with industry standards, regulatory requirements, and best practices.
Vulnerabilities View
Once configured, vulnerabilities appear on the Vulnerabilities page, with a CVE ID attached to most entries.
If a CVE is attached, you can group these vulnerabilities by their status: Open, Closed, Ignored, or Risk.
You can also switch to an asset view, sorted in descending order of vulnerability count.
Like the CVE view, the asset view groups findings by asset and shows the number of vulnerabilities affecting each one. An asset name is never missing, because every finding arrives from the scanner with its asset already identified.
Vulnerabilities by status
Vulnerabilities can also be grouped by the following statuses in Scrut:
Open: By default, every vulnerability is "Open" when first scanned. A vulnerability previously marked "Closed" that appears again in a scan is also marked Open.
Fixed/Closed: If the vulnerability is fixed, users can close it manually. If a vulnerability is no longer present (it does not show up in the next scan), it is also marked as Closed.
Ignored: If a vulnerability is marked as Ignored, it is hidden from the main vulnerability view by default.
Risk: The vulnerability has been added to the risk register.
Assigning SLAs to vulnerabilities
Additionally, under Edit SLA, you can assign SLAs to your vulnerabilities that are tailored to your organization.
SLAs (Service Level Agreements) are assigned for each Severity Level. For example:
Critical: 7 days
High: 30 days
Medium: 60 days
Low: 90 days
Info: 120 days
Scrut provides default values, or the organization can define its own SLAs. The 'Edit SLA' button opens a side panel on the right where the values can be edited.
Incident Tracking (JIRA)
The Vulnerability module now offers two-way JIRA integration, enabling you to open a JIRA ticket for each identified vulnerability. You can assign these tickets to the appropriate JIRA tracker, so that tracking and resolution stay in sync between the two systems.
The following screens will allow you to create a JIRA ticket.
Limitations and Known Issues
The module currently supports the sources listed above, with more on the roadmap. As we continue to expand its scope, if you have a particular vulnerability scanner that needs to be integrated with Scrut, please contact us.
Status, severity, and CVE IDs are displayed as reported by the source. Closing a finding in Scrut without remediating it in the source scanner can cause its status to revert to Open in Scrut on the next scan.
A treatment plan from the data source is displayed under the finding, and only if the source provides one.
When multiple sources report conflicting severities for the same vulnerability finding, the higher severity is used.
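As an added example (not Scrut's code), the status lifecycle, per-severity SLA deadlines and higher-severity merge rule described above can be modelled in a few lines; this is useful for checking how your own SLA values behave before configuring them. The `Finding`, `merge_scan` and `reconcile` names, the finding keys, and the choice to leave Ignored and Risk findings untouched when they drop out of a scan are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

DEFAULT_SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 60, "Low": 90, "Info": 120}  # from the post
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass
class Finding:
    key: str          # constructed identifier, e.g. "CVE-XXXX-YYYY@payments-api"
    severity: str
    status: str       # "Open", "Closed", "Ignored" or "Risk"
    first_seen: date

    def sla_due(self, sla_days=DEFAULT_SLA_DAYS) -> date:
        return self.first_seen + timedelta(days=sla_days[self.severity])

    def is_breached(self, today: date, sla_days=DEFAULT_SLA_DAYS) -> bool:
        # Only Open findings can breach; Closed/Ignored/Risk are outside SLA scope.
        return self.status == "Open" and today > self.sla_due(sla_days)


def higher_severity(a: str, b: str) -> str:
    return a if SEVERITY_RANK[a] >= SEVERITY_RANK[b] else b


def merge_scan(rows):
    """Collapse per-source rows (source, key, severity); conflicts keep the higher severity."""
    merged = {}
    for _source, key, sev in rows:
        merged[key] = higher_severity(merged[key], sev) if key in merged else sev
    return merged


def reconcile(previous: dict, rows, today: date) -> dict:
    """Apply one scan to the stored findings (key -> Finding) and return the new state."""
    scan = merge_scan(rows)
    result = {}
    for key, sev in scan.items():
        old = previous.get(key)
        if old is None:                      # new finding: defaults to Open
            result[key] = Finding(key, sev, "Open", today)
        else:                                # still reported: a Closed finding re-opens
            status = "Open" if old.status == "Closed" else old.status
            result[key] = Finding(key, sev, status, old.first_seen)
    for key, old in previous.items():
        if key not in scan:                  # gone from the scan: Open becomes Closed
            status = "Closed" if old.status == "Open" else old.status  # Ignored/Risk kept (assumption)
            result[key] = Finding(key, old.severity, status, old.first_seen)
    return result
```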
If you have any questions or issues, please reach out to your assigned Customer Success Manager. They'll be happy to assist you!