Exploit details in the risk calculator

Bla_ena
Tera Contributor

Hi,

1) Does integrating Shodan with ServiceNow VR have any added value if we're integrating Qualys, which already provides the exploit information (Exploit exists, Skill level and Attack vector)?

2) The Default risk calculator in ServiceNow is using the Vul Severity (in our case the Qualys severity) and the exploit details to calculate the risk score. Again, does it have any added value to give the exploit details any weight if Qualys already incorporated those details in its severity? (One advantage would be an option to increase the weight of a specific exploit detail even more than Qualys did. But apart from that?)

Thank you.

1 ACCEPTED SOLUTION

Chris McDevitt
ServiceNow Employee

Bla,

(1) Yes. As a matter of fact, you can implement Shodan in Qualys to enhance your results:

https://qualysguard.qg2.apps.qualys.com/am/csamHelp/inventory/sensors/shodan.htm#:~:text=If%20you're....

Shodan brings additional intelligence to bear.

Please note that Shodan is NOT free:

https://account.shodan.io/billing

The "free" version is limited and not useful for production applications.

(2) You are correct; you can choose to increase/decrease the Risk over what Qualys thinks it is. But that seems superfluous. It is better to use the Calculator to add variables that Qualys does not already know about to adjust the Risk. (i.e. CI attributes or 3rd party tools like Shodan)