Resilient Cyber podcast: Modernizing vulnerability management with open source

Transcript

Chris Hughes

We chatted a little bit, honestly, ahead of RSA several times now at RSA, randomly bumped into you, I think after you guys won, shortly after you won, I think. I've been wanting to get you on here, wanting to chat for a while. I've been watching what you guys are doing. And as you know, vulnerability management is near and dear to my heart too. But for folks that don't know you, don't know the Project Discovery team, can you tell us a bit about your background and what the team's up to too?

Andy Cao

Yeah, we are an open source powered solution and we're solving vulnerability management. Most folks in security know vulnerability scanning is broken. We're using scanners built 20 years ago, the likes of Qualys and Tenable, and they just haven't evolved to detect today's threats. And, you know, they're still relying on primitive signatures, version-based detections. And meanwhile, you know, security teams are missing real threats. So.

We offer a modern open source powered solution that accurately detects exploitable vulnerabilities and automates the core parts of vulnerability management. And that all starts with nuclei, a scanner that we built that is one of the most popular open source tools in security today. And we can dive in a little bit more about what makes nuclei so special, but we have our open source tool nuclei, and then we have a cloud solution around it that makes it easy for enterprises to basically use nuclei for their vulnerability management program.

Chris Hughes

Yeah, we'll definitely dive into some specifics there in a moment, both on the vulnerability management side, as well as like the open source angle, which, you know, makes you guys a little bit different too, I think, than many commercial, you know, companies. But, you know, as we said, we bump into each other, you guys are fresh off your win at the RSA Innovation Sandbox. For folks that don't know, it's essentially an event at one of the largest cybersecurity conferences, RSA Conference, where these innovative startups come up, they give a pitch. It's like a time-boxed pitch. I can't remember if it's three minutes or five minutes, but it's, you know,

I imagine it's a pretty high-stress situation. You're coming in there, you're getting things polished up. You know, first off, tell us a little bit about the experience and then how it's been coming out of that, what the response from the community has been.

Andy Cao

The experience has been incredible. I mean, I just think it's the biggest stage for security innovation. And the folks at RSA really deserve a ton of credit for putting on such a professional production. I mean, it is impressive from day one when we were selected as one of the top 10 finalists, the schedules, the check-ins, the rehearsals, and then the day of, you know, getting mic'd up, and they have this whole like backstage area where they have all these professionals doing the sound and the lights. And you add on that the time and the schedule, there's really nothing else Monday morning. I mean, this is the event when you first show up at RSA, you're going to the Innovation Sandbox and there are thousands of people in the audience, right? And so I first just think that the RSA team deserves a ton of credit for creating such a well produced event that people enjoy watching. It's three minutes of a presentation. It's three minutes of Q&A. So you're not getting bogged down in long 20 minute prezos. Like you really got to hit it and you got to hit it well. They just do such a good job. So we're thrilled to have just even been in the top 10. And I think the story, the problem we're solving, the open source traction, all of that just really resonated. I think it was kind of an inspiring story for people to get behind and obviously a very big problem that we're solving. But we're just, we're thrilled with kind of the response. We've had, we're on a call with a customer in Australia and they're like, yeah, we heard about the win. I mean, this is truly a global kind of awareness opportunity and yeah, we've just been super lucky.

Chris Hughes

Yeah, it's an amazing opportunity and amazing outlet, as you said. And historically, like, you know, people have done some analysis on companies that go on the Innovation Sandbox, both those that win as well as those that are in the top 10, you know, selected, and those companies tend to do great. And you open your pitch with, you know, a broad state, a bold statement, I should say, similar to how you open up the conversation here, that vulnerability scanning is broken.

Um, you know, before we dive into some of the specifics around vulnerability management, you know, exploitation, et cetera, like, why do you make that statement and what the hell's so bad with it?

Andy Cao

Hey, yeah, I mean, well, first off, anyone who works in security knows this very, very well. But for those who don't, I mean, if you just take a look at the CVE database, I mean, just last year, there were tens of thousands of CVEs. Today in the library, there's hundreds of thousands. And, you know, even just earlier this year, there's a whole kind of news around potentially us losing the database that supports our ability to track the CVEs. So

I mean, this is a really complex jungle of tons of vulnerabilities. And as you know, you know, only a small percentage of all of these vulnerabilities are actually exploitable. And when you talk to a lot of these large enterprises, it's not just, okay, we run a scanner, we get the results and we can take our time. I mean, these companies have customers that agree to SLAs around if you get a critical, if you get a high, here are the number of days that you have to remediate this. I mean, security teams are put under a very high stress situation because of the commitments that their companies have made, but the underlying tools that they're using to detect the things that they have committed to solve are not giving them actionable results.

And so this is obviously such a big, big pain point, if you can imagine, especially for the larger companies that are not dealing with tens or hundreds of vulnerabilities, but we're talking thousands, not tens of thousands of results. And that's just a sheer magnitude that you cannot solve with a better prioritization engine or with just more people on the team. You got to start with good data of like, what is actually exploitable. So hopefully that's a good start and happy to dive in more with some examples, but that's kind of how we see the world.

Chris Hughes

Yeah, it's a great way to frame it. As you said, you know, tens of thousands of CVEs last year alone. There's obviously issues with the NVD and CVE itself. Um, you know, there's the reality that, you know, less than 5% of all CVEs in a given year are ever exploited. You know, the base severity scores of CVSS are problematic. Like the list is long. We can go on and on with some of the challenges. Um, and you know, you also talked about, you know, how you guys, like a core part of what you do is nuclei, you know, a widely used open source vulnerability scanning tool. Um, you know, and it's used, I think, by hundreds of thousands of people, if I'm not mistaken, it's widely, widely used. How does the intersection of, you know, this open source, uh, you know, kind of foundation that you guys have, you know, play into your commercialization, your business approach? Because there's others who have done it, you know, Semgrep, um, HashiCorp, for example, right. Um, but I know people always have unique perspectives on like, you know, how you commercialize open source or like some fears around licensing and like, you know, so how have you guys approached that while you can lean into the benefit of the community, but also appease, you know, some of those concerns?

Andy Cao

Yeah, well, first, we're really building separate products with different value props for different people. And so let's maybe start with nuclei, the open source scanner. Nuclei is a command line tool that has this global community behind it. And it's used by pretty much everyone today. It's not only just security teams, but pen testers, red teams, bug bounty hunters, researchers.

You know, the list goes on and I think one of the great things about nuclei is just how customizable it is. And it is very modular. It's very transparent with the template architecture. People can write their own templates. But this still is at the end of the day, an open source tool. And if you are the head of a vulnerability management program at a Fortune 500 company,

There's a lot you need to do to take an open source tool and actually rely on it as an enterprise grade solution for your vulnerability management program. And that's really where our commercial or SaaS platform comes in. Most of our company customers actually have started with open source and many of them have struggled to scale nuclei to the needs of their enterprise.

We have a great joint blog post with Elastic, one of our great customers who started with the open source and threw nuclei into a dev box and actually tried to scale it with a little bit of Kubernetes and kind of, you know, having multiple workers spin up. But one, still struggled with getting it to run at the speed they needed. And two, just took a lot of time. And by working with our cloud solution, they got up and running in minutes and they started scanning their entire infrastructure in five, 10 minutes, not the three to four days. And that really changes how you build your security program. You know, they told us how before, when scans took three to four days, when you have an emerging threat that drops like Next.js or one of these new zero days, and it takes you three to four days to get an answer or visibility, in that time you have to go to incident response and you got to create an issue.

You've got to start a lot of other workflows. If you get results in minutes, you can immediately say, okay, am I exposed or am I not? And if I'm not, I don't have to trigger all of these other workflows and collaborate with these other teams. All of a sudden you get that instant visibility. And then on top of that, we add a ton of automations and an asset inventory. In today's day and age, it's not as simple as taking a Tenable, dropping it into your internal network,

running that scan and then boom, you've got results. You're good. You know, everyone's in the cloud. We've got internal attack surfaces, external attack surfaces. And you know, these traditional scanners just aren't picking stuff up because sometimes they're just not actually detecting the assets where these exploitable vulnerabilities actually exist. So we build cloud integration so you can connect your AWS or GCP. And we're pulling in all of the external facing hosts live every single day.

We're doing reconnaissance, subdomain enumeration and port scanning and all of that on a daily basis as well. So you get that unified kind of asset inventory of what to scan. And then we automate a ton of stuff for you. So you get a result and you want to test it real quick. We offer the instant retest capability. If you want to generate a JIRA ticket, we can help create that ticket for you.

And then if one of your engineers closes that issue out, we can help do an automatic retest to validate that it's been fixed and we'll do regression automation. So there's a lot of other stuff. And so you can really think of our cloud solution as being the enterprise ready turnkey vulnerability management product and nuclei is like that engine for the accurate detections.

Chris Hughes

Yeah, I like how you enumerated, and using your own word enumerated, you know, kind of the benefits back to us here, as anyone who works in this space knows, like scanning is part of it, but there's ticketing, there's reporting, there's finding what's actually exploited, you know, asset inventory, like it's literally a CIS critical control and has been forever. Number one and two, hardware, software asset inventory. You can't scan, protect, remediate, et cetera, if you don't even know what you have. All these are problems. And then also, you know, open source is great for sure.

But now you need to manage it, maintain it, host it. Like as you said, if you can lean into an enterprise offering and have that done for you, and just focus on your core competencies, as well as like going out and tackling things that matter, I mean, that's the value proposition in my mind. I've worked in a lot of different enterprises doing vuln management. On the flip side of that, you do have the powerful benefits of the open source community with nuclei. And you and I chatted a little bit about this in terms of rules and things like that, detections.

You talked about, an exploited zero day drops or whatever the case is, how quickly the community rallies to kind of put rules out there for people to lean into. Can you talk about that a bit as well?

Andy Cao

Yeah, absolutely. And if you go back to the early days of security, it was a community effort. And I think we've in some ways moved away a little bit from that and gone to more commercial efforts. But I think the security industry is ready for another community approach to solving a very big problem. And there's so many benefits of having a global community behind this effort. And you mentioned one of them, which is the speed of the detections. And we often see a contribution from our community within hours of a CVE or exploit becoming publicly available. But also the breadth of coverage. In the RSA pitch, I talk about how a few months ago, a researcher exposed over a million lines of sensitive data from DeepSeek. But the researcher used nuclei to find a misconfigured database. And that's not a CVE. So while we have all these very big vulnerability management programs built around CVEs, the reality is there's a lot of misconfigurations and other security risks that these traditional scanners haven't evolved to also detect.

When you have a global community, they're contributing things like, hey, I've got an exposed panel for Grafana out there. I've got a default login for a database or I've got exposed secrets on a page. Again, these are all non-CVE issues, but they are real security risks. So that coverage is also so, so valuable to get from a global community. And then of course, it's the instant feedback, right? I mean, if you go to our nuclei templates discussion page or our issues page, we have people saying, hey, here's something we can do to make this template better. I ran this and I think that we should add that. And the Next.js vulnerability that we kind of talk about as an example, that one was a collaborative effort between our internal team and our community. And so it's just really beautiful to see kind of the community coming together and helping with this broad effort. And one of our customers actually said, it's reassuring for them working with a commercial solution that has this community because the way they put it was, when you work with Project Discovery, you work with some of the smartest hackers in the world. And I think that really sums it up well.

Chris Hughes

Yeah, it really lets you lean into the community. Like there's that saying, you know, uh, I can't remember if it's Linus Torvalds or whoever said it, but under enough eyeballs, all bugs are shallow. Well, it kind of speaks to this community effort. Like it's impractical for one organization, like just say, you know, the company I work at or whatever, to have a detection for every single new vulnerability coming out quickly after it emerges, or have a robust database of, you know, hundreds of thousands of templates and maintain that and scale it. But when we talk about an international community of researchers, practitioners, like that's a powerful force to be reckoned with.

And also you don't have to rely on the vendor, right? To do all that, because it could be challenging for a vendor to do that at scale all the time and in a nonstop capacity too. Uh, but one thing you and I talked about is, you know, of course in the space right now, there's a lot of excitement around AI, right? Both using, uh, AI for security and securing AI itself. And one thing I think you mentioned is that you guys have been kind of experimenting and testing and even using, uh, LLMs to help kind of generate detections and rules and things like that for nuclei. Can you talk a little bit about that too?

Andy Cao

Yeah, I mean, first of all, what an exciting time we live in with AI and just the potential there is and the current benefits that we're all getting. So we're super pumped here. But we take a lot of inspiration from the AI tools that have succeeded in dev and infra for engineers. And I think one thing that we feel very strongly about is security teams don't need another black box. And we do see a lot of AI tools out there that say

We'll automatically remediate this for you. We'll automatically do that for you. And when you want to double click, you know, how did they get there or what's going on behind the scenes? And there's nothing kind of that you can really rely on. It can be very frustrating. And I think that's part of the reason why some of the traditional scanners have been so difficult, because they are black boxes too. And so I think what we're trying to build is something that is empowering for security engineers.

And that's where the beauty of the nuclei templates comes in. With LLMs, we're helping security teams generate custom nuclei templates for any of their risks. But the output is something that they can see, they can touch, and they can modify. The same way that when you use Cursor and you tell it to build a website, you not only get a website, you get all the code behind it that you can then modify and obviously update. So that's the inspiration that we have, it's really around empowering security engineers.

And what do they need the most help with? Well, when you go to a tree, like a company's vulnerability management dashboard view, right? You have not just vulnerabilities from a scanner. It's all of their vulnerability issues, but it's still just a row on a spreadsheet. It's a line on this dashboard. And what we're trying to do is we're trying to attach a nuclei template to every security issue because ultimately

all a template is, it's just automating the steps that a researcher or security engineer would be doing anyway to validate if a vulnerability is exploitable. So what we're doing is we're helping security teams take all the context, it could be information from a pen test report, an internal red team finding or a bug bounty report. And we're turning that into a nuclei template for you. And once you have this nuclei template, all of a sudden you've unlocked a ton of potential for automation.

You can immediately run that template to see if that vulnerability is currently exploited. This would have taken a couple of minutes as a security engineer to find that page and to create the request and to then look at the response. Right, today with the nuclei template, you can do that automatically. Well, what's next? Well, then when you want to verify a fix, you can then run this nuclei template and then you can start running regression checks. So.

Hey, I wanna check that this issue that we fixed last month doesn't make it into production. So you can put it into your development pipelines. So it really unlocks a ton of automation that we think is gonna really be very, very valuable for security teams.

Chris Hughes

Yeah, I agree with you. I think, you know, part of this rule writing challenge, again, especially if you don't have the community aspect that you can lean into, has been just it takes time and like each rule is unique, but being able to generate these rules and detections with LLMs can really accelerate that. And I love the aspect of moving beyond just like a CVE identifier, looking at pen test reports, bug bounties, you know, things like that that are unique to your environment, right? That have been found. And then of course the regression testing piece, because

many of us know that you may fix something and then it kind of becomes a problem again. You never go back and look. You find out later, wait, it's back again. And hopefully you find it before someone else does and does something with it. But that's another key aspect as well. So you guys have a heck of a lot of momentum, right? You already had this big community usage coming into this, a lot of great work being done. And now coming out of the past week, you have the RSA Innovation Sandbox win. What's next for you all, the team at Project Discovery? Where can people learn more? Where should they be keeping an eye out?

Andy Cao

Yeah, I mean, first of all, it's what an exciting time we're in because vulnerability management is a problem that I think we've been having for years. And for better or for worse, you know, security leaders aren't waking up in 2025 saying, this is the year that we're going to solve vulnerability management. 'Cause a lot of people aren't aware that there is a better solution out there. And I think what's been really great about this RSA win is it's getting the awareness out there that yes,

you can move on from the scanners that have been built 20 plus years ago, these expensive, clunky and black box solutions. There's a modern alternative that exists. And everyone that we've spoken to, often in our sales qualification pitches, we start off with, are you happy with your scanner? And the overall answer to that is no. So we're super pumped just to get the awareness out there. I think everyone who hears our approach to the solution, the problem we're solving, people get really excited and want to learn more. And the greatest thing is you can go on our website today, projectdiscovery.io, and you can get started for free.

If you sign up with your business email, we'll give you a free monthly scan of all of the assets that fall under your apex email domain. So if you sign up with bankofamerica.com, we'll give you a free monthly scan of everything under bankofamerica.com. And it's such a great way to just see the value without having to do a POC or put down a credit card. And then of course we have a sales team that's really pumped to talk to you. If you wanna learn more, we can schedule a demo, provide a POC. So you can go to our website, projectdiscovery.io, to learn more, to get started. And we're super excited to meet you and help you solve some of your vulnerability management problems.

Chris Hughes

Awesome. Well, thank you so much for coming on. It's always great to chat with someone who's as excited as I am about vulnerability management, because many people dread this space because of the problems we talked about, the legacy tools, legacy methodologies. So Andy, it's been a great conversation, man. I'm excited to see what you guys keep doing and I'll be keeping an eye on it. Thanks so much for coming on.

Andy Cao

Thanks for having me, Chris.