
Idea: Add mitigation effort and mitigation priority

Open AndyCyberSec opened this issue 5 years ago • 3 comments

It would be cool to have two lists where the operator can select the effort and the priority to fix the vulnerability. A simple (Low, Medium, High) list for both.

AndyCyberSec, Dec 21 '20 13:12

Would this be for some sort of vulnerability management internally or something you would put into a report for an external client/org?

There has been discussion in another feature request for adding custom fields to findings, which is something we have planned. That could work for recording something like this.

chrismaddalena, Mar 02 '21 21:03

@chrismaddalena has there been any progress on this one? This could be quite useful indeed! If it's just adding 2 fields to the findings model, I could make a PR, but if you are planning to add dynamic fields for findings then I better hold off for now :smile:

fastlorenzo, Feb 20 '23 22:02

@fastlorenzo I am working on dynamic fields for report sections and findings. That could be used to accomplish this. You could also use tags with Ghostwriter v3.2+.

From a reporting standpoint, I'm not a fan of reporting the effort required to fix something. You'll be correct many times, but some simple resolutions are actually tricky. Installing updates is low effort, but not always, like when updating Apache Struts. It's very difficult to report mitigation effort and priority unless you've spoken with the system owner and understand the business impacts of doing the thing.

Therefore, I'm hesitant to add these fields for everyone without careful consideration. I'm not here to enforce a strict reporting approach, but I want Ghostwriter to encourage good reporting techniques. Reporting processes are different for consultants vs. internal teams, so the goal is flexibility.

chrismaddalena, Feb 21 '23 22:02

We included custom fields in v4.1, so I'm marking this as closed 😄

chrismaddalena, Apr 10 '24 21:04