Using Rapid Vulnerability Detection

This page explains how to view and manage findings for Rapid Vulnerability Detection, a built-in service for Security Command Center Premium that finds critical vulnerabilities in your App Engine applications and Compute Engine virtual machines.

Overview

Rapid Vulnerability Detection performs active scans of public endpoints. It detects vulnerabilities that have a high likelihood of being exploited, including weak credentials, incomplete software installations, and other known critical vulnerabilities. Findings are written to Security Command Center. To learn more, see Rapid Vulnerability Detection overview.

Resource usage

Generally, the greater the number of endpoints in a VM, and the more services that are hosted by the VM, the greater the number of scans that Rapid Vulnerability Detection must perform, because each endpoint and application requires a separate scan.

Because networking traffic during Rapid Vulnerability Detection scans is billed as egress traffic, these scans might incur additional costs.

Consider a project or an organization whose scan targets are all within North American regions. If a single scan uses an estimated 200 KB of egress traffic and 100,000 scans are run monthly, total traffic would be 20 GB.

For more information about potential costs that are associated with the resource usage by scan targets, see Security Command Center pricing.

Before you begin

You need adequate Identity and Access Management (IAM) roles to view or edit findings, and modify Google Cloud resources. If you encounter access errors in Security Command Center, ask your administrator for assistance and see Access control to learn about roles.

Enabling Rapid Vulnerability Detection

When you enable Rapid Vulnerability Detection on an organization, folder, or project, Rapid Vulnerability Detection automatically scans all supported resources in that organization, folder, or project.

To enable Rapid Vulnerability Detection, follow these steps:

Console

In the Google Cloud console, you enable Rapid Vulnerability Detection on the Services page. You can enable Rapid Vulnerability Detection for specific projects.

API

To enable Rapid Vulnerability Detection for an organization, folder or project, send a PATCH request:

curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -H "X-Goog-User-Project: X_GOOG_USER_PROJECT" \
  https://securitycenter.googleapis.com/v1beta2/RESOURCE/RESOURCE_ID/rapidVulnerabilityDetectionSettings \
  -d '{"serviceEnablementState": "ENABLED"}'

Replace the following:

  • X_GOOG_USER_PROJECT: the project to bill for access charges associated with Rapid Vulnerability Detection scans.
  • RESOURCE: the type of resource to be scanned. Valid values are organizations, folders, or projects.
  • RESOURCE_ID: the identifier of the resource to be scanned. For organizations and folders, enter the organization or folder number. For projects, enter the project ID.

The scans start automatically within 24 hours or so after you first enable Rapid Vulnerability Detection. After the first scan, Rapid Vulnerability Detection runs managed scans weekly.

To test Rapid Vulnerability Detection, you can set up test resources. To include test resources in the first Rapid Vulnerability Detection scan, create the resources in the project before the project is added to the Rapid Vulnerability Detection scan list.

For more information about how to enable built-in services like Rapid Vulnerability Detection, see configuring Security Command Center resources.

Scan latency and interval

After Rapid Vulnerability Detection is enabled for a project, there might be a delay of up to 24 hours before the first scan starts and findings appear in Security Command Center.

Rapid Vulnerability Detection performs subsequent scans weekly from the date of the first scan. If new resources are added to projects in between scans, Rapid Vulnerability Detection will not scan the resources until the next weekly scan.

Testing Rapid Vulnerability Detection

To confirm that Rapid Vulnerability Detection is working, you can use the open source testbed for the Tsunami Security Scanner that is available on GitHub to generate findings for vulnerabilities such as a weak password or a path traversal and disclosure vulnerability. For more information, see google/tsunami-security-scanner-testbed.

Reviewing findings

Rapid Vulnerability Detection's managed scan feature automatically configures and schedules scans for each of your in-scope projects.

Findings contain detected vulnerabilities and information about affected projects. Vulnerabilities are reported for projects, not specific scan targets (endpoints and application software) or VMs contained within projects.

You can view findings in the Google Cloud console or by using Security Command Center API.

Reviewing findings in Security Command Center

To review Rapid Vulnerability Detection findings in Security Command Center, follow these steps:

  1. Go to the Findings page in the Google Cloud console.

  2. Under Quick filters, scroll down to Source display name and click Rapid Vulnerability Detection. The Finding query results update to show only findings that were produced by Rapid Vulnerability Detection.

  3. To view the details of a specific finding, click the finding name under Category. The finding details panel opens.

    • To view a summary of the finding details, which is the default view, under the finding name, click Summary.
    • To view the full details of the finding, under the finding name, click JSON.

Displaying all findings for a port or IP address

A scan target might serve multiple web applications on the same port. Rapid Vulnerability Detection identifies and scans all known applications served on a port and might generate multiple findings for individual ports and IP addresses.

To display all findings associated with a given IP address in a scan, do the following:

  1. Go to the Findings page in the Google Cloud console:

  2. Click Edit query. The following default query is displayed in the query editor:

    state="ACTIVE"
    AND NOT mute="MUTED"
    
  3. Click Add filter. The Select filter panel opens.

  4. In the left column, scroll down and select Connections. The column on the right is updated to show connection properties.

  5. In the right column, select the type of property that you want to add to the filter. A new column opens to show all of the properties of that type that are contained in the available findings.

  6. From the displayed properties, select one or more destination or source IP addresses or ports to add your query.

  7. Click Apply. The query in the Query editor panel is updated to include the IP address, as shown in the following example:

      state="ACTIVE"
      AND NOT mute="MUTED"
      AND parent_display_name="Rapid Vulnerability Detection"
      AND contains(connections, source_ip="203.0.113.1")
    
  8. Click APPLY.

    All Rapid Vulnerability Detection findings with that IP address are displayed in the Findings query results.

To review findings using Security Command Center API, see Listing security findings using the Security Command Center API.

To view a complete list of Rapid Vulnerability Detection findings and suggested remediation steps, see Rapid Vulnerability Detection findings and remediations.
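The console steps above build a filter that narrows findings to one IP address. As an added example (not from this documentation or from the product), the following Python builds the same filter string for use with the Findings API and groups findings that the API has already returned by scanned endpoint. It assumes finding JSON uses camelCase field names (parentDisplayName, connections[].sourceIp, destinationIp, destinationPort), and the sample findings and category names are constructed.

```python
"""Group Rapid Vulnerability Detection findings by scanned endpoint.

Added example, not part of the Security Command Center documentation. It
assumes findings were already listed through the API and that the finding
JSON uses camelCase field names (parentDisplayName, connections[].sourceIp,
destinationIp, destinationPort), mirroring the snake_case filter attributes
shown in the console."""
from collections import defaultdict

RVD_SOURCE = "Rapid Vulnerability Detection"

def rvd_filter(source_ip=None, destination_port=None):
    """Build the Findings query from this page, optionally narrowed to one
    source IP and/or one destination port (one contains() clause each)."""
    clauses = ['state="ACTIVE"', 'NOT mute="MUTED"',
               f'parent_display_name="{RVD_SOURCE}"']
    if source_ip is not None:
        clauses.append(f'contains(connections, source_ip="{source_ip}")')
    if destination_port is not None:
        clauses.append(f'contains(connections, destination_port={int(destination_port)})')
    return " AND ".join(clauses)

def group_by_endpoint(findings, ip_field="destinationIp", port_field="destinationPort"):
    """Return {(ip, port): sorted categories} for active, unmuted RVD findings.
    Pass ip_field="sourceIp", port_field="sourcePort" to group by the other side."""
    groups = defaultdict(set)
    for finding in findings:
        if finding.get("parentDisplayName") != RVD_SOURCE:
            continue  # produced by another source, e.g. Web Security Scanner
        if finding.get("state") != "ACTIVE" or finding.get("mute") == "MUTED":
            continue  # same conditions as the console's default query
        for conn in finding.get("connections", []):
            groups[(conn.get(ip_field), conn.get(port_field))].add(finding["category"])
    return {endpoint: sorted(cats) for endpoint, cats in groups.items()}

# Constructed sample findings (RFC 5737 documentation addresses, made-up categories).
SAMPLE_FINDINGS = [
    {"category": "EXAMPLE_WEAK_CREDENTIALS", "state": "ACTIVE", "mute": "UNMUTED",
     "parentDisplayName": RVD_SOURCE,
     "connections": [{"sourceIp": "203.0.113.1", "destinationIp": "198.51.100.7",
                      "destinationPort": 22, "protocol": "TCP"}]},
    {"category": "EXAMPLE_PATH_TRAVERSAL", "state": "ACTIVE", "mute": "UNMUTED",
     "parentDisplayName": RVD_SOURCE,
     "connections": [{"sourceIp": "203.0.113.1", "destinationIp": "198.51.100.7",
                      "destinationPort": 8080, "protocol": "TCP"}]},
    {"category": "EXAMPLE_MUTED_FINDING", "state": "ACTIVE", "mute": "MUTED",
     "parentDisplayName": RVD_SOURCE,
     "connections": [{"sourceIp": "203.0.113.1", "destinationIp": "198.51.100.7",
                      "destinationPort": 8080, "protocol": "TCP"}]},
    {"category": "EXAMPLE_XSS", "state": "ACTIVE", "mute": "UNMUTED",
     "parentDisplayName": "Web Security Scanner", "connections": []},
]
```

Pass the string returned by rvd_filter as the filter parameter when listing findings through the API, then feed the returned findings to group_by_endpoint.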

Filtering findings in the Google Cloud console

A large organization might have many vulnerability findings across its deployment to review, triage, and track. By using filters that are available on the Security Command Center Vulnerabilities and Findings pages in the Google Cloud console, you can focus on the highest severity vulnerabilities across your organization, and review vulnerabilities by asset type, project, and more.

For more information about filtering vulnerability findings, see Filter vulnerability findings in Security Command Center.

Mute findings

To control the volume of findings in Security Command Center, you can manually or programmatically mute individual findings or create mute rules that automatically mute current and future findings based on filters you define.

Muted findings are hidden and silenced, but continue to be logged for audit and compliance purposes. You can view muted findings or unmute them at any time. To learn more, see Mute findings in Security Command Center.

Disabling scans

When you disable Rapid Vulnerability Detection on an organization or a project, the service stops scanning all supported resources in that organization or project.

To disable Rapid Vulnerability Detection, follow these steps:

Console

In the Google Cloud console, you disable Rapid Vulnerability Detection on the Services page. If Security Command Center is activated at the organization level, you can disable Rapid Vulnerability Detection for the entire organization or for specific projects.

For more information about how to disable built-in services like Rapid Vulnerability Detection, see configuring Security Command Center resources.

API

To disable Rapid Vulnerability Detection on your organization or project, send a PATCH request:

curl -X PATCH -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "Content-Type: application/json; charset=utf-8" \
  -H "X-Goog-User-Project: X_GOOG_USER_PROJECT" \
  https://securitycenter.googleapis.com/v1beta2/RESOURCE/RESOURCE_ID/rapidVulnerabilityDetectionSettings \
  -d '{"serviceEnablementState": "DISABLED"}'

Replace the following:

  • X_GOOG_USER_PROJECT: the project being billed for access charges associated with Rapid Vulnerability Detection scans.
  • RESOURCE: the type of resource that you want to stop scanning. Valid values are organizations, folders, or projects.
  • RESOURCE_ID: the identifier of the resource to stop scanning. For organizations and folders, enter the organization or folder number. For projects, enter the project ID.
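The enable and disable procedures above are the same PATCH request with a different serviceEnablementState. As an added example (not Google's own code), the following Python wraps that request so it can be applied to many resources idempotently: it validates the resource type and state before sending, reads the current setting first, and patches only when the value differs. It assumes that a GET on the same rapidVulnerabilityDetectionSettings path returns the current serviceEnablementState, and that the access token comes from gcloud auth print-access-token or another OAuth 2.0 credential.

```python
"""Idempotently enable or disable Rapid Vulnerability Detection.

Added example, not Google's own code. It wraps the PATCH request shown on
this page and assumes a GET on the same ...Settings path returns the current
serviceEnablementState. The token comes from
`gcloud auth print-access-token` (or any OAuth 2.0 access token)."""
import json
import urllib.request

BASE = "https://securitycenter.googleapis.com/v1beta2"
VALID_RESOURCES = ("organizations", "folders", "projects")
VALID_STATES = ("ENABLED", "DISABLED")

def settings_url(resource, resource_id):
    """Build the rapidVulnerabilityDetectionSettings URL; reject unknown types
    before any request is made (a typo would otherwise hit the API)."""
    if resource not in VALID_RESOURCES:
        raise ValueError(f"resource must be one of {VALID_RESOURCES}, got {resource!r}")
    return f"{BASE}/{resource}/{resource_id}/rapidVulnerabilityDetectionSettings"

def build_request(method, resource, resource_id, token, billing_project, state=None):
    """Return (method, url, headers, body) matching the curl command on this page.
    billing_project fills X-Goog-User-Project; state is only sent on PATCH."""
    headers = {"Authorization": f"Bearer {token}",  # no literal quotes around the token
               "Content-Type": "application/json; charset=utf-8",
               "X-Goog-User-Project": billing_project}
    body = None
    if state is not None:
        if state not in VALID_STATES:
            raise ValueError(f"state must be one of {VALID_STATES}, got {state!r}")
        body = json.dumps({"serviceEnablementState": state}).encode("utf-8")
    return method, settings_url(resource, resource_id), headers, body

def urllib_transport(method, url, headers, body):
    """Send the request and decode the JSON response (swappable for tests)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def set_enablement(resource, resource_id, state, token, billing_project,
                   transport=urllib_transport):
    """GET the current setting and PATCH only if it differs.
    Returns (changed, resulting serviceEnablementState)."""
    current = transport(*build_request("GET", resource, resource_id, token, billing_project))
    if current.get("serviceEnablementState") == state:
        return False, state
    updated = transport(*build_request("PATCH", resource, resource_id, token,
                                       billing_project, state))
    return True, updated.get("serviceEnablementState")
```

Loop set_enablement over a list of project IDs to roll the setting out across a fleet; the returned flag tells you which projects actually changed.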

What's next