About

SecQua is an open source project written in Python that tries to quantify the security of a given Information System (IS) using a novel security metric.
The data it uses come from the National Vulnerability Database (NVD); for the latest exports you may visit this link.

Dependencies

The project depends on the following open and free projects & libraries:
-Python
-MySQL Server
-SciPy
-NumPy
-matplotlib and
-MySQL-Python

Install

Ubuntu/Debian

Ubuntu users should already have MySQL installed; if not, run:
sudo apt-get install mysql-server
To install Python and the needed libraries, open a terminal and type:
sudo apt-get install python python-mysqldb python-matplotlib python-scipy
Download the latest version and extract it into a folder. Open the file config.ini and edit it according to your MySQL installation: add your name as the author of the report, set the paper size, the type of splines, etc.
To import the database, extract the file named nvd_mysql.zip, open a terminal and change to the folder where you extracted it. The import below expects a database named nvd to exist already (the Windows instructions create it with create database nvd;). Then type:
mysql -u root -p nvd < nvd_mysql.sql

Windows

Download and install the following:
-Python 2.7.3 Windows Installer from here
-MySQL Server from here
-SciPy 2.7 super pack from here
-NumPy 2.7 super pack from here
-matplotlib from here
-MySQL-Python from here (for easier installation, get it from here)

Open the MySQL 5.5 Command Line Client and type:
create database nvd;
Open the file config.ini and edit it according to your MySQL installation: add your name as the author of the report, set the paper size, the type of splines, etc. Finally, open a command line and execute:
mysql -u root -p nvd < nvd_mysql.sql

Update

To update the database with the latest exports from the National Vulnerability Database, you may use a locally downloaded XML file:
python secqua.py path/to/local/file.xml
or the URL of the XML file:
python secqua.py http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml

Run

From the folder where you extracted the files, run:
python secqua.py
The program starts by asking whether you want to export the data; the export format is a typical LaTeX file. Afterwards SecQua asks for the type of categorization you want. The sorting can be done by:
-Week day
-Month Day
-Month or
-Year day.
The default option is month day. Then you are asked which software you want to add to your IS. The supported software is listed in the file sw_list.txt.
For example, typing windows will try to find any vulnerabilities regarding windows. Because this query returns results not only for Microsoft Windows but for any other software with the string windows in its name, refine the query to quantify the security level more accurately, e.g. windows_server_2008 or windows_xp. Moreover you may use SQL pattern (regular-expression) syntax, e.g. type kernel:2.6.[23][0-9] to search for Linux kernels from 2.6.20 and above, or microsoft*.windows_server_2003 to ensure that only Microsoft products are selected. Leave the entry blank and press <enter> to finish adding IS software.
A figure displaying the security status over the selected period will be shown, together with the calculated security level.

Output

A typical report looks like this.

Licence

SecQua is licensed under the GPL version 2. The full text of the license is available here.

 
Last edit: Constantinos Patsakis 2012-07-10