Projects and Products
You can group scans in a Project or a Product. We created these groups for the most common use cases that you asked for:
- Project: grouping related scans into a single place
- Product: tracking security posture of a product or product line
When creating a Project or Product for the first time, you can set its properties in the side panel:
- name
- a representative icon (only for looks; it does not affect scan functionality)
- and the Default settings for new scans
- PRIS™ scan behaviour (for all uploaded firmware)
How to create a new Product or Project?
You have two options here; both lead to the same result.
Create the Product or Project first
- Open the Projects or Products page on the Dashboard
- Open the Create new sidebar using the + symbol
- Choose a name and icon
- Fine-tune the Default settings for new scans
- Hit Create
Now you can open the newly created Project or Product and upload the firmware using the well-known + symbol (only now it says Start scan).
Upload a firmware first
- Open the Scan page on the Dashboard
- Drag and drop or click to browse and upload a firmware
- Click + Add to product or project at the bottom of the side panel
- Type in a name or choose an existing one
- Hit Let’s roll! to start the scan that will be added to the selected Project or Product
How to change settings later?
Easy-peasy. The settings listed below can be modified by clicking the Edit button in the header (right next to the Watch button). After making your choices, hit Save on the side panel and you are good to go.
- name
- a representative icon (only for looks; it does not affect scan functionality)
- and the Default settings for new scans
- PRIS™ scan behaviour (for all uploaded firmware)
When to create a Project?
Use this grouping for project-based IoT penetration testing tasks. Really, Projects are basically folders to keep things together in the BugProve ecosystem; use them as such. Originally, Project grouping was designed with security service providers in mind, such as pentest labs, security evaluation firms and product security teams.
When to create a Product?
Use this grouping to track the security posture of a product or product line. This is ideal for grouping together firmware images that share the same underlying IoT device design (think firmware revisions for the same hardware model, etc.).
Let’s say you have two products: ACME-CAM-3117 (IP camera) and ACME-NVR-7165 (network video recorder). In this example you would create two Products:
- ACME-CAM-3117 (it might hold 5 firmware revisions for the camera)
- ACME-NVR-7165 (it could have 10 firmware revisions for the recorder)
If you mark a vulnerability as Accepted, Rejected or Ignored, we will apply that status to new firmware uploads as well (if they contain the same issue). To check all status choices related to your product, visit the Exploitability page (Ignored elements are not listed, though).
As you upload more firmware versions, it becomes more challenging to keep track of things. To avoid any confusion, use the Latest version feature; it will help you track which firmware is the latest one.