Warning
This software is NOT a release candidate and is NOT production-ready.
The code in this repository (and its dependencies) may contain vulnerabilities. The maintainers provide no warranty of any kind and accept no liability for any defect, vulnerability, data loss, security incident or other damage resulting from its use.
You install, run, evaluate and operate this software at your own risk. Do not deploy it in a production environment, and do not expose it to untrusted networks without an independent security review.
This document presents the OWASP Vulnerability Management Center (VMC) platform — its design, the requirements for running it, the installation options, the architecture and the administration panel.
Vulnerability Management Center (VMC) is a tool that facilitates and supports the process of managing vulnerabilities in an organisation. It integrates with infrastructure elements such as vulnerability scanners, publicly available knowledge bases on published vulnerabilities, IT asset inventory systems and reporting platforms. With its data-normalisation capabilities and a transparent interface, VMC presents threat information in an accessible way and alerts on deviations and anomalies.
What distinguishes VMC is organisation-level vulnerability analysis, as opposed to the common per-host assessment that ignores environmental conditions. Using the environmental score that VMC computes, the cybersecurity team can focus on the most exposed elements of the infrastructure and prioritise remediation based on the tool's recommendations.
The architecture allows VMC to run in any environment — a public cloud, a private cloud, a physical server or a virtual machine.
The minimum hardware footprint required for the platform to run correctly:
| Resource | Minimum |
|---|---|
| RAM | 8 GB |
| Storage | 30 GB per machine |
| CPU | 4 cores |
The software dependencies and the minimum version of each:

| Name | Minimum version | Description |
|---|---|---|
| Linux OS | Debian 12 (Bookworm) / RHEL 9 / Ubuntu 22.04 (any modern Linux with Docker) | Host OS. |
| Python 3 | 3.10 | Application runtime. |
| Nginx | any current release | https://www.nginx.com/ — proxy in front of the VMC admin. |
| Redis | 6.2 | https://redis.io/ |
| RabbitMQ | 3.12 | https://www.rabbitmq.com/ |
| Elasticsearch | 7.17 | https://www.elastic.co/elasticsearch/ |
| Kibana | 7.17 | https://www.elastic.co/kibana/ |
| PostgreSQL | 15 | https://www.postgresql.org/ |
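A pre-flight script that checks a Linux host against the minimum footprint and Python version listed above, added here as an example; it is not part of the VMC project. The thresholds are the ones from the tables; how it reads RAM, cores, free disk and the Python version (from /proc, df and python3) is an assumption about a typical Linux host, and the Docker data directory defaults to /var/lib/docker only as a convention.

```shell
#!/bin/sh
# Added example, not code from the VMC project: pre-flight check of a Linux
# host against the minimum footprint and Python version in the tables above.
# The thresholds are the page's; reading /proc, df and python3 the way this
# script does is an assumption about a typical Linux host.

MIN_RAM_MB=8192     # 8 GB
MIN_CORES=4
MIN_DISK_GB=30      # per machine
MIN_PY=3.10

# meets_minimum ACTUAL MINIMUM: succeeds when ACTUAL >= MINIMUM (integers).
meets_minimum() {
    [ "$1" -ge "$2" ]
}

# python_version_ok VERSION: succeeds when major.minor of VERSION >= MIN_PY.
python_version_ok() {
    v_major=${1%%.*}; v_rest=${1#*.}; v_minor=${v_rest%%.*}
    m_major=${MIN_PY%%.*}; m_minor=${MIN_PY#*.}
    if [ "$v_major" -gt "$m_major" ]; then return 0; fi
    [ "$v_major" -eq "$m_major" ] && [ "$v_minor" -ge "$m_minor" ]
}

# Live readers for the host (Linux paths). host_disk_gb DIR reports free
# space on the filesystem holding DIR, falling back to / if DIR is absent.
host_ram_mb()  { awk '/^MemTotal:/ { printf "%d", $2 / 1024 }' /proc/meminfo; }
host_cores()   { nproc 2>/dev/null || grep -c '^processor' /proc/cpuinfo; }
host_disk_gb() {
    dir=$1; [ -d "$dir" ] || dir=/
    df -Pk "$dir" | awk 'NR == 2 { printf "%d", $4 / 1048576 }'
}
host_python()  {
    python3 -c 'import sys; print("%d.%d" % sys.version_info[:2])' 2>/dev/null || echo 0.0
}

# evaluate_host RAM_MB CORES DISK_GB PYVER: prints one line per check and
# returns the number of failed checks, so 0 means the host meets the minimum.
evaluate_host() {
    failed=0
    if meets_minimum "$1" "$MIN_RAM_MB"; then echo "ok   RAM: $1 MB"
    else echo "FAIL RAM: $1 MB, need $MIN_RAM_MB MB"; failed=$((failed + 1)); fi
    if meets_minimum "$2" "$MIN_CORES"; then echo "ok   CPU: $2 cores"
    else echo "FAIL CPU: $2 cores, need $MIN_CORES"; failed=$((failed + 1)); fi
    if meets_minimum "$3" "$MIN_DISK_GB"; then echo "ok   disk: $3 GB free"
    else echo "FAIL disk: $3 GB free, need $MIN_DISK_GB GB"; failed=$((failed + 1)); fi
    if python_version_ok "$4"; then echo "ok   python: $4"
    else echo "FAIL python: $4, need >= $MIN_PY"; failed=$((failed + 1)); fi
    return "$failed"
}

# Run the live check only when asked: sh vmc-preflight.sh --run [docker-data-dir]
case "${1:-}" in
    --run)
        evaluate_host "$(host_ram_mb)" "$(host_cores)" \
                      "$(host_disk_gb "${2:-/var/lib/docker}")" "$(host_python)"
        ;;
esac
```

The exit status is the number of failed checks, so the script can gate an automated install (`sh vmc-preflight.sh --run || exit 1`). Free disk is measured on the filesystem that will hold the container images and data, which is where the 30 GB actually goes, not on / by default.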
The following vulnerability scanners are supported (optional for installation):
| Name | Version |
|---|---|
| Nessus | 7.x |
| Nessus | 8.x |
| OpenVAS | GVM protocol version 9.0 |
| OpenVAS | OMP protocol version 7.0 |
To install from source:

```sh
git clone https://github.com/DSecureMe/vmc.git
cd vmc
pip3 install .
```

Or install the packaged release from PyPI:

```sh
pip3 install vmcenter
```

Note
The vmcenter release on PyPI may lag the latest source by one or more release cycles. For the most recent code (post-modernisation), prefer the git checkout above.

If you want to build your own image with a specific VMC version:

```sh
git clone https://github.com/DSecureMe/vmc-docker
cd vmc-docker
make build
```

The official VMC image is available on Docker Hub:

```sh
docker pull dsecureme/vmc:tagname
```

For a turnkey demo (admin + scheduler + worker + Postgres + Elasticsearch + Kibana + Ralph + TheHive + ElastAlert), use the orchestrator at vmc-dev-toolkit:

```sh
git clone --recurse-submodules https://github.com/DSecureMe/vmc-dev-toolkit.git
cd vmc-dev-toolkit
make up all=y
make demodata
```

After make demodata succeeds, the admin panel is available at http://localhost:8080/admin/ (credentials: admin / admin). These are demo credentials on a demo stack: change them before anyone else can reach the host, and keep the listener bound to localhost, as the warning at the top of this document requires.
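A quick exposure check to run after `make up`, added here as an example and not part of vmc-dev-toolkit: it lists listening sockets that are bound to a wildcard address (0.0.0.0, [::] or *) rather than 127.0.0.1, restricted to the ports the demo stack is expected to use. Port 8080 is the admin panel from this page; the other ports are the stock defaults of the dependencies in the table above (Kibana 5601, Elasticsearch 9200, PostgreSQL 5432, Redis 6379, RabbitMQ 5672), which is an assumption about how the demo publishes them. The `ss` output embedded below is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the VMC project: after `make up`, report demo
# services that are reachable from other hosts, i.e. LISTEN sockets bound to a
# wildcard address. 8080 is the admin panel from this page; the remaining ports
# are the dependencies' stock defaults (an assumption about the demo stack).

DEMO_PORTS="8080 5601 9200 5432 6379 5672"   # admin, Kibana, Elasticsearch, Postgres, Redis, RabbitMQ

# Constructed sample of `ss -ltn` output, not captured from a real host.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:8080      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:9200        0.0.0.0:*
LISTEN 0      4096   [::]:5601           [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'

# exposed_listeners PORTS < ss_output: prints "addr:port" for every LISTEN
# socket bound to 0.0.0.0, [::] or * on one of PORTS (space separated, defaults
# to DEMO_PORTS); exits 1 if any were found, 0 otherwise.
exposed_listeners() {
    awk -v ports="${1:-$DEMO_PORTS}" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4; sub(/:[^:]*$/, "", addr)      # strip the trailing :port
            port = $4; sub(/^.*:/, "", port)         # keep only the port
            if ((addr == "0.0.0.0" || addr == "[::]" || addr == "*") && (port in want)) {
                print $4; found++
            }
        }
        END { if (found) exit 1; exit 0 }'
}

# check_demo_exposure: run against the live host; exits 1 if any demo port is
# reachable from the network, which the warning at the top of the page forbids.
check_demo_exposure() {
    ss -ltn | exposed_listeners "$DEMO_PORTS"
}

case "${1:-}" in
    --run)  check_demo_exposure ;;
    --demo) printf '%s\n' "$SAMPLE_SS" | exposed_listeners "$DEMO_PORTS" ;;
esac
```

On the constructed sample the script reports 0.0.0.0:9200 and [::]:5601 and exits 1: the admin panel is correctly on loopback, but Elasticsearch and Kibana are reachable by anyone who can route to the host, and neither ships with authentication switched on. Port 22 is bound to a wildcard too but is not a demo service, so it is left out; pass a different port list as the first argument to widen the check.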