Requirements
- A Security Scorecard Portfolio Name
- Security Scorecard allows users to create portfolios to track groups of Companies to track.
- We recommend creating a Portfolio for NopSec use specifically by only placing your the company's you want to bring in as vuln instances into NopSec.
- A Security Scorecard API Token (see below for steps)
Permissions
- A NopSec user with the permissions of:
- Integrations.read
- Integrations.write
- We require the Security Scorecard API to have read access and be part of the team who has access to the Portfolio you will use.
Steps to configure
You can create a bot user, to prevent a scenario where human users attempt to refresh an expired API token, causing your integration or API access to stop working. A bot user does not expire.
We also refer to a bot user as a service account since it is not associated with any individual person.
Note: If you do not have administrative permissions in SecurityScorecard, ask an administrator to create the user and API token for you.
- In SecurityScorecard, click your profile avatar and select My Settings.
- On the People Management tab under Admin Settings, click Invite People.
- Make the new user a bot so that it will not expire. This prevents a scenario where human users attempt to refresh an expired API token, causing the integration to stop working.
- Name the bot user and select the desired Access Level (here Read Only if the purpose is only to retrieve/get data from the platform). Then click Add User.
- Click Create API token for the new bot user.
- Click Confirm.
- Copy the API token and click Done. Store the token securely.
Configure Integration in NopSec
- Open NopSec and click on Integrations
- Click on Vulnerability Tab
- Find Security Scorecard
- Click on Add Integration
- Give your integration a connection name like "SecurityScorecard - "
- If you would like to separate companies by integration you can name them uniquely here.
- As of 8/2/24 there is a small UI bug which will be fixed by 8/5/24
- Where the UI says Username this should say Portfolio Name
- Where the UI says Password this should say API Token
- Click Save and Connect
- Click on Sync History Tab
- Refresh every few minutes to see the updated status
- The first sync is only scheduled to retrieve 24 hours worth of data
- Once task is completed, ie. FINISHED then you may go to Prioritize and see your results
Security Scorecard
NopSec ingests Security Scorecard issues for all companies in a portfolio.
Each Company in Security Scorecard manages and scans a list of Domain Names as FQDNs or URLs. These are ingested into NopSec as Targets.
Each Company Domain is associated with Issues within Security Scorecard and NopSec ingests those items as Vuln Instances that are associated to specific Targets, ie. Domains.
We do not currently ingest the following (as of 8/2/24)
- Security Scorecard Plans
- Security Scorecard Company IPs
- Security Scorecard Attack Surface Management data
- Security Scorecard Grades at the company level.