Show progress with reports
Generate, share, and download app-level and scan-level reports to share your progress with stakeholders.
Which report should I generate?
Report | Description |
---|---|
InsightAppSec Applications (Apps) Executive Report | Executive data on all the apps scanned by InsightAppSec for a selected calendar month. Use this report to show a CISO or other executives the monthly progress you are making with your application security program, or highlight areas you may need to make greater investments in. |
InsightAppSec and InsightVM | Executive data on the apps and assets scanned by InsightAppSec and InsightVM for a selected calendar month. Vulnerability management has many facets and, with this report, you can give your CISO or other executives a holistic view of your vulnerability management program. |
InsightAppSec (App) Executive Report | Executive data for an individual app scanned by InsightAppSec for a selected date range. |
Vulnerabilities Summary Report | Basic or detailed vulnerability data on a scan run for a specific application. Scan managers can use the Vulnerabilities Summary Report to get quick yet detailed insights into the most recent scan or particular scan they're reporting on. This report could also benefit engineering team managers planning for resource allocation, and identifying issues that need to be addressed. |
Vulnerabilities with Remediation Report | This report provides vulnerability data on a scan by InsightAppSec for a specific application along with remediation recommendations. |
Scan compliance reports | You can use the scan compliance reports to advise on your compliance with specific regulations. These reports allow you to see how the results of a scan compare with the regulations your organization must comply with. |
InsightAppSec reports are advisory only
If a report shows no vulnerabilities, or low severity or safe vulnerabilities, this should not necessarily be taken as affirmation of compliance.
Create a report for one or more apps
You can generate executive-level reports containing data on all of your apps from the Apps page and for an individual app from within the app.
Generate a report for multiple apps
Generate a report for multiple apps
- Click Apps in the left navigation menu.
- Click Generate Report.
- From the Generate Executive Report screen, enter a Report Name and select a calendar month. The report pulls in data for completed calendar months only, so you have to wait until the beginning of the next month to generate the report. It may take up to 7 days from the start of each month for the previous month's data to become available.
- In Report Types, select one of the following:
- InsightAppSec All App Executive Report
- Combined InsightAppSec and InsightVM Executive Report
- Click Generate Report.
Generate a report for one app
Generate a report for one app
- Click Apps in the left navigation menu.
- Select an app from the Apps vulnerability table.
- Click Generate Report.
- On the Generate Report screen, enter a Report Name and select a date range.
- Select Executive Report under Report Types.
- Select a Format Type (PDF or HTML).
- Click Generate Report.
Create a scan-level report to view vulnerabilities
You can generate scan-level reports with vulnerability or compliance-related information from within an individual scan.
Generate an InsightAppSec scan-level report
Generate an InsightAppSec scan-level report
- Click Scans in the left navigation menu.
- Select a scan from the scan-level vulnerability table. You can also select scans from within an App.
- Click Generate Report.
- From the Generate Report screen, enter a Report Name and select a Report Type.
- Select a scan report.
- Select a Format.
- Click Generate Report.
Filter scan report data
Filter scan report data
You can add filters to a scan-level report to refine the data before generating the report.
- Go to the Scans page and select a scan.
- Select the filter criteria.
- Click Apply.
- Click Generate Report.
Applied filters are visible in a banner on the Vulnerabilities Summary and the Vulnerabilities with Remediation Report in PDF or HTML format when printed.
Download previously generated reports
You can download reports created across all apps, including previously generated reports, from the Reports page located in the left navigation menu.
Types of reports you can download
You can access all app level reports for the apps that you are assigned, including:
- Single app executive report
- Scan-level vulnerability reports
- Scan-level compliance reports
You can only download the multi-app executive level reports and the combined InsightAppSec InsightVM all apps reports that you generated.
Download reports
Download reports
Only reports generated after March 28, 2022 are displayed on the Reports page. Historical reports are not available.
- Click Reports in the left navigation menu.
- Select the report(s) you want to download and click the Download button.
Learn more about reports
App Reports
InsightAppSec Apps Executive Report
This report provides an overview of all apps scanned during a selected month. The report contains the number of apps scanned, unreviewed vulnerabilities, high severity vulnerabilities and remediated vulnerabilities with each of these compared to the previous month. It also shows the top vulnerability types and the vulnerabilities by severity and status.
Combined InsightAppSec and InsightVM Executive Report
This report provides an overview of the assets and apps scanned by InsightAppSec and InsightVM. The report contains sections relating to your overall vulnerability management programs, including details on apps and assets scanned along with the vulnerabilities found and remediation efforts. Where applicable, it also showcases details on location, owner, and criticality tags.
Vulnerability Reports
Vulnerabilities Summary
The Vulnerabilities Summary is an overview of the vulnerabilities found in the app during the scan. The report is organized by vulnerability and the number of vulnerabilities found during the scan for the app.
Vulnerabilities with Remediation Report
The Vulnerabilities with Remediation report contains all vulnerabilities found in an app from the chosen scan and the recommended remediation. Before making the report, you can use a filter to focus on certain vulnerabilities. Within the report, you can view the attack type, recommendation, and replay the attack using the Rapid7 Chrome Plugin.
OWASP Reports
The OWASP foundation focused on helping organizations build more secure applications. They educate the community about top security risks to web applications along with top remediations. The OWASP Top 10 is a popular reference framework used by developers and web application security teams for guidance on the most critical security risks to web applications.
OWASP TOP 10 API Security Risks - 2023
Based on scan data, the OWASP Top 10 API Security Risks - 2023 Report shows whether the API passed or failed on each of the top 10 OWASP API security risks and related attacks. It also shows vulnerabilities within each of the top 10 issues along with the response and request data for the vulnerability.
OWASP 2021 Report
The OWASP 2021 Report shows the top 10 risks in 2021 that OWASP determined. The report shows whether you passed or failed on each OWASP Top 10-based attack for the scan. It also shows vulnerabilities within each of the top 10 issues along with the response and request data for the vulnerability.
The Log4Shell attack is not included in our OWASP Top 10 2021 attack
Although the Log4Shell Out of Band (OOB) attack is listed in the OWASP Top Ten of 2021, we exclude this attack in the OWASP 2021 attack template for efficiency.
The OOB Injection for Log4j attack significantly extends scan times, so we kept it separate from the OWASP Top 10 and All Modules attack templates.
OWASP 2017 Report
The OWASP 2017 Report shows the top 10 OWASP issues and whether you passed or failed on each for the scan. It also shows vulnerabilities within each of the top 10 issues along with the response and request data for the vulnerability.
OWASP 2013 Report
The OWASP 2013 Report shows the top 10 OWASP issues and whether you passed or failed on each for the scan. It also shows vulnerabilities within each of the top 10 issues along with the response and request data for the vulnerability.
Compliance Reports
Payment Card Industry Report (PCI Report)
The Payment Card Industry report helps you prepare for an audit, an assessment, or a questionnaire around PCI compliance. Uncovering potential issues that will affect the outcome of any of these exercises allows you to take action and secure critical vulnerabilities on any assets that deal with payment card data.
SOX Report
The SOX (Sarbanes-Oxley Compliance) details compliance issues and whether you passed or failed on each, for that particular scan. The report shows each requirement and the details of the vulnerabilities that caused you to fail, if you did.
HIPAA Compliance Results
The HIPAA compliance report shows each requirement, if you passed or failed, and the details of the vulnerabilities that caused you to fail, if you did.
GDPR Report
The GDPR report is an advisory report that shows how vulnerabilities in scanned targets might jeopardize your GDPR compliance and highlights which vulnerabilities need to be addressed.
Mapping OWASP Categories to Attack Modules
Web Application
OWASP 2021 TOP 10 Categories | Attack Module |
---|---|
A01:2021-Broken Access Control | AnonymousAccess CORS CSRF DirectoryIndexing EmailCheck ForcedBrowsing InformationDisclosure InformationLeakage JavaGrinder LocalStorageUsage LogicAttack PrivacyDisclosure PrivilegeEscalation RemoteFileInclude ResourceFinder ScriptCheck ServerConfiguration SourceCodeDisclosure UnvalidatedRedirectCheck XPoweredByHeader |
A02:2021-Cryptographic Failures | CredentialsOverUnEncryptedChannel FormCheck HTTPDowngradable SensitiveOverInsecureChannel SessionStrength |
A03:2021-Injection | BLDAPInjection BSQLInjection ExpressionLanguageInjection HttpResponseSplitting LDAPInjection NoSQLInjection NoSQLInjectionBlind OSCommanding ParameterTampering PHPCodeExecution ServerSideInclude ServerSideTemplateInjection SQLInjection SQLInjection_Auth SqlParameter XPathInjection OutOfBandStoredXSS OutOfBandXSS WebMethod XSS_DOM XSS_DOM_Comprehensive XSS_Persistent XSS_PersistentActive XSS_Reflected XSS_Simple |
A04:2021-Insecure Design | ArbitraryFileUpload BrowserCacheModule LocalStorageUsage PasswordExposure SqlErrors SessionInHttpQuery UrlRewriting ViewStateCheck |
A05:2021-Security Misconfiguration | AspNetMisconfiguration AutocompleteCheck ClientsCrossDomainPolicy CookieAttributes CSPHeaders FrontPageChecks HSTSDetection WebBeacon XmlExternalEntity |
A06:2021-Vulnerable and Outdated Components | ApacheStruts2 ApacheStrutsDetection HeartbleedCheck NginxNullCode OutOfBandLog4ShellJNDIInjection RemoteCodeExecution |
A07:2021-Identification and Authentication Failures | BruteForce BruteForceForm CommentCheck FormSessionStrength HttpAuth SessionFixation SessionUpgrade |
A08:2021-Software and Data Integrity Failures | AspNetSerialization SecureAndNotSecureContentMix SubresourceIntegrity |
A09:2021-Security Logging and Monitoring Failures | |
A10:2021-Server-Side Request Forgery | ServerSideRequestForgery ReverseProxy |
API
OWASP 2023 TOP 10 Categories | Attack Module |
---|---|
API1:2023-Broken object level authorization | LogicAttack |
API2:2023-Broken authentication | BruteForce HTTPAuth SessionFixation SessionStrength SessionUpgrade |
API3:2023-Broken object property level authorization | EmailCheck InformationDisclosure InformationLeakage PrivacyDisclosure Server Configuration SQLErrors XPoweredByHeader |
API4:2023-Unrestricted resource consumption | |
API5:2023-Broken function level authorization | AnonymousAccess Arbitrary File Upload Cross Origin Resources Sharing (CORS) CSRF Forced Browsing HTTPS Downgrade |
API6:2023-Unrestricted Access to Sensitive Business Flows | ServerSideRequestForgery |
API7:2023-Server side request forgery | CookieAttributes HTTPHeaders HTTPSEverywhere SSLStrength Unvalidated Redirect X-Content-Type-Options |
API8:2023-Security misconfiguration | |
API9:2023-Improper inventory management | |
API10:2023-Unsafe consumption of APIs | ASP.NET Serialization BLDAPInjection BSQLInjection ExpressionLanguageInjection LDAPInjection NoSQLInjection Blind NoSQLInjection OSCommanding OutOfBandLog4ShellJNDIInjection Out of Band Cross-site scripting (XSS) Out of Band Stored Cross-site scripting (XSS) Out of Band SQL Injection (OOB SQLi) ParameterTampering SQLInjection SQLInjection_Auth SQL Information Leakage SqlParameter SQL Parameter Check XMLExternalEntity XPathInjection XSS_Persistent |