To determine the priority of and next steps for a vulnerability, review the information available for each vulnerability.
What's a vulnerability?
Vulnerabilities are aspects of your app that can make it susceptible to attackers. For each vulnerability at the organization, app, and scan level, you can view information about the vulnerability and replay the attack so that you can learn how to remediate it and improve the security of your application. You can leave comments on vulnerabilities to help you and others better understand and remediate them.
What do the vulnerability statuses mean?
The following statuses help you sort and prioritize your scan results:
| Status | When is it used? |
|---|---|
| Unreviewed | All vulnerabilities found by a scan that need to be reviewed. This is your starting point when reviewing scan results. |
| New | Newly discovered vulnerabilities that were not found in previous scans. These vulnerabilities are marked Unreviewed and are flagged as New until reviewed or found in a subsequent scan. |
| Ignored | Vulnerabilities that were identified as potentially harmful, but that users reviewed and then marked Ignored. You may want to replay the attack or otherwise verify that Ignored vulnerabilities do not pose a threat. |
| False Positive | Vulnerabilities that users flagged as having been incorrectly reported by InsightAppSec. Users can change the status of False Positive vulnerabilities during the investigation process. |
| Verified | Vulnerabilities that users investigated and determined to carry legitimate risk. Users change the status to Verified to show that the vulnerability needs to be remediated. |
| Remediated | Vulnerabilities that were identified, investigated, and fixed. Users and validation scans can change the status to Remediated. If an issue is rediscovered in a subsequent scan, the status reverts to Unreviewed. |
| Duplicate | Vulnerabilities that users determined share a similar source and can be tracked under a similar vulnerability. |
View vulnerability details
The vulnerability details in InsightAppSec include information such as the vulnerability age and severity that you can use to determine the priority of the vulnerability. You can also dig deeper to view the request and response that InsightAppSec used to determine that the vulnerability was present.
Share vulnerabilities and results
Use the Copy Vulnerability Link button to copy and share the link to the vulnerability information. You can share this link with anyone; however, only users with valid InsightAppSec login credentials will be able to view it.
What can I learn from vulnerability details?
Vulnerability details include key information about the attack, the response, and additional tracking fields that help you determine the best status and next step for the vulnerability. For example, before marking a vulnerability Ignored, review the vulnerability details to confirm that the vulnerability is not a risk.
To help you better understand the vulnerability, review the vulnerability details.
The attack that was used and that resulted in the vulnerability finding.
InsightAppSec provides two ways to prioritize vulnerabilities by severity:
CVSS v3.1 severity, a numerical value (0-10) and associated vector string calculated using the CVSS calculator for principal characteristics of a vulnerability. For more information on CVSS scores, vector strings, and calculations, check out the CVSS specification document.
Severity level assigned to the type of vulnerability, which can either be the default module severity or the selected severity from a custom attack module.
| Severity | Description |
|---|---|
| High | High severity vulnerabilities may lead to attackers gaining complete control of the application as well as its data, trust, privacy, and/or availability. Immediate action is recommended to prevent a potentially catastrophic attack, as high severity vulnerabilities are often exploited by automated tools that do not depend upon user interaction. |
| Medium | Medium severity vulnerabilities may lead to attackers gaining partial control of the application as well as its data, trust, privacy, and/or availability. Deficiencies and errors in the application configuration are typically how these vulnerabilities are exploited. Although these types of attack require more effort and skill from the attacker, a successful breach can still have a major negative impact. |
| Low | Low severity vulnerabilities may lead to attackers gaining intelligence in preparation for an attack. For these attacks to be successful, several areas of vulnerability such as user error, poor authentication methods, and related vulnerabilities need to be aligned. Any data collected may seem harmless but could be used to facilitate a larger attack. |
| Info | These findings are simply the information we discovered about the application components and configuration. This data could be potentially useful to an attacker collecting information but has no direct impact on vulnerability exploitation. |
Why are there two severity scores?
The benefit of two scores is that you can compare the score in InsightAppSec to the CVSS score. You can edit the Severity score of Info, Low, Medium, and High that is generated by InsightAppSec, but not the CVSS score generated by the CVSS 3.1 calculator. The CVSS score may show a different severity level than the Severity score due to scan configuration or user adjustment during verification. For example, a user reviews a vulnerability with high CVSS and Severity scores and determines that because the app is isolated, the risk is actually low.
For significant severity score differences, review the vulnerability history and details to verify the correct level.
When the vulnerability was first and most recently discovered, as well as how many times it was detected.
A link to the app where the vulnerability was found, a unique hexadecimal ID for the instance, and an indicator of whether this instance of the vulnerability was exported to Jira.
The URL of the web resource where the vulnerability was found and the HTTP request parameter and method that was used for the attack.
InsightAppSec can attempt multiple variations of the same attack on a URL to check the security of your application against a variety of attacks. For example, you may have protected your application against some special characters in web forms, but not others. The Attack Variances section contains a tab for each variation of an attack attempted by InsightAppSec.
Attack variance includes information about the following:
- Traffic snapshot
- Original. The original, non-malicious value of the parameter, which is used to observe normal behavior of the app.
- Traffic snapshot
- System error message
- In-depth description
In addition to viewing attack variance information and snapshots, you can replay the attack.
This table shows a list of all the scans where this vulnerability has been found in your environment.
When was the vulnerability last found?
If a vulnerability was last discovered in a scan over 6 months ago, the vulnerability may have been resolved. Test the vulnerability to determine if it’s still active.
The Change History shows the time a status update or severity change was made on a vulnerability, the event, and which user made the change.
Comments are a great way to add notes for yourself, share them with anyone else who is looking at the vulnerability, and learn about previous findings on the vulnerability.
Admins can add, edit, and delete any comments. Users with read-write access to the app can add comments and edit and delete their own comments. Users with read-only access to the app can view comments.