Purpose

This document provides users with a comprehensive overview of the Assets. It is assumed that the reader has basic access to the OUTSCAN/HIAB account with an Appsec subscription.

Introduction

Assets are groups of unique hosts found during the discovery stage or added automatically while creating a configuration. An asset can also be linked to a group of configurations, and one asset can have hundreds of configurations which are being scheduled and scanned independently.

These assets are defined based on their IP, Docker Registry, or hostname. Their risk profile in form of top recommended solutions and risk charting provide a quick way of assessing the criticality of an asset, its association with other assets and already performed scans.

Assets

What are Assets?

Assets are groupings of one or several identifiers such as IP addresses and host names that represent distinct resources customers wants to secure. As such, an asset may represent entities such as:

  • An employee's laptop
  • A publicly available website, hosted on a domain for example example.com and served from one or more physical or virtual servers
  • A database server only accessible from within an internal, protected network
  • An OCI image served from a private container registry
  • Resources hosted on a cloud service provider

As Outpost24 services scan and analyze targets, findings are generated and associated with the corresponding assets.

How are Assets Created and Updated?

Assets are managed either along with the creation of a new scan configuration, or dynamically on discovering Docker images or assessing cloud resources.

What Type of Identifiers Exist?

(Asset identifiers table with short descriptions?)

Valid Asset Composition

Not all identifier types may exist within the same asset simultaneously. The below matrix summarizes how assets may be composed.

Asset Composition Constraints

There are a few constraints for how many asset identifiers can compose an asset and which asset identifier types can co-exist within an asset:

Asset Identifiers/AssetServerAWS AccountDocker ImageGCP AccountMAZ Account
AWS_ACCOUNT_IDNotMustNotNot

Not

AWS_REGIONNotMustNotNot

Not

DOCKER_IMAGENotNotMustNot

Not

DOCKER_REGISTRYNotNotMustNot

Not

GCP_PROJECT_IDNotNotNotMust

Not

HOSTNAMEMayNotNotNotNot
IPMayNotNotNotNot
MACMayNotNotNotNot
MAZ_TENANT_IDNot

Not

NotNotMust
NETBIOS

May

Not

NotNotNot
SEED_PATH

May

May

MayMayMay

Green - Asset identifiers that must exist in an asset
Orange - Asset identifiers that may exist in an asset
Red - Asset identifiers that must not exist in an asset

Asset Naming

Assets names is auto-generated by the system and is derived from underlying identifiers.

The asset names is a customizable attribute and can be changed.

Changes from Previous Versions of Portal

Previously the Assets view provided access to individual identifiers. In addition to flooding the view with many top-level records, this frequently meant having to traverse between linked records (for example hostname -> IP) in order to review updated information.
Grouping related identifiers together as assets allows for accessing information of importance faster and more coherently; for example, findings obtained from distinct IP addresses may all be united under the overarching webshop which they all serve.

Customizing the Asset View

The Assets view lists all tracked assets. 

To customize the view,

  1. Click on Filter icon to see the available columns and filtering options. See Common Settings, for more information. 
  2. Add desired columns by clicking on the Show/Hide Column icon.




Select an asset to view its details on the right side of the window.

Assets - Details

RISK PROFILE

Displays the information about when the asset was first seen, last seen and the risk overviews associated with that specific asset. 

SCANS

Displays list of scans along with the status and results of each scan of that asset.

URLS

STATUS


CONFIGURATIONS

Takes you to Scan Configurations.

ASSOCIATIONS

Displays the IPs, host names and services associated with the selected asset.

Merging Assets

You can select multiple assets identifiers and merge them into a asset by clicking on the Merge icon at bottom of the table.

This displays an information box explaining what asset identifiers is going to be merged and the consequences thereof.

Click on the Merge Asset button to confirm the merge.

warning

Any data, such as findings and configurations, associated with the assets that is merged will be lost in the merge.

Splitting Assets

To split assets, click on the asset, choose the Associations tab and select the identifiers to be split from the Asset.

Then click the Split Asset button. This displays an information box explaining that you are about to split an asset, meaning that a new asset will be created containing the selected asset identifiers.

To confirm the split click on the Split Asset button.

Note

When splitting an Asset, at least one asset identifier need to be left in the asset.

To undo a split, just merge the asset identifiers again.


SWAT Assets (SWAT Only)

The SWAT Assets view lists all of the SWAT web applications and instances. 

Select an application to view its details on the right side of the window. 

SWAT Assets - Details

FINDINGS

FINDINGS

The Findings tab presents a pie graph with a summary of all of the findings and their severity based on CVSS v2 scoring system. A list of the findings used to build the chart can be found underneath. Clicking on any of the findings takes you directly to the findings section and automatically open the details of the finding. The table inside the Findings tab is also automatically filtered by the instance that you are viewing. If you wish to go back to SWAT Assets view, either click on the SWAT Assets button in the upper menu or use back button or perform a back action in your browser to return.

OWASP TOP 10

The OWASP Top 10 tab presents an overview of the OWASP Top 10 2017 application security risk areas in which vulnerabilities were detected:

OWASP Top 10

EXECUTIVE SUMMARY

If executive summary is available for the selected application, it is displayed here.

EXECUTIVE SUMMARY

Add Assets

See Add a Configuration, for information on how to add an asset. 

Configure Authentication for an Asset

See AUTHENTICATION, for configuring authentication for an asset.

Manage Assets

Select an asset to view the additional user actions.

Manage Assets


  1. Click on Configure Asset, to make a default configuration for the selected asset.

  2. Click on Submit for Scoping, to submit the selected assets for scoping.

    Submit for Scoping

    Fill in the required details and click SUBMIT.

    OptionDescription
    Solution

    Apply a solution to the targets that you submit for scoping.

    Target Start Date

    The date for the testing to start. If the desired date is unavailable, a new date is suggested.

    Assets

    The URL of the specific application that should be covered by this test.

    Administration interface URLs

    Any administration interface present on the application.

    Out of scope URLs

    URLs that are not considered to be in scope of the testing. Example: a feature hosted by a third party.

    Known sensitive functionality

    Any known sensitive functionality that may be affected by security testing.

    Accounts

    Test credentials to be used during testing. Either basic authentication or web-based.

    Components and Technologies

    Standard components and technologies used by the web application like Drupal, ASP .NET, MongoDB.

    Focus Areas

    The part of the web application that is most important to test, e.g. order section, administer users, searching etc.

  3. See Tags to know how to add or remove tags to an asset.

  4. Click on Generate report to download a report. See Reportsfor more information. 

  5. Delete Assets

    1. Select the assets to be deleted, and click on the Delete button at the bottom of the view.
    2. Confirm the action by clicking DELETE.

      Delete Assets


Deleting assets removes data associated with the asset findings. It however does NOT remove the associated configurations, schedules, scans or other assets linked to the deleted asset.




Copyright

© 2022 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.