Purpose

This document provides users with an overview of Web Applications.

Introduction

The Web Application tab displays a card for each SWAT Web app showing some basic information on findings trends, fixed trends, remediation, and CVSSv3.

Prerequisites

The reader needs basic access to the OUTSCAN/HIAB account with an active SWAT subscription.

Getting Started

Open a browser and navigate to https://outscan.outpost24.com/portal.

Use HTTPS protocol.

Login Portal

Enter your credentials and click on the blue arrow button to log in.

For more information about the Portal see Getting Started with the Portal.

Dashboard

In the Web applications view, all the SWAT assets are listed under the overview panel on the left-hand side.

Each card is a graphical representation of the number of open findings, fixed findings and remediated findings, a graphical representation of the CVSSv3 score, and a graph showing the trends of the findings.

Overview

When the Web application node at the top of the overview tree to the left is selected, the overview bar at the top shows the combined data for all instances.

Selecting a specific web application changes the overview bar to an information bar for the selected web app, showing its name, the number of assets, the number of associated findings and the creation date.


Clicking on the Asset, Findings, Open Findings or Closed Findings card opens a correspondingly filtered view in Asset or Findings.


Open Findings

Number of open findings.

Fixed

Number of fixed findings.

Remediation

Remediation is the average, over all findings belonging to an asset, of the number of days between the day a finding was first detected and the day it was last seen.

CVSSv3

The CVSSv3 card displays the findings in a graphical format according to the score of the vulnerability under CVSS v3.0.

Clicking on the various colored parts of the CVSSv3 diagram brings you to a filtered list in the Findings Vulnerability view.

Findings Trend

Open vs. closed findings trend by first and last seen.

Customer Actions

Accept Risk

If a risk cannot be mitigated right away, it can be accepted so that it is not picked up every time a scan runs. The risk can be accepted for a short period of time, customizable to whatever period is needed.

To accept a risk:

  1. Click the Accept risk button located on the bar under the list of findings.
  2. Enter a date and a comment.
  3. Click Accept.

Request Verification

The Request Verification button is connected to the Discussions feature.

To request a verification from the AppSec team:

  1. Click the Request verification button.

    A Comment dialog is displayed.

  2. When the Verification request is submitted, a Comment entry is put in the Comments tab of the finding.

    This comment is synced together with other comments that are marked for the AppSec team to receive, and the team begins verification of the finding.

  3. The AppSec team then either:
    1. Verifies that the vulnerability is present and:
      1. Updates the Last seen date.
      2. Responds to the Comment.
    2. Verifies that the finding is fixed and:
      1. Marks the finding as fixed.
      2. Responds to the Comment.
  4. The finding is updated and the customer needs to take action.

Findings

The Findings view shows the vulnerabilities identified during the scans.

Click on a finding to view its details on the right side of the window.

Details

The Details tab shows the description of the selected finding along with the solution. 

Asset

The affected asset. Clicking the asset name takes you to the asset view for more information.

Solution

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as Low, Medium, High, and Critical) to help organizations properly assess and prioritize their vulnerability management processes.[1] 

In the solution field both the CVSS v2 and CVSS v3 base scores are displayed. If an Environmental vector exists, it is displayed as a second section with its metrics, and the score is adjusted accordingly.

CWE

Common Weakness Enumeration (CWE™) is a community-developed list of common software and hardware weaknesses that have security ramifications. A weakness is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.[2]

CAPEC

Common Attack Pattern Enumerations and Classifications (CAPEC™) is a catalog of known cyber security attack patterns used to prevent attacks.[3]

OWASP

The OWASP Top 10 is a standard awareness document for developers and web application security.[4]

OWASP Top 10

Description

Secure Code Warrior is a cyber security company, specializing in the area of secure code training.

First seen

When the vulnerability was first discovered on the specific application.

Last Seen

When the vulnerability was last seen on the specific application.


Exploits

Shows if there are any known public exploits from various sources.

Only visible to Farsight users. To use Farsight you first need to enable the function in your subscription. Contact support for more information on how you can enable the Farsight function.


Farsight

The Likelihood feature in Outpost24 Farsight provides an easier way to address vulnerabilities which are relevant and may impact an organization irrespective of the CVSS score or the presence of an exploit for a vulnerability.

By focusing on the likelihood, you mitigate vulnerabilities for which the machine learning model predicts an increased risk even though they may not currently be exploited.

Risk classification of assets serves a purpose and should be conducted to further distinguish where to focus most efforts. This task can be time-consuming and may not produce viable results in the first couple of iterations. Farsight enables you to filter out some unlikely vulnerabilities with little to no prior knowledge about the vulnerabilities or assets, getting you on track with your vulnerability program faster. 

Risk Score - Likelihood

Likelihood is a risk indicator that shows how many times more likely a vulnerability is to be exploited compared to the average, where approximately 95% of all vulnerabilities are never exploited. It is displayed in the Likelihood column in the Findings view. The value can go from 1 to 100, where 100 is the equivalent of saying it will be (or has already been) exploited in the wild in the next 12 months. The benefit to the customer is the ability to drive more aggressive risk-based remediation, focusing on even fewer vulnerabilities that reach a particular likelihood. Any vulnerability already exploited in the wild has a risk value of 100.

Since the risk score is machine learning driven and based on several factors, the risk rating can decrease as well as increase with activity in the wild.

Score

Risk indicator that shows how much more likely a vulnerability is to be exploited compared to the average. The risk indicator presents the likelihood values in a 0-100% (0-1) format.

Delta

The difference between the current and the former likelihood values.

Update date

The date when the Delta value changed.

Threat activity

The last date when threat activity was detected by the watcher community.


Exploits

Source

Source of the exploit information, for example Farsight or Exploit Database.

CVE

Common Vulnerabilities and Exposures (CVE) entry of the vulnerability.

Name

Name of the exploit associated with the vulnerability.

URL

Link to more information about the exploit at the source.

Comments

Comments can be a note on the finding, or on the status of the finding such as resolution alternatives. A comment is only applicable to that finding and cannot be shared across multiple findings. Comments are threaded: it is possible to reply to a specific comment so that one thread stays contained to one type of discussion, which allows easy overview and segmentation of conversations.

Tip

To access existing comments, click on the comment icon in any row to quickly launch the comments window. 

Manage Findings

Select one or more findings, and choose one of the actions displayed on the bottom bar.

The possible user actions are:

  • Click on Add tags to add a tag to the selected finding.
  • Click on Remove tags to remove a tag applied to the selected finding.

    See Tags for more information.
  • Click on the Mark as Fixed icon, and confirm by clicking YES, to update the status of that finding to fixed.
  • Click on the Unmark as Fixed icon, and confirm by clicking YES, to revert the status of that finding to not fixed.
  • Click on the Request verification icon to add a comment and send it to the technical service team for verification of that finding.
  • Click on the Change risk icon to change the risk information of that finding.
  • Click on the Accept risk icon to accept the risk. You can also select a date and add a comment.
  • Click on the Unaccept risk icon to revert the accepted status of that finding.
  • Click on the Mark as false positive icon to mark a finding as a false positive.
  • Click on the Unmark false positive icon to unmark a finding as a false positive.

Columns

By clicking the Filter bar next to the Main Menu, you expand the column list available to Findings. Select any Column to view in the main window.

Select a specific column to know that information about a finding. All selected columns are displayed in the Findings tab. The available options are described below.


Accepted

Displays if the risk is accepted or not.

Accepted comment

Comment associated to the Accepted risk. 

Accepted until

The date when the risk is not considered accepted anymore.

Alternative Recreation

An alternative to the Recreation field: step-by-step instructions for how to reproduce the finding.

Asset ID

Asset identification number.

Asset name

The name given to the Asset.

Attachment IDs

Attachment identification number.

BugTraq

Bugtraq identification number of the vulnerability.

CAPEC

List of Common Attack Pattern Enumeration and Classification (CAPEC) identifiers.

Check ID

Outpost24's own vulnerability check identifier.

Comments

Indicates if there are any comments associated with this finding.

Created

The date when the finding was created.

Created by

The user who created the finding, empty if created by the system.

Custom BugTraq

Custom Bugtraq identification number of the vulnerability.

Custom CVE

Custom Common Vulnerabilities and Exposures (CVE) entry of the vulnerability.

Custom CVSS v2 vector

Custom CVSS score represented as a vector string, a compressed textual representation of the values used to derive the score.

Custom CVSS v3 vector

Custom CVSS score represented as a vector string, a compressed textual representation of the values used to derive the score.

Custom CWE

Custom entry identifier of vulnerability in Common Weakness Enumeration (CWE).

Custom description

Custom description of the finding.

Custom name

Custom name of the finding.

Custom solution

Custom suggested action required to remediate this vulnerability.

Customer ID

Customer identification number.

CVE

Common Vulnerabilities and Exposures (CVE) entry of the vulnerability.

CVSS v2 base score

The Base score reflects the severity of a vulnerability according to its intrinsic characteristics, which are constant over time, and assumes the reasonable worst-case impact across different deployed environments.

CVSS v2 environmental score

The Environmental score represents the characteristics of a vulnerability that are unique to an environment. It adjusts the Base and Temporal severities to a specific computing environment.

CVSS v2 score

A CVSS score is the combined score of the metrics from the underlying Base, Temporal and Environmental components.

CVSS v2 severity

Severity level of the vulnerability according to CVSS v2 score:

None - 0.0
Low - 0.1-3.9
Medium - 4.0-6.9
High - 7.0-8.9
Critical - 9.0-10.0

CVSS v2 temporal score

The Temporal score reflects the characteristics of a vulnerability that change over time, such as the availability of exploit code, and adjusts the Base severity metrics.

CVSS v2 vector

The CVSS score represented as a vector string, a compressed textual representation of the values used to derive the score.

CVSS v3 base score

The Base score reflects the severity of a vulnerability according to its intrinsic characteristics, which are constant over time, and assumes the reasonable worst-case impact across different deployed environments.

CVSS v3 environmental score

The Environmental score represents the characteristics of a vulnerability that are unique to an environment. It adjusts the Base and Temporal severities to a specific computing environment.

CVSS v3 score

A CVSS score is the combined score of the metrics from the underlying Base, Temporal and Environmental components.

CVSS v3 severity

Severity level of the vulnerability according to CVSS v3 score:

None - 0.0
Low - 0.1-3.9
Medium - 4.0-6.9
High - 7.0-8.9
Critical - 9.0-10.0

CVSS v3 temporal score

The Temporal score reflects the characteristics of a vulnerability that change over time, such as the availability of exploit code, and adjusts the Base severity metrics.

CVSS v3 vector

The CVSS score represented as a vector string, a compressed textual representation of the values used to derive the score.

CWE

Entry identifier of the vulnerability in the Common Weakness Enumeration (CWE).

Description

Description of the finding.

Exploit Available

Determines if there is a publicly available exploit present for this vulnerability.

False positive

Shows if the vulnerability has been marked as a false positive.

False positive comment

Comment associated with the false positive.

First Scan ID

The identifier of the first scan that produced this finding.

First seen

When the vulnerability was first discovered on the specific asset.

Fixed

Shows if the vulnerability has been fixed.

ID

Identification number of the vulnerability. Should only be available for the super-user/main user.

Impact

Describes what impact the finding could have on a system.

Is accepted

Indicates if the finding has been accepted or not.

Last scan ID

The identifier of the last scan that produced this finding.

Last seen

When the vulnerability was last seen.

Match IDs

A list of match identifiers associated with this finding.

Name

Name of the vulnerability.

OWASP 2004

Rank in the list of 10 most critical web application security risks of 2004.

OWASP 2007

Rank in the list of 10 most critical web application security risks of 2007.

OWASP 2010

Rank in the list of 10 most critical web application security risks of 2010.

OWASP 2013

Rank in the list of 10 most critical web application security risks of 2013.

OWASP 2017

Rank in the list of 10 most critical web application security risks of 2017.

OWASP 2021

Rank in the list of 10 most critical web application security risks of 2021.

Potential

Flags if this finding has been marked as a potential false positive by the system.

Quality assured

Indicates when the finding was quality assured.

Recreation

Step-by-step instructions for how to reproduce the finding.

Reviewed

Timestamp from when the finding was reviewed.

SANS 25

Rank in the SANS Top 25 list of most dangerous software errors.

Solution

Suggested action required to remediate this vulnerability.

Source

Displays the sources for a finding depending on the subscription.

Can be marked as:

  • - Finding originates from Vulnerability Management.
  • - Finding originates from SWAT/Snapshot.
  • - Finding originates from SWAT/Assure.
  • - Finding originates from SWAT.
  • - Finding originates from Application Security Testing.
  • - Finding originates from Cloud Security Assessment.
  • - Finding originates from Application Security Testing.

Status

Indicates the different statuses for a finding. Can be marked as:

  • PRESENT - (Default) Shows that a Finding is present.
  • PENDING VERIFICATION - Shows if there is any pending verification request.
  • FIXED - Indicates that a finding has been marked as fixed.
  • FALSE POSITIVE - Indicates that a finding has been marked as a false positive.
  • ACCEPTED - Indicates that a finding has been marked as an accepted risk.
  • IRREPRODUCIBLE - Indicates that a finding can currently not be reproduced by the AppSec team, only applicable to SWAT/Snapshot/Assure/Verify findings.

Tags

Lists all the tags associated with the finding.

Threat activity

The last date when threat activity was detected by the watcher community.

Update

Time since the finding was updated.

Update by

Identifies who made the update.

For more information about Findings, see Findings Overview.

See Portal Filters for common filtering options in the portal.

Discussions

Discussions about a finding are normally customer-internal. Only when eligible (via associated subscription) may a dialog between customer and the Outpost24 AppSec team be initiated.

Starting a Discussion

You can start a discussion about a finding:

  1. Select a finding.
  2. Click the Comments tab on the right side. The Comments tab shows all your ongoing discussions.
  3. Add a new comment and click the blue Start Discussion button.
  4. To reply to a discussion, enter your reply on the Reply to conversation line and click the blue Reply button.



Starting a Discussion with the Outpost24 AppSec Team

You can start a discussion about the findings with the Outpost24 AppSec Team for review and response. 

  1. Select a finding.
  2. Click the Comments tab on the right side. The Comments tab shows all your ongoing discussions.
  3. Toggle the Start a discussion with Outpost24 switch.

    The Start a discussion with Outpost24 toggle is displayed only when the underlying finding is eligible.

  4. Add a new comment and click the blue Start Discussion button.

    The comment is sent to the Outpost24 AppSec team.

  5. To reply to an ongoing discussion, enter your reply on the Reply to conversation line and click the blue Reply button.

    When discussing with an Outpost24 AppSec representative, the discussion card is clearly marked with a blue sign in the top-left corner of the card.

Deleting a Single Comment

To delete a comment in a discussion, click on the Bin icon to the right. This removes the comment from the discussion.


The deleted comment is marked with the text "This message has been deleted".

You can only delete your own comments.

Deleting a Discussion Tree

To delete the entire discussion tree, click on the Bin icon to the right on the first line in the card. This removes all conversation in the card.


The deleted discussion and all its replies are marked with the text "This message has been deleted".

Removing the top discussion will remove all the following replies in that discussion recursively.

Summary

The Executive Summary is a text that describes the overall security level of the application in question. It includes a brief summary of the general security status as well as of the identified vulnerabilities.

To see the Summary:

Click on the Summary button in the upper right corner of the status bar in the Web applications dashboard. The field Summary Updated indicates when the summary was last updated.

Reports

To export reports for web applications from the Portal UI:

  1. Select a web application.
  2. Click on the Report button near the top right corner.
  3. The options available are similar to those for generating a report for Assets, except that Vulnerabilities is the only available type of report.

    Reports use View Templates to filter the reports by predefined templates. The built-in SWAT template is pre-selected and filters out fixed findings by default.

  4. Continue with the same steps as in a normal Report.
    For more information, see Reports.

Note that the user who requests the WebApp report only sees the vulnerabilities and summaries to which they have access privileges. For example, a main user sees everything, but a sub-user with limited privileges only sees reports about the assets that they can access in the WebApp.

If all assets or asset groups related to a scheduled report configuration are deleted, the scheduled report configuration will be automatically removed.





Copyright

© 2023 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.