Purpose

This document provides users with an overview of the Web Applications view in the Outpost24 Portal.

Introduction

The Web Application tab displays a card for each SWAT web application, showing basic information on open and fixed findings, the findings trend, remediation time, and CVSSv3 scores.

Prerequisites

The reader needs basic access to the OUTSCAN/HIAB account with an active SWAT subscription.

Getting Started

Open a browser and navigate to https://outscan.outpost24.com/portal.

Note

Use HTTPS protocol.

Login Portal
Enter your credentials and click on the blue arrow button to log in.

Tip

For more information about the Portal see Getting Started with the Outpost24 Portal.

Dashboard

In the Web applications view, all SWAT assets are listed under the Overview panel on the left-hand side.

Each card shows the number of open and fixed findings, the average remediation time, a graphical representation of the CVSSv3 score distribution, and a graph showing the findings trend.

Overview

Clicking the Web Application overview tree column on the left shows the Overview bar at the top with the combined data for all instances.

Selecting a specific web application changes the Overview bar to an information bar for the selected web app, showing its name, the number of assets, the number of associated findings, and the creation date.


Click on each card to see a dashboard overview and the crawl chart. By default, all the instances are listed under that web app.

Open Findings

Number of open findings

Fixed

Number of fixed findings.

Remediation

Average time for findings to be fixed.

CVSSv3

The CVSSv3 card displays the findings graphically, grouped by their CVSS v3.0 score.

Findings Trend

Open vs. closed findings trend by first and last seen.
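As an added example (not part of the original documentation and not Outpost24 code), the following Python script recomputes the five card values above from a list of findings, for instance one extracted from an exported report. It assumes that Remediation is the mean number of days between a fixed finding's first seen and last seen dates, and that the trend counts findings opened by first seen month and closed by last seen month for fixed findings; the portal's exact formulas are not stated on this page. The sample findings are constructed.

```python
"""Recompute the Web Application card metrics from a list of findings.

Added example; not Outpost24 code. Assumptions (not confirmed by the page):
  - Remediation = mean days from first seen to last seen for fixed findings
  - Trend: opened per month by first seen, closed per month by last seen
    (fixed findings only)
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    name: str
    first_seen: date
    last_seen: date
    status: str      # value of the Status column: "Present", "Fixed", "Accepted", ...


# Constructed sample data, standing in for findings exported from the portal.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("Reflected XSS", date(2022, 1, 10), date(2022, 2, 20), "Fixed"),
    Finding("SQL injection", date(2022, 1, 15), date(2022, 1, 25), "Fixed"),
    Finding("Missing HSTS header", date(2022, 2, 1), date(2022, 3, 5), "Present"),
    Finding("Verbose error page", date(2022, 3, 2), date(2022, 3, 5), "Present"),
]


def open_findings(findings: List[Finding]) -> List[Finding]:
    """Open Findings card: everything not marked as fixed."""
    return [f for f in findings if f.status != "Fixed"]


def fixed_findings(findings: List[Finding]) -> List[Finding]:
    """Fixed card: findings whose status is Fixed."""
    return [f for f in findings if f.status == "Fixed"]


def remediation_days(findings: List[Finding]) -> Optional[float]:
    """Remediation card: mean days to fix; None when nothing has been fixed yet."""
    durations = [(f.last_seen - f.first_seen).days for f in fixed_findings(findings)]
    return mean(durations) if durations else None


def findings_trend(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Findings Trend card: per month (YYYY-MM), findings opened (by first seen)
    and closed (by last seen, fixed findings only)."""
    trend: Dict[str, Dict[str, int]] = defaultdict(lambda: {"opened": 0, "closed": 0})
    for f in findings:
        trend[f.first_seen.strftime("%Y-%m")]["opened"] += 1
        if f.status == "Fixed":
            trend[f.last_seen.strftime("%Y-%m")]["closed"] += 1
    return dict(sorted(trend.items()))


if __name__ == "__main__":
    print("Open findings :", len(open_findings(SAMPLE_FINDINGS)))      # 2
    print("Fixed         :", len(fixed_findings(SAMPLE_FINDINGS)))     # 2
    print("Remediation   :", remediation_days(SAMPLE_FINDINGS), "days")  # 25.5
    for month, counts in findings_trend(SAMPLE_FINDINGS).items():
        print(f"{month}: opened={counts['opened']} closed={counts['closed']}")
```

The trend uses the last seen date as the close date because a fixed finding stops being observed at the scan that confirmed the fix; if the export carries an explicit fixed date, use that field instead.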

Customer Actions

Accept Risk

If a risk cannot be mitigated right away, it can be accepted so that it is not reported again every time a scan runs. The acceptance is time-limited: you choose the period that is needed, and after the Accepted until date the finding is reported again.

To accept a risk:

  1. Click the Accept risk button located on the bar under the list of findings.
  2. Enter a date and a comment.
  3. Click Accept.

Request Verification

The Request Verification button is connected to the Discussions feature.

To request a verification from the Appsec team:

  1. Click the Request verification button. A Comment dialog is displayed.
  2. When the verification request is submitted, a Comment entry is added to the Comments tab of the finding. This comment is synced together with the other comments marked for the AppSec team to receive, and they begin verification of the finding.
  3. The AppSec team then either:
    1. Verifies that the vulnerability is present, and then:
      1. Updates the Last seen date.
      2. Responds to the Comment.
    2. Verifies that the finding is fixed, and then:
      1. Marks the finding as fixed.
      2. Responds to the Comment.
  4. The finding is updated and the customer needs to take action.

Findings

The Findings view shows the vulnerabilities identified during the scans.

Click on a finding to view its details on the right side of the window.

DETAILS

Shows the description of the selected finding along with the solution. 

EXPLOITS

Shows if there are any known public exploits.

COMMENTS

Comments can be a note to the finding, or the status of the finding such as resolution alternatives and so on. A comment is only applicable to that finding and can not be shared across multiple findings. Comments are threaded, in other words, it is possible to reply to a specific comment to keep this thread contained for one type of discussion which allows easy overview and segmentation of conversations. 

Tip

To access existing comments, click on the comment icon in any row to quickly launch the comments window. 

Manage Findings

Select one or more findings, and choose one of the actions displayed on the bottom bar.

The possible user actions are:

  • Click on Add tags to add a tag to the selected finding.
  • Click on Remove tags to remove a tag applied to the selected finding.

    Note

    See Tags for more information.
  • Click on the Mark as Fixed icon, and confirm by clicking YES, to update the status of that finding to fixed.
  • Click on the Unmark as Fixed icon, and confirm by clicking YES, to revert the status of that finding to not fixed.
  • Click on the Request verification icon to add a comment and send it to the AppSec team for verification of that finding.
  • Click on the Change risk icon to change the risk information of that finding.
  • Click on the Accept risk icon to accept the risk; you can also select a date and add a comment.
  • Click on the Unaccept risk icon to revert the accepted status of that finding.
  • Click on the Mark as false positive icon to mark a finding as a false positive.
  • Click on the Unmark false positive icon to remove the false positive marking from a finding.

Columns

By clicking the Filter bar next to the Main Menu, you expand the column list available to Findings. Select any Column to view in the main window.

Select a column to include that information for each finding. All selected columns are displayed in the Findings tab. The available columns are described below.

Accepted

Displays if the risk is accepted or not.

Accepted comment

Comment associated with the accepted risk.

Accepted until

The date after which the risk is no longer considered accepted.

Asset ID

Asset identification number.

Attachment IDs

Attachment identification numbers.

BugTraq

Bugtraq identification number of the vulnerability.

Comments

Indicates if there are any comments associated with this finding.

Customer ID

Customer identification number.

CVE

Common Vulnerabilities and Exposures (CVE) entry of the vulnerability.

CVSS v2 severity

Severity level of the vulnerability according to the CVSS v2 score:

None - 0.0
Low - 0.1-3.9
Medium - 4.0-6.9
High - 7.0-8.9
Critical - 9.0-10.0

Note that the CVSS v2 specification itself defines only three bands (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0); the portal applies the five-band scale above to both CVSS versions.

CVSS v2 vector

Common Vulnerability Scoring System (CVSS) v2 vector string of the vulnerability, from which the CVSS v2 score is derived.

CVSS v3 severity

Severity level of the vulnerability according to the CVSS v3 score:

None - 0.0
Low - 0.1-3.9
Medium - 4.0-6.9
High - 7.0-8.9
Critical - 9.0-10.0

CVSS v3 vector

CVSS v3.0 vector string of the vulnerability, from which the CVSS v3 score is derived.

CWE

Entry identifier of the vulnerability in the Common Weakness Enumeration (CWE).

Description

Description of the finding.

Exploit Available

Indicates if a publicly available exploit exists for this vulnerability.

False positive

Shows if the vulnerability has been marked as a false positive.

False positive comment

Comment associated with the false positive marking.

Farsight risk

A normalized representation of Likelihood: the Likelihood range 1-38.5 is mapped to the range 0-1 (0 to 100%). The meaning of the two values is the same.

Farsight risk delta

Change in the Farsight risk, equivalent to Likelihood delta but expressed in the normalized range.

Farsight risk update date

Date when the Farsight risk value was last updated.

First seen

When the vulnerability was first discovered on the specific application.

Fixed

Shows if the vulnerability has been fixed.

ID

Identification number of the vulnerability. Only available to the super-user/main user.

Impact

Describes what impact the finding could have on a system.

Likelihood

Risk score showing the likelihood of the vulnerability being weaponized and exploited in the wild over the next 12 months.

Likelihood delta

Change in the likelihood of the vulnerability being exploited.

Name

Name of the vulnerability.

OWASP 2004

Rank in the OWASP Top 10 list of the most critical web application security risks of 2004.

OWASP 2007

Rank in the OWASP Top 10 list of the most critical web application security risks of 2007.

OWASP 2010

Rank in the OWASP Top 10 list of the most critical web application security risks of 2010.

OWASP 2013

Rank in the OWASP Top 10 list of the most critical web application security risks of 2013.

OWASP 2017

Rank in the OWASP Top 10 list of the most critical web application security risks of 2017.

Potential

Flags if this finding has been marked as a potential false positive by the system.

Reviewed

Timestamp from when the finding was reviewed.

SANS 25

Rank in the SANS Top 25 list of the most dangerous software errors.

Source

Displays the source of a finding, depending on the subscription. Can be marked as Netsec, Snapshot, Assure, Swat, Scale, Cloudsec, or Scout.

Status

Indicates the status of a finding. Can be marked as:

  • Present - (Default) The finding is present after scanning.
  • Pending Verification - A verification request for the finding is pending.
  • Fixed - The vulnerability has been fixed.
  • False Positive - The scanner reported a risk that it is not supposed to pick up.
  • Accepted - The risk has been accepted.

Tags

Lists all the tags associated with the finding.

Threat activity

Date of the last threat activity detected by the watcher community.

Update

Time since the finding was last updated.

Update by

Identifies who made the update.

WASC

Threat classification according to the Web Application Security Consortium (WASC).

For more information about Findings, see Common Portal Findings.

Tip

See Portal Filters for common filtering options in the portal.

Discussions

Starting a Discussion

You can start a discussion about a finding:

  1. Select a finding.
  2. Click the Comments tab on the right side. The Comments tab shows all your ongoing discussions.
  3. Add a new comment and click the blue Start Discussion button.


  4. To reply to a discussion, enter your reply on the Reply to conversation line and click the blue Reply button.


Starting a Discussion with the Outpost24 AppSec Team

You can start a discussion about the findings with the Outpost24 AppSec Team for review and response. 

  1. Select a finding.
  2. Click the Comments tab on the right side. The Comments tab shows all your ongoing discussions.
  3. Toggle the Start a discussion with Outpost24 switch.


  4. Add a new comment and click the blue Start Discussion button.
    The comment is sent to the Outpost24 AppSec team.

  5. To reply to an ongoing discussion, enter your reply on the Reply to conversation line and click the blue Reply button.

    Note

    When discussing with an Outpost24 AppSec representative, the discussion card is clearly marked with a blue sign in the top left corner of the card.

Deleting a Single Comment

To delete a comment in a discussion, click on the Bin icon to the right. This removes the comment from the discussion.


The deleted comment is marked with the text "This message has been deleted".

Note

You can only delete your own comments.


Deleting a Discussion Tree

To delete the entire discussion tree, click on the Bin icon to the right on the first line in the card. This removes all conversation in the card.


The deleted discussion and all its replies are marked with the text "This message has been deleted".

Note

Removing the top discussion will remove all the following replies in that discussion recursively.


Reports

Vulnerability Reports

Vulnerability Reports can be exported for one or more assets from two places:

  • Assets
  • Findings → Vulnerabilities

These reports contain all vulnerability findings associated with the selected assets.

Compliance Reports

Compliance reports can be exported for one or more assets from two places:

  • Assets
  • Findings → Compliance

These reports contain compliance requirements and their status for the selected assets.

View Templates

View Templates are saved views which include applications, filters, grouping, and columns. Reports use View Templates to filter the report contents by a predefined template. There are some built-in templates, and more can be customized by the user.

For more information, see  View Templates.

Generate Report

From the Assets view:

  1. Select one or more assets.
  2. Click on the Generate report icon located at the bottom right of the view.


From the Findings→Vulnerabilities view:

You can generate a report by selecting one or more assets in the left Assets pane of the view.

  1. Select one or more assets.
  2. Click on the Generate report icon located at the bottom right of the respective column.


From the Findings→ Compliance view:

  1. Select one or more assets.
  2. Click on the Generate report icon located at the bottom right of the respective column.


In any of the above cases, you are prompted with the Generate Report window.

  1. Select the type of report to be generated and click NEXT.

    Note

    An optional View Template can be selected here to filter the report.

  2. Here you can re-check the scope for the report. After confirming the scope, click NEXT.


  3. Choose the level of detail and the report format, and click NEXT.

    1. Select how detailed the generated report should be. See Report Levels for more information.

    2. Select the report format. The available formats are:

      PDF - The most commonly used reporting format.
      Excel - Reports in Excel format contain a lot of tabular information, which is useful when reporting to an IT/Security department or a similar division.
      XML - A standard format for data exchange and integration; reports in XML format are typically used for integration and automation.

      Select whether the report should be compressed and whether it should be password protected, and click NEXT.

  4. Choose the report delivery type:

    1. Select  Download to generate a report to be available under the All Downloads button in the right corner of the toolbar. See Download Report for more information.

      Note

      If you select Download, you cannot configure the report schedule.

    2. Select Send by email and enter one or more users to send the generated report by email. 
    3. Select Send to Report Library and enter a name and a tag for the report to save the generated report in the Report Library.

  5. Reports can be scheduled for recurring delivery by linking the report to an existing schedule or adding a new schedule.
    The available options are:

    Scheduled report name

    Provide a name for the scheduled report.

    Schedule name

    Provide a name for the schedule.

    Time

    Set a time, with a time zone, when the schedule must be triggered. The time value is saved in UTC (Coordinated Universal Time); the offset shown corresponds to the system time of the user's web browser and therefore may differ for users accessing the schedule options from different time zones.

    Example: A schedule time set to 10:00 in July (summer time) by a user located in Copenhagen (UTC+2) appears as 09:00 to a user located in London (UTC+1) at the same time.

    Because the value is saved in UTC, the local wall-clock time at which a schedule runs shifts by one hour after a daylight saving time change.

    Recurrence / Every

    Determines the frequency of the schedule. Select one of the available options in the menu:

      • None
      • Once - The schedule runs only once, on the selected start date.
      • Hour - Set the recurrence window by providing the number of hours.
      • Day - Set the recurrence window by providing the number of days. Example: if set to 2, the schedule runs once every 2 days.
      • Week - Select the days of the week for the schedule.
      • Month - Select the occurrence of a weekday or the days of the month for the schedule.
      • Year - Select the day of the year for the schedule.

    On these days

    Determines which days of the week the schedule should run. Select one of the available options in the menu.

    Occurrence of the weekday

    Determines on which occurrences of the selected weekday the schedule should run. Example: 2,3 schedules the 2nd and 3rd selected weekday in the month.

    Day of the month

    Determines on which days of the month the schedule should run. Example: 4,8,10 schedules the 4th, 8th, and 10th day of the month.

    Starts on

    Set the start date for the schedule.

    Ends on

    Set an end date for the schedule. The schedule becomes inactive after this date.

    Ends after _ occurrences

    Set the number of occurrences after which the schedule becomes inactive.

    Never ends

    If set, the schedule never becomes inactive.

    Click NEXT to create the scheduled report. Scheduled reports can be viewed under Automation in the task bar.
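    As an added example (not part of the original documentation and not Outpost24 code), the following Python script reproduces the Time option's example and shows what the UTC storage means across a daylight saving time change. It uses fixed UTC offsets instead of named time zones so that it runs without a time zone database: UTC+2 is Copenhagen in summer (CEST), UTC+1 is London in summer (BST) and also Copenhagen in winter (CET). How the portal stores the value beyond "saved in UTC" is an assumption.

```python
"""How a schedule time saved in UTC appears in different browser time zones,
and how its local wall-clock time moves when daylight saving time ends.

Added example; not Outpost24 code. Fixed UTC offsets are used instead of
named zones (assumption: the portal keeps only the UTC instant).
"""
from datetime import datetime, timedelta, timezone


def local_to_utc(day: str, hour: int, minute: int, offset_hours: int) -> datetime:
    """Wall-clock time entered by a user at the given UTC offset, converted to UTC."""
    user_tz = timezone(timedelta(hours=offset_hours))
    local = datetime.fromisoformat(day).replace(hour=hour, minute=minute, tzinfo=user_tz)
    return local.astimezone(timezone.utc)


def display(stored_utc: datetime, offset_hours: int) -> str:
    """HH:MM that a user whose browser is at the given UTC offset sees for a stored UTC time."""
    return stored_utc.astimezone(timezone(timedelta(hours=offset_hours))).strftime("%H:%M")


if __name__ == "__main__":
    # The page's example: 10:00 set in July by a user in Copenhagen (UTC+2).
    stored = local_to_utc("2022-07-01", 10, 0, 2)
    print("Stored in UTC               :", stored.strftime("%H:%M"))  # 08:00
    print("Seen from Copenhagen (UTC+2):", display(stored, 2))        # 10:00
    print("Seen from London (UTC+1)    :", display(stored, 1))        # 09:00
    # After the clocks go back in October, Copenhagen is at UTC+1, so the
    # same 08:00 UTC instant fires at 09:00 local time, not at 10:00.
    print("Copenhagen in winter (UTC+1):", display(stored, 1))        # 09:00
```

    If a report must always arrive at the same local time, re-check the schedule after the clocks change, since the stored UTC instant does not follow the local time zone rules.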

  6. Set the time frame for the report.


    The time frame chosen indicates that the report should cover the findings within the selected time frame.

    Example

    When you select Last month, all findings seen in the last month are included in the report.


    Choose Custom to select the dates to include the findings found during that period in the exported report.

  7. Click on GENERATE button.


Download Report

The Download Report view presents the list of generated reports that are ready to be downloaded.

To download a report:

  1. Click the All Downloads icon to the upper right of the window.
  2. Select the report you want to download in the list and click the Download icon.


Report Levels

The detail level can be adjusted based on the target recipient of the report. The amount of information varies in each type, thus making each report exclusive depending on the functionality and audience. There are three report levels available:

  • Management
  • Summary
  • Detailed

All Appsec reports contain the following sections:

  • Title page
  • Report information
  • Executive summary


Additionally, depending on the selected report level, the following technical details sections are included:

  • Management - no additional sections.
  • Summary - Web application summary.
  • Detailed - Web application summary and Web application details.

Title Page

This is the first page of each report, with the title and the date when the report was generated.

Report Information

This section contains the generic information about the report.

Executive Summary

The Executive Summary shows the trend information, risk families and solutions. It provides a highly visual overview which is informative and useful for reporting findings to top management. It contains the following charts:

  • Trend
  • Top 10 Findings
  • OWASP 2017 Top 10

Risk Summary

This section provides information such as the number of findings and their severity, the number of virtual hosts discovered, and the scanning interval.



Risk Details

This section provides a complete and comprehensive overview of the findings. Each reported finding is explained with its risk factor, CVSS score, port, a description of the vulnerability, and the information fields.



Report Library


Note

Report Library view is only available on OUTSCAN. When Send to Report Library option is selected on HIAB, the report is uploaded to your OUTSCAN Report Library.

Click on Report Library on the task bar to open the library, where the generated reports are saved.



  • Tags can be added while generating the report. For more information about adding or removing Tags, refer to Common Settings.
  • Click on a report to view its details on the right panel of the window.
  • Click on the Table View icon located at the top right of the window to switch to table view. Click it again to return to grid view.
  • Click on the Upload icon to upload the downloaded reports. You can also drag and drop the reports to upload. 
  • Click on the Download icon on the report to download a saved report.

Tip

For more information about Reports, see Common Portal Reports.





Copyright

© 2022 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.