Purpose

This document provides users with an overview of Findings. 

Introduction

Findings are the potential risks and recommended reconfiguration suggestions found during automatic and manual assessments of the target asset. These vary from security best practices which lower the attack surface of the target to exploitable vulnerabilities that were verified and confirmed as being present and relevant for the target.

Each finding includes its classification, risk score and information describing what it is, why it was reported and how an attacker might be able to exploit the vulnerability, as well as clear solutions to remediate the risk.

The Findings view is visible without an AppSec subscription, but the view will be empty and you will not be able to populate it.

Requirements

It is assumed that the reader has basic access to the OUTSCAN/HIAB account with Appsec subscription. 

Findings 

The Findings view shows the vulnerabilities identified during the scans.

Click on a finding to view its details on the right side of the window.

Details

The Details tab shows the description of the selected finding along with the solution. 

Asset

The affected asset. Clicking the asset name takes you to the asset view for more information.

Solution

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as Low, Medium, High, and Critical) to help organizations properly assess and prioritize their vulnerability management processes.[1] 

In the solution field both the CVSS v2 and the CVSS v3 base scores are displayed. If an Environmental vector exists, it is displayed as a second section with its metrics, and the score is adjusted accordingly.

CWE

Common Weakness Enumeration (CWE™) is a community-developed list of common software and hardware weaknesses that have security ramifications. A weakness is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.[2]

CAPEC

Common Attack Pattern Enumerations and Classifications (CAPEC™) is a catalog of known cyber security attack patterns used to prevent attacks.[3]

OWASP

The OWASP Top 10 is a standard awareness document for developers and web application security.[4]

OWASP Top 10

Description

Secure Code Warrior is a cyber security company, specializing in the area of secure code training.

First seen

When the vulnerability was first discovered on the specific application.

Last Seen

When the vulnerability was last seen on the specific application.


Exploits

Shows if there are any known public exploits from various sources.

Only visible to Farsight users. To use Farsight you first need to enable the function in your subscription. Contact support for more information on how you can enable the Farsight function.


Farsight

The Likelihood feature in Outpost24 Farsight provides an easier way to address vulnerabilities which are relevant and may impact an organization irrespective of the CVSS score or the presence of an exploit for a vulnerability.

By focusing on the likelihood, you are mitigating vulnerabilities for which the machine learning model predicts an increased risk, even though they may not currently be exploited.

Risk classification of assets serves a purpose and should be conducted to further distinguish where to focus most efforts. This task can be time-consuming and may not produce viable results in the first couple of iterations. Farsight enables you to filter out some unlikely vulnerabilities with little to no prior knowledge about the vulnerabilities or assets, getting you on track with your vulnerability program faster. 

Risk Score - Likelihood 

Likelihood is a risk indicator that shows how many times more likely a vulnerability is to be exploited compared to average, where approximately 95% of all vulnerabilities are never exploited. This is displayed in the Likelihood column in the Findings view. The value can go from 1 to 100 where 100 is the equivalent of saying it will be (or has been already) exploited in the wild in the next 12 months. The benefit to the customer is the ability to drive more aggressive risk-based remediation, focusing on even fewer vulnerabilities that reach a particular likelihood.  It is also worth noting that any vulnerability already exploited in the wild will have the risk value of 100 as it has been exploited already.

Since the risk score is driven by machine learning, the risk rating can decrease as well as increase over time, based on several factors including activity in the wild.

Option / Description

Score

Risk indicator that shows how much more likely a vulnerability is to be exploited compared to average. The risk indicator presents the likelihood values in a 0-100% (0-1) format.

Delta

The difference between the current and the former likelihood values.

Update date

Date when the Delta value changed.

Threat activity

Date when threat activity was last detected by the watcher community.


Exploits

Option / Description

Source

Source of the exploit information, for example Farsight or Exploit Database.

CVE

Common Vulnerabilities and Exposures (CVE) entry of the vulnerability.

Name

Name of the exploit associated with the vulnerability.

URL

Link to more information about the exploit at the source.

Comments

Comments can be a note on the finding, or the status of the finding such as resolution alternatives and so on. A comment is only applicable to that finding and cannot be shared across multiple findings. Comments are threaded, in other words, it is possible to reply to a specific comment to keep the thread contained to one type of discussion, which allows easy overview and segmentation of conversations.

Tip

To access existing comments, click on the comment icon in any row to quickly launch the comments window. 

Manage Findings

Select one or more findings, then choose one of the actions displayed on the bottom bar.

The possible user actions are:

  • Click on Add tags to add a tag to the selected finding.
  • Click on Remove tags to remove a tag applied to the selected finding.

    See Tags for more information.
  • Click on the Mark as Fixed icon, and confirm by clicking YES, to update the status of that finding to fixed.
  • Click on the Unmark as Fixed icon, and confirm by clicking YES, to revert the status of that finding to not fixed.
  • Click on the Request verification icon to add a comment and send it to the technical service team for verification of that finding.
  • Click on the Change risk icon to change the risk information of that finding.
  • Click on the Accept risk icon to accept the risk. You can also select a date and add a comment.
  • Click on the Unaccept risk icon to revert the accepted status of that finding.
  • Click on the Mark as false positive icon to mark a finding as a false positive.
  • Click on the Unmark false positive icon to unmark a finding as a false positive.

Columns

By clicking the Filter bar next to the Main Menu, you expand the list of columns available to Findings. Select any column to display it in the main window.

Select a column to display that information for each finding. All selected columns are shown in the Findings tab. The available options are described below.

Option / Description

Accepted

Displays if the risk is accepted or not.

Accepted comment

Comment associated to the Accepted risk. 

Accepted until

The date when the risk is not considered accepted anymore.

Alternative Recreation

Alternative step-by-step instructions for how to reproduce the finding (an alternative to the Recreation column).

Asset ID

Asset identification number.

Asset name

The name given to the Asset.

Attachment IDs

Attachment identification number.

BugTraq

Bugtraq identification number of the vulnerability.

CAPEC

List of Common Attack Pattern Enumeration and Classification (CAPEC) identifiers.

Check ID

Outpost24's own vulnerability check identifier.

Comments

Indicates if there are any comments associated with this finding.

Created

The date when the finding was created.

Created by

The user who created the finding, empty if created by the system.

Custom BugTraq

Custom Bugtraq identification number of the vulnerability.

Custom CVE

Custom Common Vulnerabilities and Exposures (CVE) entry of the vulnerability.

Custom CVSS v2 vector

Custom CVSS score represented as a vector string, a compressed textual representation of the values used to derive the score.

Custom CVSS v3 vector

Custom CVSS score represented as a vector string, a compressed textual representation of the values used to derive the score.

Custom CWE

Custom entry identifier of vulnerability in Common Weakness Enumeration (CWE).

Custom description

Custom description of the finding.

Custom name

Custom name of the finding.

Custom solution

Custom suggested action required to remediate this vulnerability.

Customer ID

Customer identification number.

CVE

Common Vulnerabilities and Exposures (CVE) entry of the vulnerability.

CVSS v2 base score

The Base score reflects the severity of a vulnerability according to its intrinsic characteristics which are constant over time and assumes the reasonable worst case impact across different deployed environments.

CVSS v2 environmental score

The Environmental score represents the characteristics of a vulnerability that are unique to an environment. It adjusts the Base and Temporal severities to a specific computing environment.

CVSS v2 score

A CVSS score is the combined score value of the metrics from the underlying Base, Temporal and Environmental components.

CVSS v2 severity

Severity level of the vulnerability according to CVSS v2 score:

None - 0.0
Low - 0.1-3.9
Medium - 4.0-6.9
High - 7.0-8.9
Critical - 9.0-10.0

CVSS v2 temporal score

The Temporal score reflects the characteristics of a vulnerability that change over time, such as the availability of exploit code, and adjusts the Base severity metrics.

CVSS v2 vector

The CVSS score represented as a vector string, a compressed textual representation of the values used to derive the score.

CVSS v3 base score

The Base score reflects the severity of a vulnerability according to its intrinsic characteristics, which are constant over time and assume the reasonable worst case impact across different deployed environments.

CVSS v3 environmental score

The Environmental score represents the characteristics of a vulnerability that are unique to an environment. It adjusts the Base and Temporal severities to a specific computing environment.

CVSS v3 score

A CVSS score is the combined score value of the metrics from the underlying Base, Temporal and Environmental components.

CVSS v3 severity

Severity level of the vulnerability according to CVSS v3 score:

None - 0.0
Low - 0.1-3.9
Medium - 4.0-6.9
High - 7.0-8.9
Critical - 9.0-10.0

CVSS v3 temporal score

The Temporal score reflects the characteristics of a vulnerability that change over time, such as the availability of exploit code, and adjusts the Base severity metrics.

CVSS v3 vector

The CVSS score represented as a vector string, a compressed textual representation of the values used to derive the score.

CWE

Entry identifier of the vulnerability in the Common Weakness Enumeration (CWE).

Description

Description of the finding.

Exploit Available

Determines if there is a publicly available exploit present for this vulnerability.

False positive

Shows if the vulnerability has been marked as a false positive.

False positive comment

Comment associated with the false positive.

First Scan ID

The identifier of the first scan that produced this finding.

First seen

When the vulnerability was first discovered on the specific asset.

Fixed

Shows if the vulnerability has been fixed.

ID

Identification number of the vulnerability. Should only be available for the super-user/main user.

Impact

Describes what impact the finding could have on a system.

Is accepted

Indicates if the finding has been accepted or not.

Last scan ID

The identifier of the last scan that produced this finding.

Last seen

When the vulnerability was last seen.

Match IDs

A list of match identifiers associated with this finding.

Name

Name of the vulnerability.

OWASP 2004

Rank in the list of 10 most critical web application security risks of 2004.

OWASP 2007

Rank in the list of 10 most critical web application security risks of 2007.

OWASP 2010

Rank in the list of 10 most critical web application security risks of 2010.

OWASP 2013

Rank in the list of 10 most critical web application security risks of 2013.

OWASP 2017

Rank in the list of 10 most critical web application security risks of 2017.

OWASP 2021

Rank in the list of 10 most critical web application security risks of 2021.

Potential

Flags if this finding has been marked as a potential false positive by the system.

Quality assured

Indicates when the finding was quality assured.

Recreation

Step-by-step instructions for how to reproduce the finding.

Reviewed

Timestamp from when the finding was reviewed.

SANS 25

Rank in the SANS Top 25 list of most dangerous software errors.

Solution

Suggested action required to remediate this vulnerability.

Source

Displays the sources for a finding depending on the subscription.

Can be marked as:

  • - Finding originates from Vulnerability Management.
  • - Finding originates from SWAT/Snapshot.
  • - Finding originates from SWAT/Assure.
  • - Finding originates from SWAT.
  • - Finding originates from Application Security Testing.
  • - Finding originates from Cloud Security Assessment.
  • - Finding originates from Application Security Testing.

Status

Indicates the status of a finding. Can be marked as:

  • PRESENT - (Default) Shows that a Finding is present.
  • PENDING VERIFICATION - Shows if there is any pending verification request.
  • FIXED - Indicates that a finding has been marked as fixed.
  • FALSE POSITIVE - Indicates that a finding has been marked as a false positive.
  • ACCEPTED - Indicates that a finding has been marked as an accepted risk.
  • IRREPRODUCIBLE - Indicates that a finding can currently not be reproduced by the AppSec team, only applicable to SWAT/Snapshot/Assure/Verify findings.

Tags

Lists all the tags associated with the finding.

Threat activity

Date when threat activity was last detected by the watcher community.

Update

Time since the finding was last updated.

Update by

The user who made the update.

References


  1. https://www.first.org/cvss/
  2. https://cwe.mitre.org/about/index.htm
  3. https://capec.mitre.org/index.html
  4. https://owasp.org/www-project-top-ten/


Copyright

© 2023 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.