Purpose

This document provides users with an overview of Findings. 

Introduction

Findings are the potential risks and recommended configuration changes identified during automatic and manual assessments of the target asset. They range from security best practices that lower the attack surface of the target to exploitable vulnerabilities that have been verified and confirmed as present and relevant for the target.

Each finding includes its classification, risk score and information describing what it is, why it was found and how an attacker might be able to exploit the vulnerability, as well as clear solutions to remediate the risk.

Note

The Findings view is visible without an Appsec subscription, but the view will be empty and you will not be able to populate it.

Requirements

It is assumed that the reader has basic access to an OUTSCAN/HIAB account with an Appsec subscription.

Findings 

The Findings view shows the vulnerabilities identified during the scans.



Click on a finding to view its details on the right side of the window.

DETAILS

Shows the description of the selected finding along with the solution. 

EXPLOITS

Shows if there are any known public exploits.

COMMENTS

Comments can be a note on the finding, or the status of the finding such as resolution alternatives and so on. A comment applies only to that finding and cannot be shared across multiple findings. Comments are threaded; in other words, it is possible to reply to a specific comment so that the thread stays contained to one type of discussion, which allows an easy overview and segmentation of conversations.

Tip

To access existing comments, click on the comment icon in any row to quickly launch the comments window. 

Manage Findings

Select one or more findings, and choose one of the actions displayed on the bottom bar.

The possible user actions are:

  • Click on Add tags to add a tag to the selected finding.
  • Click on Remove tags to remove a tag applied to the selected finding.

    Note

    See Tags for more information.
  • Click on the Mark as Fixed icon, and confirm by clicking YES, to update the status of that finding to fixed.
  • Click on the Unmark as Fixed icon, and confirm by clicking YES, to revert the status of that finding to not fixed.

  • Click on the Request verification icon to add a comment and send it to the technical service team for verification of that finding.
  • Click on the Change risk icon to change the risk information of that finding.
  • Click on the Accept risk icon to accept the risk. You can also select a date and add a comment.
  • Click on the Unaccept risk icon to revert the accepted status of that finding.
  • Click on the Mark as false positive icon to mark a finding as a false positive.
  • Click on the Unmark false positive icon to unmark a finding as a false positive.

Columns

By clicking the Filter bar next to the Main Menu, you expand the list of columns available to Findings. Select any column to view it in the main window.

Select a specific column to see that information about a finding. All selected columns are displayed in the Findings tab. The available options are described below.

Accepted
Displays if the risk is accepted or not.

Accepted comment
Comment associated with the accepted risk.

Accepted until
The date after which the risk is no longer considered accepted.

Asset ID
Asset identification number.

Attachment IDs
Attachment identification numbers.

BugTraq
BugTraq identification number of the vulnerability.

Comments
Indicates whether there are any comments associated with this finding.

Customer ID
Customer identification number.

CVE
Common Vulnerabilities and Exposures (CVE) entry of the vulnerability.

CVSS v2 severity
Severity level of the vulnerability according to the CVSS v2 score:
  • None - 0.0
  • Low - 0.1-3.9
  • Medium - 4.0-6.9
  • High - 7.0-8.9
  • Critical - 9.0-10.0

CVSS v2 vector
Common Vulnerability Scoring System (CVSS) v2 vector of the vulnerability.

CVSS v3 severity
Severity level of the vulnerability according to the CVSS v3 score:
  • None - 0.0
  • Low - 0.1-3.9
  • Medium - 4.0-6.9
  • High - 7.0-8.9
  • Critical - 9.0-10.0

CVSS v3 vector
Vector of the vulnerability according to CVSS v3.0.

CWE
Entry identifier of the vulnerability in the Common Weakness Enumeration (CWE).

Description
Description of the finding.

Exploit Available
Indicates whether a publicly available exploit exists for this vulnerability.

False positive
Shows if the vulnerability has been marked as a false positive.

False positive comment
Comment associated with the false positive marking.

Farsight risk
A normalized representation of Likelihood, where the Likelihood range 1-38.5 is mapped to the range 0-1 (0 to 100%). The meaning of the two values is the same.

Farsight risk delta
The change in Farsight risk; similar to Likelihood delta but using the new range.

Farsight risk update date
Date when the Farsight risk value was last updated.

First seen
When the vulnerability was first discovered on the specific application.

Fixed
Shows if the vulnerability has been fixed.

ID
Identification number of the vulnerability. Should only be available to the super user/main user.

Impact
Describes what impact the finding could have on a system.

Likelihood
The risk score showing the likelihood of the vulnerability being weaponized and exploited in the wild over the next 12 months.

Likelihood delta
Change in the likelihood of the vulnerability being exploited.

Name
Name of the vulnerability.

OWASP 2004
Rank in the list of the 10 most critical web application security risks of 2004.

OWASP 2007
Rank in the list of the 10 most critical web application security risks of 2007.

OWASP 2010
Rank in the list of the 10 most critical web application security risks of 2010.

OWASP 2013
Rank in the list of the 10 most critical web application security risks of 2013.

OWASP 2017
Rank in the list of the 10 most critical web application security risks of 2017.

Potential
Flags if this finding has been marked as a potential false positive by the system.

Reviewed
Timestamp of when the finding was reviewed.

SANS 25
Rank in the SANS Top 25 list of most dangerous software errors.

Source
Displays the source of a finding, depending on the subscription. Can be marked as:
  • Netsec
  • Snapshot
  • Assure
  • Swat
  • Scale
  • Cloudsec
  • Scout

Status
Indicates the status of a finding. Among others, it can be marked as:
  • Present - (Default) Shows that the finding is present after scanning.
  • Pending Verification - Shows that there is a pending verification request.
  • Fixed - Shows that the vulnerability has been fixed.
  • False Positive - The scanner reported a risk that it was not supposed to pick up on.
  • Accepted - Shows that the risk has been accepted.

Tags
Lists all tags associated with the finding.

Threat activity
Date of the last time threat activity was detected by the watcher community.

Update
Time since the last update.

Update by
Identifies who made the update.

WASC
Threat classification according to the Web Application Security Consortium (WASC).

Farsight

The Likelihood feature in Outpost24 Farsight provides an easier way to address vulnerabilities that are relevant and may impact an organization, irrespective of the CVSS score or the existence of an exploit for the vulnerability.

By focusing on likelihood, you mitigate vulnerabilities for which the machine learning model predicts an increased risk, even if they are not currently being exploited.

Note

Risk classification of assets serves a purpose and should be conducted to further distinguish where to focus most efforts. This task can be time-consuming and may not produce viable results in the first couple of iterations. Farsight enables you to filter out some unlikely vulnerabilities with little to no prior knowledge about the vulnerabilities or assets, getting you on track with your vulnerability program faster. 

Farsight

Risk Score - Likelihood 

Likelihood is a risk indicator that shows how many times more likely a vulnerability is to be exploited compared to the average, given that approximately 95% of all vulnerabilities are never exploited. It is displayed in the Likelihood column of the Findings view. The value ranges from 1 to 100, where 100 is equivalent to saying that the vulnerability will be (or already has been) exploited in the wild within the next 12 months. This lets customers drive more aggressive risk-based remediation by focusing on the smaller set of vulnerabilities that reach a particular likelihood. Any vulnerability already exploited in the wild has a risk value of 100.

Note

Since the risk score is driven by machine learning and based on several factors, the risk rating can decrease as well as increase depending on activity in the wild.
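The following script is an added example of the likelihood-driven triage described above; it is not Outpost24 code and uses no product API. It assumes that findings have been exported as records with the fields shown (name, CVSS v3 score, Likelihood, status, exploit flag), that Farsight risk is a linear mapping of Likelihood 1-38.5 onto 0-1 with values above 38.5 clamped to 1.0, and that a Likelihood of 100 (already exploited in the wild) maps to 1.0; the CVSS severity bands and the status names are taken from the column descriptions, and the sample findings are constructed.

```python
"""Likelihood-driven triage over a findings export.

Added example; this is not Outpost24 code and does not use any product API.
Assumptions (not stated on the page): findings are available as records with
the fields below, Farsight risk is a linear mapping of Likelihood 1-38.5 onto
0-1 with values above 38.5 clamped to 1.0, and a Likelihood of 100 (already
exploited in the wild) is treated as 1.0. The CVSS bands and status names are
the ones listed in the Findings column descriptions.
"""
from dataclasses import dataclass

# CVSS severity bands (the same for v2 and v3 in the column descriptions).
CVSS_BANDS = (
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
)

LIKELIHOOD_MIN = 1.0    # lowest Likelihood value shown in the Findings view
LIKELIHOOD_CAP = 38.5   # upper end of the range mapped to Farsight risk 1.0
EXPLOITED = 100.0       # Likelihood assigned to vulnerabilities already exploited

# Statuses that still need remediation work; the others are closed out.
ACTIONABLE_STATUSES = frozenset({"Present", "Pending Verification"})


@dataclass(frozen=True)
class Finding:
    """Assumed shape of one exported finding (constructed for this example)."""
    name: str
    cvss_v3: float
    likelihood: float
    status: str          # Present, Pending Verification, Fixed, False Positive, Accepted
    exploit_available: bool


def cvss_severity(score: float) -> str:
    """Map a CVSS base score (one decimal, 0.0-10.0) to its severity label."""
    score = round(score, 1)  # base scores carry one decimal, so gaps between bands vanish
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for low, high, label in CVSS_BANDS:
        if low <= score <= high:
            return label
    raise AssertionError("bands cover 0.0-10.0; unreachable")


def farsight_risk(likelihood: float) -> float:
    """Normalize Likelihood to Farsight risk in 0-1 (assumed linear mapping)."""
    if likelihood < LIKELIHOOD_MIN:
        raise ValueError(f"Likelihood below {LIKELIHOOD_MIN}: {likelihood}")
    if likelihood >= EXPLOITED:
        return 1.0  # already exploited in the wild: treated as certainty
    clamped = min(likelihood, LIKELIHOOD_CAP)
    return (clamped - LIKELIHOOD_MIN) / (LIKELIHOOD_CAP - LIKELIHOOD_MIN)


def prioritize(findings, min_risk: float = 0.5):
    """Return (risk, severity, name) for open findings at or above min_risk, highest risk first.

    Fixed, accepted and false-positive findings are skipped regardless of score.
    CVSS severity is carried along for reporting but does not drive the order,
    matching the point above that likelihood is independent of CVSS.
    """
    ranked = []
    for f in findings:
        if f.status not in ACTIONABLE_STATUSES:
            continue
        risk = farsight_risk(f.likelihood)
        if risk >= min_risk:
            ranked.append((risk, cvss_severity(f.cvss_v3), f.name))
    ranked.sort(key=lambda row: (-row[0], row[2]))
    return ranked


# Constructed sample export; names and numbers are illustrative only.
SAMPLE_FINDINGS = [
    Finding("SQL injection in login form", 9.8, 100.0, "Present", True),
    Finding("Session cookie without HttpOnly flag", 4.3, 20.0, "Present", False),
    Finding("Weak TLS cipher suite offered", 5.3, 3.0, "Present", False),
    Finding("Reflected XSS in search parameter", 6.1, 30.0, "Fixed", True),
    Finding("Verbose server banner", 0.0, 1.0, "Accepted", False),
]

if __name__ == "__main__":
    for risk, severity, name in prioritize(SAMPLE_FINDINGS):
        print(f"{risk:5.2f}  {severity:<8}  {name}")
```

With the default threshold of 0.5, only the two open findings whose normalized likelihood reaches 50% are listed: the already-exploited SQL injection at 1.00 and the HttpOnly finding at about 0.51, while the weak cipher suite (about 0.05) drops out and the fixed and accepted findings are never considered. Lowering min_risk widens the list; the threshold is the single knob that decides how aggressive the risk-based remediation is.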

Farsight Requirements

To use Farsight, you first need to enable the function in your subscription. Contact support for information on how to enable it.

For more information on Farsight, see How to Use Farsight in the Appsec guide.




Copyright

© 2022 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.