Vulnerabilities

This guide aims to explain the different parts of the Vulnerabilities page as well as special features like the False-Positive option.

Prerequisites

– You should have access to the platform as an Org Admin user
– You should have at least one Application and/or Environment in the Organization
– A Scanner integration is already configured

1. Introduction

The Vulnerability page is central to the AppSec Phoenix platform. It provides you with a comprehensive list of vulnerability information across your organisation. It also lets you add comments and tags to each vulnerability, create incident tickets via Jira integration, and mark any vulnerability as false positive.

Aside from the main Vulnerability page that lists all vulnerabilities across all Vulnerability Types (All), the navigation menu also has four sub-pages, one for each Vulnerability Type, namely:

  • Cloud
  • FOSS (Free and Open Source Software)
  • Web
  • SAST (Static Application Security Testing)

2. Parts of the Vulnerability Page

The Vulnerability Page consists of the following:

a. Vulnerability Search and Filter

The list is searchable by CVE (Common Vulnerabilities and Exposures) or Component Name, and can be filtered by Application, Component, Sub-Component, and Vulnerability Type using the dropdown menu.

Vulnerabilities List – Search and Filter Options

b. Tally Board

A tally board indicates the number of Vulnerabilities per risk level.

Vulnerabilities List – Tally Board

c. Vulnerabilities List and Columns

Vulnerabilities List

The Vulnerabilities list holds valuable information about each vulnerability and can be sorted in ascending or descending order by VULN Severity (first column) or Days Open (fifth column) by clicking the respective column title.

By default, ten vulnerabilities are displayed per page. This can be changed to 5, 25, or 50 per page.

The Vulnerabilities list has ten columns, namely:

  • VULN Severity – shows the severity score of the Vulnerability. It is colour-coded according to the severity level of the vulnerability. This column can be sorted in ascending or descending order.
  • Application Name – displays the name of the Application where the Component with this vulnerability belongs. It can be expanded by clicking the arrowhead icon beside it to reveal more information about the vulnerability such as:
    • Component name
    • Description
    • CVSS Score
    • Tags
    • Date Added
    • Target Date
    • Average Time to Fix, and
    • SLA Target

Clicking “Show details” will reveal specific information about the vulnerability such as the Scanner Type and Nearest Fixed Version.

  • Vulnerability Type – indicates whether the type of vulnerability is FOSS, Cloud, Web, or SAST.
  • Status – indicates whether the vulnerability is currently open or closed.
  • Days Open – displays the number of days the vulnerability has been open. This column is colour-coded according to the severity level of the vulnerability and the number of days. It can also be sorted in ascending or descending order.
  • False Positive – lets you mark a vulnerability as a false positive, meaning the vulnerability reported by AppSec Phoenix is not an actual vulnerability or risk; it can then be removed from the list and excluded from the calculation of the overall severity or risk of the Component and Application.

For more details about the False Positive feature, see the False-Positive Option section below.

  • Ticket Status – indicates the status of the ticket or Jira Issue associated with the vulnerability. The status automatically syncs and updates itself depending on the ticket or Issue status on Jira. Possible ticket statuses can be: In Progress, Backlog, or Done. Only vulnerabilities with existing tickets or Issues in Jira will have a ticket status.
  • Push to Jira – lets you create a Jira Issue or ticket if Jira is integrated into your AppSec Phoenix instance. The blue diamond Jira icon appears when an Issue can be created on Jira for the vulnerability. If an Issue already exists, the Jira Issue Key or reference number is shown instead and can be clicked to open the actual Issue on Jira.
  • Comments – an untitled column that lets you save important notes or comments for each vulnerability in the list.
  • Details – an untitled column represented by an ellipsis for each vulnerability. When clicked, it takes you to the same page as the “Show details” in the Application Name column.

d. Overall Risk Overview

The Overall Risk Overview section consists of a line chart showing you the risk progression per risk level over the last 30 days.

Overall Risk Overview Graph

Through this colour-coded chart, you are able to spot trends in vulnerabilities that are gaining traction. For example, a gradual or sudden spike in the number of open vulnerabilities, especially critical and high level risks, should get your attention and prompt further investigation to prevent the situation from getting worse.

When you move your mouse over the chart, you will see the vulnerability count per risk level per date.

3. Vulnerability Details Page

a. Introduction

The Vulnerability Details page provides specific details about the risk or vulnerability identified by AppSec Phoenix. This page gives all the information you need to determine your next troubleshooting steps towards resolving the issue.

b. Parts of the Vulnerability Details Page

There are several parts of the Vulnerability Details Page:

I. Vulnerability – includes the following information:

  • Description – gives a short explanation of the vulnerability. It can include the error message and the file(s) involved.
  • CVSS Score – CVSS refers to the Common Vulnerability Scoring System, which is used to assess the severity of the vulnerability. Scores map to qualitative ratings as follows:

    CVSS Score      Qualitative Rating
    0.1 to 3.9      Low
    4.0 to 6.9      Medium
    7.0 to 8.9      High
    9.0 to 10.0     Critical

  • CWE – CWE refers to the Common Weakness Enumeration of the vulnerability, an alphanumeric identifier used to classify different hardware or software weakness types. The full list of weaknesses and a weakness search tool are available on the CWE website.
  • Scanner Type – indicates the type of scanner used to identify the vulnerability.
  • Specific Details – provides the full details of the vulnerability including but not limited to:
    • Category
    • Fisma
    • Kingdom
    • Line Number
    • Source
    • Nearest Fixed Version

II. Applications – includes information about the Applications affected by the vulnerability, such as:

  • VULN Severity – colour-coded indicator of the vulnerability’s severity score.
  • Application Name – name of Application associated with the vulnerability.
  • Criticality – risk level of the vulnerability.

c. Accessing the Vulnerability Details Page

From the Vulnerabilities List, there are two ways to access the Vulnerability Details page:

a. Expand the Application Name column and click “Show details”.

b. Hover over the vulnerability you want to view then click the rightmost column (ellipsis) and click “Details”.

4. False-Positive Option

a. Introduction

The False-Positive feature lets you set a vulnerability reported by AppSec Phoenix as a false alarm and indicate that it is not an actual vulnerability or risk. Doing so means it can be removed from the list and excluded from the calculation of the overall severity or risk of the Component and Application.

b. How It Works

In the Vulnerabilities List, locate the vulnerability you want to mark as a false positive and check the box under the False Positive column.

Once the check box is checked, a warning similar to the one below will appear:

Clicking the “Save” button will permanently set the vulnerability as a false positive.

Updated on September 13, 2021