Finding vulnerabilities in web applications is not difficult, but following up on the findings and making sure that they are fixed is. In fact, this is one of the biggest challenges organizations face nowadays: absorbing all the information and ensuring that every vulnerability is addressed. It is quite a task, because it is normal for a web vulnerability scanner to find a handful of vulnerabilities in a single scan.
Imagine how much more difficult it is if you scale up the operation: scanning hundreds or thousands of websites, dealing with a number of developer teams, and possibly with hundreds of thousands of web application vulnerabilities. How can you keep track of who fixed which vulnerabilities, which ones are not fixed yet, and so on?
We have the answer for you: into Netsparker we have built a workflow-based vulnerability tracking system that allows you and your team to keep track of all the identified vulnerabilities and ensure they are fixed. Here is how it all works.
Once a web vulnerability scan is finished, all the identified vulnerabilities are listed as Issues in the To Do section of the website's technical contact (a website's technical contact can be configured from the website's settings). For example, in the screenshot below the scanner assigned 29 issues to the user.
During the security scan, Netsparker Cloud identified both vulnerabilities (such as SQL Injection and Cross-site Scripting) and other issues that could sometimes pose a security risk (such as web server version disclosure and internal path disclosure). Such issues have an Information severity level and their status is set to Accepted Risk. Issues with the Accepted Risk status are placed in the Addressed Issues section, as shown in the screenshot below.
A Netsparker Cloud issue can have four different statuses, which are:
You can change the status of an issue from the Issue page or from the Technical Report, which is shown in the screenshot below.
As a website's technical contact, all the vulnerabilities and security issues identified during a web security scan are assigned to you. At this stage you can assign an issue to another team member. To do so:
Note: You can also assign the issue to another team member from the Technical Report in the scan results.
Once you fix a vulnerability, change the status of the issue pertaining to that vulnerability to Fixed (Unconfirmed) so that the Netsparker Cloud scanner automatically checks the fix. If the fix works as intended, the issue is marked as Fixed. If not, the issue is assigned back to the Assignee so that he or she can fix the vulnerability.
In the issue details page you can see details such as:
Every Netsparker Cloud user has the Issues node that they can access from the dashboard. From this node you can see the status and detailed information about every issue you dealt with. The sub-nodes are listed below:
To Do: in this section you will find all the issues that have been assigned to you and that you need to take action on, such as fixing them, assigning them to someone else or changing their status.
Waiting for Testing: in this section you will find all the issues that are marked as fixed and are waiting to be tested automatically by Netsparker Cloud.
Addressed Issues: in this section you will find all the issues that have been marked as Fixed, Accepted Risk or False Positive. Therefore, all issues listed in this section have been addressed.
All Issues: in this section you will find all the issues you ever dealt with.
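As an added illustration (this is not Netsparker's code), here is a small Python model of the issue lifecycle described above: triage when a scan finishes, the Fixed (Unconfirmed) retest loop, and the To Do / Waiting for Testing / Addressed Issues buckets. The status identifiers, the "open" state, the actor strings, the sample findings and the rule that only the automatic retest may set Fixed are constructed assumptions for the model.

```python
from dataclasses import dataclass, field
from enum import Enum

class Status(Enum):
    OPEN = "open"                            # constructed name: finding still present
    FIXED_UNCONFIRMED = "fixed_unconfirmed"  # developer reports a fix; retest pending
    FIXED = "fixed"                          # automatic retest confirmed the fix
    ACCEPTED_RISK = "accepted_risk"
    FALSE_POSITIVE = "false_positive"

ADDRESSED = {Status.FIXED, Status.ACCEPTED_RISK, Status.FALSE_POSITIVE}
# Constructed sample scan output as (issue name, severity) pairs.
SAMPLE_FINDINGS = [("SQL Injection in /login", "High"), ("Server version disclosure", "Information")]

@dataclass
class Issue:
    name: str
    severity: str
    assignee: str
    status: Status = Status.OPEN
    history: list = field(default_factory=list)  # (actor, status) audit trail

    def set_status(self, new, actor):
        # Assumed rule: only the retest may confirm a fix; people go through FIXED_UNCONFIRMED.
        if new is Status.FIXED and actor != "scanner":
            raise PermissionError("Fixed is set only by the automatic retest")
        self.status = new
        self.history.append((actor, new))

def triage_scan(findings, technical_contact):
    """Findings land on the technical contact's To Do; Information ones become Accepted Risk."""
    issues = []
    for name, severity in findings:
        issue = Issue(name, severity, technical_contact)
        if severity == "Information":
            issue.set_status(Status.ACCEPTED_RISK, "scanner")
        issues.append(issue)
    return issues

def retest(issue, still_vulnerable):
    """Automatic verification; a failed retest returns the issue to its assignee's To Do."""
    if issue.status is not Status.FIXED_UNCONFIRMED:
        raise ValueError(f"{issue.name} is not waiting for testing")
    issue.set_status(Status.OPEN if still_vulnerable else Status.FIXED, "scanner")

def bucket(issue):
    """Issues sub-node in which the issue currently appears."""
    if issue.status is Status.FIXED_UNCONFIRMED:
        return "Waiting for Testing"
    return "Addressed Issues" if issue.status in ADDRESSED else "To Do"
```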
The Issues vulnerability tracking and management system makes Netsparker Cloud a one-stop web application security solution. Netsparker Cloud goes beyond the remit of a normal web security scanner: it enables you to assign issues and track their progress via a simple interface. It also provides a full record of when, and by whom, each security vulnerability was fixed. This feature alone is enough to put Netsparker Cloud in a new and different class of web application security scanning solutions.