Finding vulnerabilities in web applications is not difficult, but following up on the findings and making sure that they are fixed is. In fact, this is one of the biggest challenges organizations face nowadays: absorbing all the information and ensuring that all of the vulnerabilities are addressed. It is quite a task, because it is normal for a web vulnerability scanner to find a handful of vulnerabilities in a single scan.
Imagine how much more difficult it is if you scale up the operations: scanning hundreds or thousands of websites, dealing with a number of development teams, and possibly with hundreds of thousands of web application vulnerabilities. How can you keep track of who fixed which vulnerabilities, which ones are not fixed yet, and so on?
We have the answer for you: in Netsparker we have built a workflow-based vulnerability tracking system that allows you and your team to keep track of all the identified vulnerabilities and ensure they are fixed. Here is how it all works.
The Scan Results and Vulnerabilities
Once a web vulnerability scan is finished, all the identified vulnerabilities are listed as Issues in the To Do section of the website’s technical contact (a website’s technical contact can be configured from the website’s settings). For example, in the screenshot below, the scanner identified and assigned 29 issues to the user.
Exceptions for Issues with Information Severity Level
During the security scan, Netsparker Cloud identified both vulnerabilities (such as SQL Injection and Cross-site Scripting) and other issues that could sometimes pose a security risk (such as web server version disclosure and internal path disclosure). Such issues have an Information severity level and their status is set to Accepted Risk. Issues with Accepted Risk status are placed in the Addressed Issues section, as shown in the screenshot below.
Changing The State of an Issue
A Netsparker Cloud issue can have four different statuses, which are:
- Present: this means that the vulnerability was detected and is present in the web application.
- Accepted Risk: this means that you know about the issue but accept the risk of not fixing it. Issues with Accepted Risk status are not included in the dashboard statistics or in the reports, but they are included in the Full Scan Report and are shown in the online scan report of a website.
- False Positive: when you mark a vulnerability as a false positive, it is not included in any reports and the scanner takes no further action on it.
- Fixed (unconfirmed): typically a developer assigns this status after fixing the vulnerability; the scanner then automatically scans and checks the fix. If the fix is confirmed, the status is changed to Fixed; if not, the issue is re-assigned to the developer and its status is changed back to Present.
You can change the status of an issue from the Issue page or from the Technical Report, which is shown in the screenshot below.
Assigning Issues to Other Team Members
If you are a website’s technical contact, all the vulnerabilities and security issues identified during a web security scan are assigned to you. At this stage you can assign an issue to another team member. To do so:
- Click on an issue in the To Do list.
- Select the team member to whom you want to assign it from the Assignee drop-down menu.
- Add a Note if needed, and click Save.
Note: You can also assign the issue to another team member from the Technical Report in the scan results.
Fixing a Vulnerability and Changing the Status of an Issue
Once you fix a vulnerability, change the status of the issue pertaining to that vulnerability to Fixed (Unconfirmed) so that the Netsparker Cloud scanner automatically checks the fix. If the fix works as intended, the issue is marked as Fixed. If not, the issue is assigned back to the Assignee so he or she can fix the vulnerability.
Reviewing the Details and History of an Issue
In the issue details page you can see details such as:
- when the issue was first detected,
- on which website,
- its status and to whom it is assigned,
- all the technical details of the vulnerability it is reporting,
- its history (to whom it was assigned, and so on).
Managing the Netsparker Cloud Issues
Every Netsparker Cloud user has an Issues node that they can access from the dashboard. From this node you can see the status of, and detailed information about, every issue you have dealt with. The sub-nodes are listed below:
To Do: in this section you will find all the issues that have been assigned to you and that you need to take action on, such as fixing them, assigning them to someone else or changing their status.
Waiting for Testing: in this section you will find all the issues that are marked as fixed and are waiting to be tested automatically by Netsparker Cloud.
Addressed Issues: in this section you will find all the issues that have been marked as Fixed, Accepted Risk or False Positive. Therefore all issues listed in this section have been addressed.
All Issues: in this section you will find all the issues you have ever dealt with.
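To make the lifecycle described above concrete, here is a small model of the issue states, the automatic re-test after Fixed (unconfirmed), and the mapping of statuses onto the To Do, Waiting for Testing and Addressed Issues sub-nodes. This is an added illustration, not Netsparker Cloud’s own code or API; the Issue class, the retest callback and the sample issue names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable

# Constructed model of the issue workflow described above; not Netsparker code.
PRESENT = "Present"
ACCEPTED_RISK = "Accepted Risk"
FALSE_POSITIVE = "False Positive"
FIXED_UNCONFIRMED = "Fixed (unconfirmed)"
FIXED = "Fixed"


@dataclass
class Issue:
    name: str
    severity: str            # e.g. "High", "Medium", "Information"
    assignee: str            # starts as the website's technical contact
    status: str = PRESENT
    history: list = field(default_factory=list)   # (status, assignee) entries

    def __post_init__(self) -> None:
        # Information-level findings are opened as Accepted Risk, not as To Do work.
        if self.severity == "Information":
            self.status = ACCEPTED_RISK
        self.history.append((self.status, self.assignee))

    def assign(self, user: str) -> None:
        self.assignee = user
        self.history.append((self.status, user))

    def set_status(self, status: str) -> None:
        self.status = status
        self.history.append((status, self.assignee))


def retest(issue: Issue, still_vulnerable: Callable[[Issue], bool]) -> str:
    """Automatic re-check that only applies to issues marked Fixed (unconfirmed)."""
    if issue.status != FIXED_UNCONFIRMED:
        return issue.status
    # A confirmed fix closes the issue; a failed fix returns it to Present,
    # still assigned to the same developer, so it reappears in their To Do.
    issue.set_status(PRESENT if still_vulnerable(issue) else FIXED)
    return issue.status


def bucket(issue: Issue) -> str:
    """Map an issue's status onto the dashboard sub-nodes."""
    if issue.status == PRESENT:
        return "To Do"
    if issue.status == FIXED_UNCONFIRMED:
        return "Waiting for Testing"
    return "Addressed Issues"   # Fixed, Accepted Risk or False Positive
```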
Ensuring All Vulnerabilities Are Fixed with Netsparker Cloud
The Issues vulnerability tracking and management system makes Netsparker Cloud a one-stop web application security solution. Netsparker Cloud goes beyond the remit of a normal web security scanner: it enables you to assign issues and track their progress via a simple interface. It also provides a full record of when, and by whom, the security vulnerabilities were fixed. This feature alone is enough to put Netsparker Cloud in a new, different class of web application security scanning solutions.