This risk vector will be affected by the 2025 Ratings Algorithm Update (RAU), which is planned for release in July 2025.
The Web Application Security risk vector is part of the Diligence risk category. It performs multiple assessments of web application security and reports on components with known vulnerabilities, broken authentication and access control, sensitive data exposure, cross-site scripting (XSS) prevention mechanisms, and security misconfigurations.
Risks
Web applications often handle sensitive data such as personal information, financial data, and confidential business information. If this data is not properly protected, it can be accessed and exploited by unauthorized parties, leading to serious consequences for both the individuals whose data has been compromised and the organization responsible for protecting it.
In addition to the risks to sensitive data, web application security is also important for maintaining the integrity and availability of the application itself. Security vulnerabilities can be exploited to gain unauthorized access to the application, allowing attackers to make changes or disrupt the normal functioning of the application. This can result in lost productivity, damage to the organization's reputation, and financial losses. Overall, web application security is essential for protecting sensitive data, maintaining the integrity and availability of the application, and complying with relevant laws and regulations.
Grading
This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into security ratings.
Concept | Behavior |
---|---|
Finding duration | 60 days |
Default grade | A default risk vector grade is assigned. Some findings cannot be traced back to a specific company because of third-party systems, such as web filters and Content Delivery Networks (CDN), that redirect and encapsulate network traffic; some firewalls may also detect and block external scanning tools from collecting any data. The default grade sits at the center of the grading scale when computed into security ratings. |
Missing data | ❖ If there are no findings and Bitsight is temporarily unable to collect data, the most recent grade is retained for up to 400 days before the default grade is assigned. |
Percentage (of the 70.5% Diligence weight) | This risk vector does not currently affect security ratings. |
Remediation
Findings are based on observing how the application behaves when loaded in a standard browser. Remediation is application-specific because each implementation differs between software development teams, so the organization must assess the detected issues itself; in some cases the finding explanation includes remediation information.
The detected issues indicate where to apply software updates, remove software, or investigate brand abuse.
Recommendations
Review Web Application Security findings.
- Identify web applications that are not adhering to application security best practices.
- Verify questionnaire data from vendors; for example, verify a claim that the organization does not use a particular operating system.
- Understand which applications, if any, at an insured present a risk from known vulnerabilities and other threats.
- Verify quality and other contractual agreements with clients or vendors; for example, verify that a client developed its software securely and adhered to a policy of keeping end-user operating systems up to date.
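Because findings are derived from how a page behaves when a browser loads it, the cheapest way to get ahead of them is to review the HTTP response headers and cookie attributes of your own web applications before an external scan does. The script below is an added example and not Bitsight's scanner or its actual detection logic; the specific headers it inspects, the category labels, the 180-day HSTS threshold (`MIN_HSTS_MAX_AGE`) and the two header sets (`WEAK_HEADERS`, `HARDENED_HEADERS`) are constructed assumptions that map onto the categories this risk vector describes: XSS prevention mechanisms, security misconfigurations, sensitive data exposure, and components with known vulnerabilities.

```python
"""Self-check of one page's HTTP response headers against the web application
security categories described above. Added example, not Bitsight's own code;
the headers, thresholds and labels are assumptions about what a browser-based
assessment would look for."""

import re
from typing import Dict, List, Union

HeaderValue = Union[str, List[str]]  # Set-Cookie may appear several times

MIN_HSTS_MAX_AGE = 15552000  # 180 days; assumed minimum, not a Bitsight threshold

# Constructed sample headers (not captured from a real site): a weak set and a
# hardened set for the same page.
WEAK_HEADERS: Dict[str, HeaderValue] = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": ["session=abc123; Path=/", "prefs=dark; Path=/; Secure"],
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

HARDENED_HEADERS: Dict[str, HeaderValue] = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}


def _as_list(value: HeaderValue) -> List[str]:
    return value if isinstance(value, list) else [value]


def _csp_directives(csp: str) -> Dict[str, List[str]]:
    """Parse 'directive src1 src2; directive ...' into a lowercase dict."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_headers(headers: Dict[str, HeaderValue], https: bool = True) -> List[str]:
    """Return a list of findings, each prefixed with the category it falls under."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    # Cross-site scripting prevention mechanisms: is there a CSP, and does it
    # still permit inline or eval'd script (which defeats its purpose)?
    csp_raw = h.get("content-security-policy")
    csp = _csp_directives(_as_list(csp_raw)[0]) if csp_raw else {}
    if not csp:
        findings.append("xss: no Content-Security-Policy header")
    else:
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src or "'unsafe-eval'" in script_src:
            findings.append("xss: CSP script sources allow 'unsafe-inline' or 'unsafe-eval'")

    # Security misconfigurations: MIME sniffing and framing (clickjacking).
    if str(h.get("x-content-type-options", "")).lower() != "nosniff":
        findings.append("misconfiguration: X-Content-Type-Options is not 'nosniff'")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("misconfiguration: no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    # Sensitive data exposure: HSTS on HTTPS sites, and cookie attributes that
    # keep session tokens off plaintext channels and away from script.
    if https:
        m = re.search(r"max-age=(\d+)", str(h.get("strict-transport-security", "")), re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"sensitive-data: HSTS missing or max-age below {MIN_HSTS_MAX_AGE}")
    for cookie in _as_list(h.get("set-cookie", [])):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if https and "secure" not in attrs:
            findings.append(f"sensitive-data: cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"sensitive-data: cookie {name} lacks HttpOnly")

    # Components with known vulnerabilities: a version string in a banner is
    # exactly what an external scanner matches against vulnerability data.
    for banner in ("server", "x-powered-by"):
        value = str(h.get(banner, ""))
        if re.search(r"\d+\.\d+", value):
            findings.append(f"components: {banner} discloses a version ({value})")

    return findings


if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {len(check_headers(headers))} finding(s)")
        for finding in check_headers(headers):
            print("  -", finding)
```

Feed it the headers from a real response (for example the `headers` attribute of a `requests` response, with `Set-Cookie` collected as a list) and run it against each login, account and checkout page rather than just the home page, since session cookies and the weakest CSPs tend to live there. Pass `https=False` only for pages genuinely served over plain HTTP; on those, the HSTS and `Secure` checks are skipped, but the missing TLS is itself the larger exposure.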
Finding Behavior
Concept | Behavior |
---|---|
Updates | The Bitsight platform regularly checks for new observations. Findings are updated as these observations change, e.g., a new Diligence finding is observed or an existing finding is remediated. |
Scan duration | Automated scan duration: 60 days. User-requested rescan duration: 2 days. |
- March 18, 2025: Academy deep dive.
- February 5, 2025: 2025 RAU notice.
- December 6, 2024: Linked to finding messages.