- August 16, 2023: New Grading & Finding Behavior sections.
- July 21, 2023: Published.
The Web Application Security risk vector performs multiple assessments related to web application security. It provides information about components with known vulnerabilities, broken authentication and access control, sensitive data exposure, cross-site scripting prevention mechanisms, and security misconfigurations.
Web applications often handle sensitive data such as personal information, financial data, and confidential business information. If this data is not properly protected, it can be accessed and exploited by unauthorized parties, leading to serious consequences for both the individuals whose data has been compromised and the organization responsible for protecting it.
In addition to the risks to sensitive data, web application security is also important for maintaining the integrity and availability of the application itself. Security vulnerabilities can be exploited to gain unauthorized access to the application, allowing attackers to make changes or disrupt the normal functioning of the application. This can result in lost productivity, damage to the organization's reputation, and financial losses. Overall, web application security is essential for protecting sensitive data, maintaining the integrity and availability of the application, and complying with relevant laws and regulations.
This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into security ratings.
Some findings cannot be traced back to specific companies due to the use of third-party systems, such as web filters and Content Delivery Networks (CDNs), that are capable of redirecting and encapsulating network traffic. Some firewalls might also detect and block external scanning tools from getting any data. Such cases are set at the center of the grading scale for computing into security ratings.
If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade.
(Out of 70.5% in Diligence)
Our analysis is based on observing application behavior when loaded into a standard browser. Remediation is application-specific because each implementation varies between software development teams. Remediation will need to be assessed by the organization based on the issues detected; in some cases, we are able to provide remediation information in the explanation.
The information from detected issues can be used to determine where to apply software updates, remove software, or investigate brand abuse.
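As an added illustration (not the rating vendor's own analysis logic, whose exact checks this page does not describe), the self-check below inspects one HTTP response's headers and cookies for the kinds of issues named in the assessment categories above: cross-site scripting prevention mechanisms (Content-Security-Policy), security misconfigurations (missing Strict-Transport-Security, X-Content-Type-Options, clickjacking protection, server version disclosure) and sensitive data exposure (cookie attributes). The two sample responses are constructed, and the category labels and the specific header rules are assumptions; a check for components with known vulnerabilities would additionally need a vulnerability database and is not attempted here.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    category: str  # assumed label, loosely mapped to the assessment areas above
    detail: str


def _csp_directives(csp: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def check_response(headers: Dict[str, str], set_cookies: List[str],
                   https: bool = True) -> List[Finding]:
    """Return findings for a single response; rules are assumptions, not the vendor's."""
    # HTTP header names are case-insensitive, so normalise before lookup
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Finding] = []

    # Cross-site scripting prevention mechanisms
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(Finding("xss-prevention", "no Content-Security-Policy header"))
    else:
        directives = _csp_directives(csp)
        # script-src falls back to default-src when absent
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append(Finding("xss-prevention", "CSP allows 'unsafe-inline' scripts"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(Finding("misconfiguration", "X-Content-Type-Options is not 'nosniff'"))

    # Security misconfigurations
    if https and "strict-transport-security" not in h:
        findings.append(Finding("misconfiguration",
                                "HTTPS response without Strict-Transport-Security"))
    has_frame_ancestors = csp is not None and "frame-ancestors" in _csp_directives(csp)
    if "x-frame-options" not in h and not has_frame_ancestors:
        findings.append(Finding("misconfiguration",
                                "no clickjacking protection (X-Frame-Options or CSP frame-ancestors)"))
    for name in ("server", "x-powered-by"):
        value = h.get(name, "")
        if any(ch.isdigit() for ch in value):  # a digit usually means a version string
            findings.append(Finding("misconfiguration", f"{name} header discloses a version: {value}"))

    # Sensitive data exposure: session cookies without protective attributes
    for raw in set_cookies:
        attrs = [a.strip().lower() for a in raw.split(";")]
        cookie_name = attrs[0].split("=", 1)[0]
        if https and "secure" not in attrs:
            findings.append(Finding("data-exposure", f"cookie {cookie_name!r} lacks Secure"))
        if "httponly" not in attrs:
            findings.append(Finding("data-exposure", f"cookie {cookie_name!r} lacks HttpOnly"))
    return findings


# Constructed sample responses (not captured from any real site)
WEAK_HEADERS = {
    "Server": "ExampleServer/1.2.3",
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}
WEAK_COOKIES = ["session=abc123; Path=/"]

HARDENED_HEADERS = {
    "Server": "ExampleServer",
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
HARDENED_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for f in check_response(WEAK_HEADERS, WEAK_COOKIES):
        print(f"[{f.category}] {f.detail}")
```

Running the block prints seven findings for the weak response and none for the hardened one; the same function can be pointed at headers captured from a browser's developer tools to reproduce, from the organization's side, the kind of behavior-based observation the analysis above relies on.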
- Identify web applications that are not adhering to application security best practices.
- Verify questionnaire data from vendors; for example, verify claims that their organization is free of a particular operating system.
- Understand which, if any, applications at an insured present a risk for known vulnerabilities and other threats.
- Verify quality and other contractual agreements with clients or vendors; for example, verify that a client produced software that is secure and adhered to a policy of keeping end-user operating systems up to date.
Automated: 60 Days
User-Requested: 2 Days
New findings immediately impact the grade. Remediated findings: