This will be impacted by the 2025 Ratings Algorithm Update (RAU), which is planned for release on July 10, 2025.
The Web Application Security risk vector is part of the Diligence risk category. It performs multiple assessments related to web application security. It provides information about components with known vulnerabilities, broken authentication and access control, sensitive data exposure, cross-site scripting prevention mechanisms, and security misconfigurations.
Risks
Web applications often handle sensitive data such as personal information, financial data, and confidential business information. If this data is not properly protected, it can be accessed and exploited by unauthorized parties, leading to serious consequences for both the individuals whose data has been compromised and the organization responsible for protecting it.
In addition to the risks to sensitive data, web application security is also important for maintaining the integrity and availability of the application itself. Security vulnerabilities can be exploited to gain unauthorized access to the application, allowing attackers to make changes or disrupt the normal functioning of the application. This can result in lost productivity, damage to the organization's reputation, and financial losses. Overall, web application security is essential for protecting sensitive data, maintaining the integrity and availability of the application, and complying with relevant laws and regulations.
Grading
See how the Web Application Security risk vector is graded.
This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into security ratings.
Insufficient Data
A default risk vector grade is assigned if there is insufficient or no data.
Behavior: Some findings cannot be traced back to specific companies because of third-party systems, such as web filters and Content Delivery Networks (CDNs), that redirect and encapsulate network traffic. Some firewalls may also detect and block external scanning tools, so no data is collected. In these cases the grade is set to the center of the grading scale when computing security ratings.
Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
Duration: 60 Days
Weight
The Web Application Security risk vector is part of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% towards Bitsight Security Ratings.
Weight: This risk vector does not currently affect security ratings.
Remediation
Our assessment is based on analysis of application behavior when the application is loaded into a standard browser. Remediation is application-specific because each implementation varies between software development teams, so the organization must assess remediation based on the issues detected; in some cases, we are able to provide remediation information in the finding's explanation.
The information from detected issues can be used to determine where to apply software updates, remove software, or investigate brand abuse.
Pass/Fail Indicators
What do failed and passed evidence mean?
Each assessment provides a list of the evidence collected when it was performed on a specific web application. Both negative indicators and correct implementations of the security controls are recorded as Pass or Fail.
- Pass: Good security controls are implemented.
- Fail: The security control implementation is invalid or non-existent.
Not all assessments provide a mix of Pass and Fail evidence. Some provide only Fail evidence (e.g., Content Security Policy Violations or Cookie SameSite Blocked), since we can only observe negative results. Others provide only Pass evidence (e.g., HSTS Preload Directive Present), since we only consider this control to positively impact a web application's security. In every case the meaning of Pass and Fail is the same.
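To make the Pass/Fail evidence model concrete, the following added example (not Bitsight's scanner, and not code from this page) evaluates a set of HTTP response headers the way the indicators named above suggest: an HSTS `preload` directive yields only Pass evidence, a missing `SameSite` cookie attribute yields only Fail evidence, and a Content-Security-Policy is graded on whether it restricts inline scripts. The headers, the evidence labels and the thresholds (one-year HSTS `max-age`) are assumptions made for the example; Bitsight's actual assessment logic is not documented on this page.

```python
"""Header-based Pass/Fail evidence checks modelled on the indicators the page
names. Added example, not Bitsight's scanner; all headers below are constructed."""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]
Evidence = List[Tuple[str, str]]  # (evidence label, "Pass" | "Fail")

# Constructed sample response headers for a hypothetical web application.
# Set-Cookie can repeat, so headers are kept as (name, value) pairs.
SAMPLE_HEADERS: Headers = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "tracker=xyz; Path=/"),
]

ONE_YEAR_SECONDS = 31536000  # assumed minimum HSTS max-age for a Pass


def _values(headers: Headers, name: str) -> List[str]:
    """Return every value of a header, matched case-insensitively."""
    return [v for n, v in headers if n.lower() == name.lower()]


def _directives(value: str) -> Dict[str, str]:
    """Parse 'key=value; flag; ...' (HSTS and Set-Cookie style) into a dict."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def _csp_directives(value: str) -> Dict[str, List[str]]:
    """Parse 'directive src src; ...' (CSP style) into directive -> sources."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_hsts(headers: Headers) -> Evidence:
    """HSTS: preload and includeSubDomains are Pass-only evidence; a missing
    header or short max-age is Fail evidence."""
    values = _values(headers, "Strict-Transport-Security")
    if not values:
        return [("HSTS header absent", "Fail")]
    d = _directives(values[0])
    raw = d.get("max-age", "")
    max_age = int(raw) if raw.isdigit() else 0
    evidence: Evidence = []
    if max_age >= ONE_YEAR_SECONDS:
        evidence.append(("HSTS max-age of at least one year", "Pass"))
    else:
        evidence.append(("HSTS max-age shorter than one year", "Fail"))
    if "includesubdomains" in d:
        evidence.append(("HSTS includeSubDomains directive present", "Pass"))
    if "preload" in d:
        evidence.append(("HSTS preload directive present", "Pass"))
    return evidence


def check_csp(headers: Headers) -> Evidence:
    """CSP: script-src (falling back to default-src) must not allow inline scripts."""
    values = _values(headers, "Content-Security-Policy")
    if not values:
        return [("Content-Security-Policy header absent", "Fail")]
    d = _csp_directives(values[0])
    script_sources = d.get("script-src", d.get("default-src", []))
    if "'unsafe-inline'" in script_sources:
        return [("CSP script-src allows 'unsafe-inline'", "Fail")]
    return [("CSP restricts inline scripts", "Pass")]


def check_cookies(headers: Headers) -> Evidence:
    """Cookies: every Set-Cookie needs SameSite; SameSite=None also needs Secure."""
    evidence: Evidence = []
    for value in _values(headers, "Set-Cookie"):
        name = value.split("=", 1)[0].strip()
        d = _directives(value)
        samesite = d.get("samesite", "").lower()
        if not samesite:
            evidence.append((f"Cookie {name} lacks SameSite attribute", "Fail"))
        elif samesite == "none" and "secure" not in d:
            evidence.append((f"Cookie {name} SameSite=None without Secure", "Fail"))
        else:
            evidence.append((f"Cookie {name} SameSite={samesite}", "Pass"))
    return evidence


def assess(headers: Headers) -> Dict[str, str]:
    """Run all checks and return evidence label -> Pass/Fail."""
    return dict(check_hsts(headers) + check_csp(headers) + check_cookies(headers))


if __name__ == "__main__":
    for label, status in assess(SAMPLE_HEADERS).items():
        print(f"{status:4s}  {label}")
```

Running it against the constructed headers reports Pass evidence for the HSTS directives and the `session` cookie, and Fail evidence for the `'unsafe-inline'` script source and the `tracker` cookie, which illustrates why one application can carry both kinds of evidence for the same risk vector.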
Resources
Recommendations
Review Web Application Security findings.
- Identify web applications that are not adhering to application security best practices.
- Verify questionnaire data from vendors; for example, verify a vendor's claim that their organization does not run a particular operating system.
- Understand which, if any, applications at an insured present a risk for known vulnerabilities and other threats.
- Verify quality and other contractual agreements with clients or vendors; for example, verify that a client created secure software from a security standpoint and adhered to a policy of keeping end-user operating systems up-to-date.
Rescan Base Duration
The Bitsight platform regularly checks for new observations. Findings are rescanned as these observations change, e.g., when new Diligence findings are observed or an existing finding is remediated.
Automated Scan: 30 Days
User-Requested Rescan: 3 days. See timeline for details.
Finding Behavior
The behavior of findings based on remediation and rescan statuses:
Remediated
- Remediated
  - The remediated finding stops impacting the grade. If a user-requested rescan is initiated, the rescan status is either Remediated or Partially Remediated.
  - A new finding impacting the grade is created. If this is the result of a user-requested rescan, the rescan status is Replacement Finding.
- Not Remediated
  - If a user-requested rescan is initiated and the issue persists, the rescan status is Not Remediated and the finding continues to impact the grade until it completes its lifetime.
- June 25, 2025: Automated rescan duration is 30 days; User-requested rescan base duration is 3 days.
- March 28, 2025: Incorporated pass/fail information into the remediation.
- March 18, 2025: Academy deep dive.