A variety of security assessments are performed on web applications to determine if the best practices are being followed.
This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into security ratings.
Concept | Behavior |
---|---|
A default risk vector grade is assigned. | Some findings cannot be traced back to specific companies due to the use of third-party systems, such as web filters and Content Delivery Networks (CDN), that are capable of redirecting and encapsulating network traffic. Some firewalls might also detect and block external scanning tools from getting any data. The default grade is set in the center of the grading scale for computing into security ratings. If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before the default grade is assigned. |
The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. | Duration: 60 Days |
Percentage (out of 70.5% in Diligence) | This risk vector does not currently affect security ratings. |
Criteria
Only domains that provide an HTTP or HTTPS service are included in these assessments.
Methodology
Domains that are included are loaded using a standard web browser connection. Bitsight then captures the entire response of the page load, including redirects and all dynamic page content, and performs a set of assessments on that response. When redirects occur, all assessments are attributed to the last host in the redirect chain, with one exception: an HTTPS to HTTP redirect is attributed to the domain that performs the downgrade.
Bitsight does not send out specific requests to trigger or identify vulnerabilities that may be present on the web application. We also do not crawl the loaded page for additional responses.
Assessment Categories
Web Application Security findings are subjected to different assessments to determine the presence and severity of vulnerabilities. The assessments are defined to target a specific Common Weakness Enumeration (CWE) or a category within the Open Web Application Security Project (OWASP) Top 10.
The assessments can be generalized as follows.
Category | Description |
---|---|
Cross-Site Scripting | Validation of security measures such as SRI and CSP to ensure no malicious remote resource is included on a web application. |
Components with Known Vulnerabilities | Using a library with missing security patches can make your web application exceptionally easy to abuse, so it is crucial that any available security updates are applied immediately. |
Broken Authentication and Access Control | Access control policies ensure that users cannot act outside their intended permissions. |
Sensitive Data Exposure | Ensuring application design includes controls to reduce the exposure of critical and sensitive information. |
Security Misconfiguration | Assessment of web application implementations regarding security hardening or unnecessary features and privileges. |
Finding Grading
Each Web Application Security assessment has its own grading mechanism and impacts the risk vector grade differently. The following tables summarize all possible grades for all WAS assessments.
Cross-Site Scripting
Assessment | Possible grades (GOOD to BAD, better first) |
---|---|
Cross domain subresources integrity check | A relevant number of SRI checks are implemented. / Very few (or zero) SRI checks are implemented. |
Cross domain subresource integrity failure | This website contains an invalid digest for at least one resource being loaded from outside of the web application's origin. |
CSP Violations | One unique CSP violation found. / More than one unique CSP violation found. |
CSP Configurations | GOOD: The CSP policy has no issues. FAIR: The CSP policy has a small number/low severity of issues. WARN: The CSP policy has a medium number/medium severity of issues. BAD: There is no CSP policy or a high number/high severity of issues. |
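The two SRI rows above grade whether cross-origin scripts and stylesheets carry an `integrity` attribute and whether that digest actually matches the fetched resource. The following is an added example of how such a check can be performed on a captured page response; it is not Bitsight's code and does not reproduce its thresholds. It assumes the page HTML and the bytes of each cross-origin resource have already been captured (a constructed sample page, hosts `shop.example`, `cdn.example` and `analytics.example`, and the `assess_sri` helper are all assumptions of this example). It applies the SRI matching rule that only digests for the strongest listed algorithm count, so it also covers `integrity` values that list several hashes.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Algorithms allowed by the SRI specification, ordered by strength.
SRI_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def origin_of(url: str, page_url: str) -> tuple:
    """Origin (scheme, host, port) of a subresource URL resolved against the page URL.
    Relative URLs belong to the page origin; protocol-relative URLs inherit the page scheme."""
    parsed = urlparse(url)
    page = urlparse(page_url)
    if not parsed.netloc:
        return (page.scheme, page.hostname, page.port)
    return (parsed.scheme or page.scheme, parsed.hostname, parsed.port)


class SubresourceCollector(HTMLParser):
    """Collects external scripts and stylesheets together with their integrity attribute, if any."""

    def __init__(self):
        super().__init__()
        self.resources = []  # list of (url, integrity-or-None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.resources.append((a["src"], a.get("integrity")))
        elif tag == "link" and a.get("href"):
            if "stylesheet" in (a.get("rel") or "").lower().split():
                self.resources.append((a["href"], a.get("integrity")))


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Produce an integrity value of the form "sha384-<base64 digest>" for a resource body."""
    return f"{algo}-" + base64.b64encode(hashlib.new(algo, body).digest()).decode()


def integrity_matches(integrity: str, body: bytes) -> bool:
    """SRI matching rule: only digests of the strongest listed algorithm are considered,
    and any one of them matching the body is a pass."""
    by_algo = {}
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        digest = digest.split("?", 1)[0]  # drop an option suffix such as "?ct=..."
        if algo.lower() in SRI_STRENGTH:
            by_algo.setdefault(algo.lower(), []).append(digest)
    if not by_algo:
        return False  # no recognised algorithm: a browser would ignore the attribute
    strongest = max(by_algo, key=SRI_STRENGTH.__getitem__)
    actual = base64.b64encode(hashlib.new(strongest, body).digest()).decode()
    return actual in by_algo[strongest]


def assess_sri(page_url: str, html: str, bodies: dict) -> dict:
    """Summarise cross-origin subresources: how many carry SRI, which lack it,
    and which carry a digest that does not match the body that was fetched.
    `bodies` maps resource URL -> bytes as captured during the page load."""
    collector = SubresourceCollector()
    collector.feed(html)
    page_origin = origin_of(page_url, page_url)
    report = {"cross_origin": 0, "with_sri": 0, "missing_sri": [], "invalid_digest": []}
    for url, integrity in collector.resources:
        if origin_of(url, page_url) == page_origin:
            continue  # same-origin resources are outside this check
        report["cross_origin"] += 1
        if not integrity:
            report["missing_sri"].append(url)
            continue
        report["with_sri"] += 1
        if url in bodies and not integrity_matches(integrity, bodies[url]):
            report["invalid_digest"].append(url)
    return report


# Constructed sample: one correct digest, one stale digest, one missing integrity, one same-origin script.
LIB_BODY = b"window.lib = {version: '1.0'};\n"
OTHER_BODY = b"window.other = 2;\n"
SAMPLE_BODIES = {
    "https://cdn.example/lib.js": LIB_BODY,
    "https://cdn.example/other.js": OTHER_BODY,
}
SAMPLE_HTML = f"""<html><head>
<script src="https://cdn.example/lib.js" integrity="{sri_digest(LIB_BODY)}" crossorigin="anonymous"></script>
<script src="https://cdn.example/other.js" integrity="{sri_digest(b'old version')}" crossorigin="anonymous"></script>
<script src="//analytics.example/a.js"></script>
<script src="/app.js"></script>
</head><body></body></html>"""


def sample_report() -> dict:
    """Run the check over the constructed sample page."""
    return assess_sri("https://shop.example/", SAMPLE_HTML, SAMPLE_BODIES)


if __name__ == "__main__":
    print(sample_report())
```

On the sample page the report counts three cross-origin scripts, two with an `integrity` attribute, one of which (`other.js`) fails because its digest was computed over an older version of the file; that is the "integrity failure" case, while the analytics script without any digest is what the "integrity check" row counts against.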
Components with Known Vulnerabilities
Assessment | Possible grades (GOOD to BAD, better first) |
---|---|
JavaScript libraries with known vulnerabilities | GOOD: The website has no known JavaScript vulnerabilities. FAIR: A maximum of two moderate severity vulnerabilities, or multiple lower severity vulnerabilities, were identified with a sum of individual weights that is greater than zero and less than three. WARN: Between three and four moderate severity vulnerabilities, or multiple lower severity vulnerabilities, were identified with a sum of individual weights that is greater than or equal to three and less than five. BAD: At least one material severity vulnerability, or multiple lower severity vulnerabilities, were identified with a sum of individual weights that is equal to or greater than five. |
Broken Authentication and Access Control
Assessment | Possible grades (GOOD to BAD, better first) |
---|---|
CMS administration portal exposed | The CMS administration portal is exposed to the internet. |
Cross-site request forgery (CSRF) | Findings of this type are informational only; they are graded NEUTRAL. |
Authentication on insecure channel | A password form is requesting credentials on a site loaded with the "Obsolete connections settings" TLS error. This grade is issued if: |
Sensitive Data Exposure
Assessment | Possible grades (GOOD to BAD, better first) |
---|---|
Secure cookie set on insecure channel | Findings of this type are informational only; they are graded NEUTRAL. |
Mixed content | Low number/low severity of mixed content events. / Medium number/medium severity of mixed content events. / High number/high severity of mixed content events. |
Session Token in URL | Findings of this type are informational only; they are graded NEUTRAL. |
HSTS preload directive present | The Strict-Transport-Security header is set with the preload directive. |
Cookie SameSite attribute | Findings of this type are informational only; they are graded NEUTRAL. |
Cookie SameSite blocked | No issues with blocked cookies exist. / At least one of the following issues exists: |
Unsafe referrer policy | The website contains the unsafe-url Referrer Policy. |
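Several rows in this table (HSTS preload, Secure cookie on an insecure channel, SameSite attribute, SameSite blocked, unsafe referrer policy) are decided purely from the response headers of the loaded page. The following added example shows how those header checks can be expressed over a captured header list; it is not Bitsight's implementation, and the finding names are only borrowed from the table for readability. The condition it uses for "SameSite blocked" (a `SameSite=None` cookie without the `Secure` attribute, which browsers reject) is an assumption of this example, since the page does not list the issues behind that row; the sample headers and the host `www.example` are constructed.

```python
from urllib.parse import urlparse


def parse_set_cookie(value: str) -> dict:
    """Split a Set-Cookie header into the cookie name and a lower-cased attribute map.
    Flag attributes (Secure, HttpOnly) map to True; valued ones (SameSite=Lax) to their value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name, "attrs": attrs}


def assess_headers(page_url: str, headers: list) -> list:
    """Return (assessment, detail) pairs for the response headers of a loaded page.
    `headers` is a list of (name, value) tuples so that repeated Set-Cookie headers survive."""
    findings = []
    scheme = urlparse(page_url).scheme.lower()
    for name, value in headers:
        key = name.lower()
        if key == "strict-transport-security":
            directives = [d.strip().lower() for d in value.split(";")]
            if "preload" in directives:
                findings.append(("HSTS preload directive present", value))
        elif key == "referrer-policy":
            # The header may list fallback policies; any unsafe-url token leaks full URLs.
            tokens = [t.strip().lower() for t in value.split(",")]
            if "unsafe-url" in tokens:
                findings.append(("Unsafe referrer policy", value))
        elif key == "set-cookie":
            cookie = parse_set_cookie(value)
            attrs = cookie["attrs"]
            if attrs.get("secure") and scheme == "http":
                # A Secure cookie delivered over plain HTTP: the flag cannot protect it in transit.
                findings.append(("Secure cookie set on insecure channel", cookie["name"]))
            samesite = attrs.get("samesite")
            if not isinstance(samesite, str):
                # Attribute absent (or present without a value): browser default applies.
                findings.append(("Cookie SameSite attribute", cookie["name"]))
            elif samesite.lower() == "none" and not attrs.get("secure"):
                # Assumed blocked condition: SameSite=None requires Secure, otherwise browsers drop it.
                findings.append(("Cookie SameSite blocked", cookie["name"]))
    return findings


# Constructed sample response for a page loaded over plain HTTP.
SAMPLE_PAGE_URL = "http://www.example/"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Referrer-Policy", "unsafe-url"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "tracker=xyz; Path=/; SameSite=None"),
    ("Set-Cookie", "legacy=1; Path=/"),
]


def sample_findings() -> list:
    """Run the header checks over the constructed sample."""
    return assess_headers(SAMPLE_PAGE_URL, SAMPLE_HEADERS)


if __name__ == "__main__":
    for assessment, detail in sample_findings():
        print(f"{assessment}: {detail}")
```

Keeping headers as a list of tuples rather than a dict matters here: a dict would silently keep only the last `Set-Cookie` value, and the per-cookie findings would be lost.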
Security Misconfiguration
Assessment | Possible grades (GOOD to BAD, better first) |
---|---|
Internal Server Error | We issue a single WARN finding for every website with at least one internal server error. |
Reverse tabnabbing | Findings of this type are informational only; they are graded NEUTRAL. |
Directory listing exposure | Findings of this type are informational only; they are graded NEUTRAL. |
CORS violation | One unique CORS violation found. / More than one unique CORS violation found. |
Overly permissive CORS whitelist | The website contains a permissive CORS policy. |
HTTPS to HTTP redirect | All findings of this type are graded BAD. |
TLS errors on page resource fetch (deprecated)† | No errors or only informational TLS errors were found. / At least one low-severity TLS error was found. / At least one high-severity TLS error was found. |
† This assessment was deprecated on December 5, 2023. Old findings can still be viewed, but new findings are not recorded.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- March 12, 2024: TLS Errors on Page Resource Fetch assessment deprecated.
- February 26, 2024: Added Finding Grading section.