The Web Application Security risk vector performs a variety of security assessments on web applications to determine if the best practices are being followed. Only domains that provide an HTTP or HTTPS service are included in these assessments.
Domains that are included are loaded using a standard web browser connection. We then capture the entire response of the page load, including redirects and all dynamic page content, and perform a set of assessments on that response. In case of redirects, all assessments are attributed to the last host in the redirect chain (except for HTTPS to HTTP redirects which, due to their particularity, are attributed to the domain that does the downgrade).
We do not send out specific requests to trigger or identify vulnerabilities that may be present on the web application. We also do not crawl the loaded page for additional responses.
Impact
Insufficient Data
A default risk vector grade is assigned if there is insufficient or no data.
– This is set in the center of the grading scale for computing into security ratings.
Behavior: Some findings cannot be traced back to specific companies due to the use of third party systems; such as web filters and Content Delivery Networks (CDN), that are capable of redirecting and encapsulating network traffic. Some firewalls might also be detecting and blocking external scanning tools from getting any data.
Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. This is defined by the number of days a finding will impact the risk vector grade. Learn why findings have a decay and lifetime period.
Duration: 60 Days
Weight
The Web Application Security risk vector is part of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% towards Bitsight Security Ratings.
Weight: 5%
Criteria
Additionally, for certain assessments, we check the response code (and exclude certain 3xx and 4xx responses) and the content type (and include only "text/html").
Evaluation
Web Application Security findings are subjected to different assessments to determine the presence and severity, which is a static attribute of assessments indicating the maximum impact that a specific finding can have. The assessments are defined to target a specific Common Weakness Enumeration (CWE) or a category within the Open Web Application Security Project (OWASP) Top 10.
How is the severity of each assessment determined?
We determine the severity of each assessment by evaluating the CWE that each assessment is targeting. The individual severity of each assessment is based on the possible impacts and exploitability of each weakness.
Each assessment has its own grading mechanism and impacts the risk vector grade differently. See possible finding grades for each assessment, within the following assessments:
Cross-Site Scripting
Validation of security measures such as SRI and CSP to ensure no malicious remote resource is included on a web application.
Categories:
Components with Known Vulnerabilities
Using a library with missing security patches can make your web application exceptionally easy to abuse, making it crucial to ensure that any available security updates are to be applied immediately.
Categories:
Broken Authentication and Access Control
Access control policies ensure that users cannot act outside their intended permissions.
Categories:
Sensitive Data Exposure
Ensuring application design includes controls to reduce the exposure of critical and sensitive information.
Categories:
Security Misconfiguration
Assessment of web application implementations regarding security hardening or unnecessary features and privileges.
Categories:
- December 23, 2025: The default grade for WAS is N/A. Added Criteria section.
- July 10, 2025: The weight is 5% for the 2025 Ratings Algorithm Update.
- March 28, 2025: How severity is determined.
- December 16, 2024: Moved finding grades to the more detailed assessment articles.
Feedback
0 comments
Please sign in to leave a comment.