Web Application Security Status and FAQ

June 24, 2025
Ingrid

The Web Application Security risk vector performs multiple assessments related to web application security. It provides information about components with known vulnerabilities, broken authentication and access control, sensitive data exposure, cross-site scripting prevention mechanisms, and security misconfigurations.

You can find the answers to some of our most frequently asked Web Application Security questions below.

Contents:
- Risk Vector Availability
- Risk Vector Integration
- Risk Vector Functionality
- Relation With Other Risk Vectors
- Scanning and Update Process
- Grading
- Risk Vector Assessment Details

Risk Vector Availability

When was Web Application Security released?

Web Application Security has been available in Bitsight applications since September 7, 2023, as a non-rating-impacting risk vector.

When did it begin impacting the rating?

Web Application Security remained a non-rating-impacting risk vector until RAU25, which took place on July 10, 2025.

Risk Vector Integration

Is Web Application Security included in Risk Remediation?

Web Application Security has been available in Risk Remediation since the start of the RAU25 preview (April 8, 2025). It will be available in Forecasting and Peer Analytics at a later stage.

Risk Vector Functionality

What do Failed and Passed evidence mean?

Every assessment provides a list of the evidence collected when it was run against a specific web application. We record both negative indicators and correct implementations of the security controls we evaluate; the Passed or Failed status on each piece of evidence marks which of the two it is.

Examples:
- In the JavaScript Libraries with Known Vulnerabilities assessment, we list every JavaScript library we could identify within a web application. Those marked Passed are libraries in use that are not known to contain any vulnerability; those marked Failed are libraries in use with at least one known vulnerability.
- In the Cross-Domain Subresource Integrity Check assessment, resources marked Failed do not define the integrity attribute, while those marked Passed define it.

Not all assessments provide a mix of Failed and Passed evidence. Some only provide Failed evidence (e.g., Content Security Policy Violations or Cookie SameSite Blocked), because we can only observe negative results for them. Others only provide Passed evidence (e.g., HSTS Preload Directive Present), because we only consider that control as having a positive impact on a web application's security. The meaning is always the same: Passed evidence represents a correct implementation of the security control being evaluated, while Failed evidence means an invalid or missing implementation.

Is it possible to export the information in the Evidence tab to CSV?

Yes. To export evidence details, first select the Evidence column under Customize Columns in the Findings table. Then use Download CSV to download all the data, including the evidence details.

Relation With Other Risk Vectors

What will happen to Web Application Headers?

The Web Application Security (WAS) risk vector can be seen as an evolution of the Web Application Headers (WAH) risk vector and will eventually replace it. For some time, however, both will be available in Bitsight. WAS replaced WAH in the headline rating in RAU25 on July 10, 2025, with the same weight of 5%. The Web Application Headers risk vector will remain in Bitsight, and we will continue to generate findings for it for some time. After that, we will stop generating findings and eventually remove the risk vector from Bitsight.

Scanning and Update Process

How is scanning performed for Web Application Security?

The Web Application Security risk vector uses a headless web browser to gather information about web servers and applications, and then runs its assessments against the security controls they implement.
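The following is an added example, not Bitsight's scanner code, of the assessment step that follows collection. It takes one collected response (URL, response headers, HTML) and emits Passed/Failed evidence for the Cross-Domain Subresource Integrity Check, for an HTTP resource referenced from an HTTPS context, and for HSTS Preload Directive Present, with the same Passed-only and Failed-only asymmetry described under "What do Failed and Passed evidence mean?" above. The sample response, the CDN hostnames, the placeholder integrity digest, and the name "HTTP Resource Loaded From HTTPS Context" are constructed for the example; parsing static HTML with regular expressions stands in for the DOM a headless browser would have rendered.

```javascript
// Added example, not Bitsight's scanner code. Derives Passed/Failed evidence
// for a few of the FAQ's assessments from one collected HTTP response.
// Runs on Node.js 18+ with no dependencies. Regular expressions over static
// HTML are a deliberate simplification of a rendered headless-browser DOM.

const TAG_RE = /<(script|link)\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Parse one tag's attribute string into an object keyed by lowercase name.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Collect external scripts and stylesheets, resolved to absolute URLs against
// the page URL (so "/static/app.js" and "//cdn/..." resolve the way a browser would).
function extractResources(pageUrl, html) {
  const resources = [];
  for (const m of html.matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const a = parseAttrs(m[2]);
    const ref = tag === "script" ? a.src : (/\bstylesheet\b/i.test(a.rel ?? "") ? a.href : undefined);
    if (!ref) continue;
    try {
      resources.push({ tag, url: new URL(ref, pageUrl), integrity: a.integrity });
    } catch {
      // Unparsable URL: nothing a browser could fetch, so no evidence.
    }
  }
  return resources;
}

// Cross-Domain Subresource Integrity Check: one piece of evidence per
// cross-origin script/stylesheet. Passed when it carries an integrity
// attribute, Failed when it does not. Same-origin resources yield nothing.
function sriEvidence(pageUrl, html) {
  const origin = new URL(pageUrl).origin;
  return extractResources(pageUrl, html)
    .filter((r) => r.url.origin !== origin)
    .map((r) => ({
      assessment: "Cross-Domain Subresource Integrity Check",
      resource: r.url.href,
      status: r.integrity ? "Passed" : "Failed",
    }));
}

// HTTP resource loaded from an HTTPS context (assessment name assumed here):
// Failed-only evidence, since a clean page simply produces none.
function mixedContentEvidence(pageUrl, html) {
  if (new URL(pageUrl).protocol !== "https:") return [];
  return extractResources(pageUrl, html)
    .filter((r) => r.url.protocol === "http:")
    .map((r) => ({
      assessment: "HTTP Resource Loaded From HTTPS Context",
      resource: r.url.href,
      status: "Failed",
    }));
}

// HSTS Preload Directive Present: Passed-only evidence. The header is parsed
// as ";"-separated directives; a missing header or a missing "preload"
// directive yields no evidence at all rather than a Failed entry.
function hstsPreloadEvidence(headers) {
  const entry = Object.entries(headers).find(([name]) => name.toLowerCase() === "strict-transport-security");
  if (!entry) return [];
  const directives = entry[1].split(";").map((d) => d.trim().toLowerCase());
  if (!directives.includes("preload")) return [];
  return [{ assessment: "HSTS Preload Directive Present", resource: entry[1], status: "Passed" }];
}

// Run every assessment over one collected response { url, headers, html }.
function assess(response) {
  return [
    ...sriEvidence(response.url, response.html),
    ...mixedContentEvidence(response.url, response.html),
    ...hstsPreloadEvidence(response.headers),
  ];
}

// Constructed sample response; not data from any real scan. The integrity
// value is a placeholder, not a real sha384 digest.
const SAMPLE = {
  url: "https://www.example.test/login",
  headers: {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  },
  html: `<html><head>
<link rel="stylesheet" href="https://cdn.example-cdn.test/lib.css" integrity="sha384-AAAA" crossorigin="anonymous">
<script src="https://cdn.example-cdn.test/jquery.js"></script>
<script src="/static/app.js"></script>
<script src="http://cdn.example-cdn.test/tracker.js"></script>
</head><body></body></html>`,
};

for (const e of assess(SAMPLE)) {
  console.log(`${e.status.padEnd(6)} ${e.assessment}: ${e.resource}`);
}
```

Run it with `node`. On the sample page it reports the stylesheet as Passed (cross-origin with an integrity attribute), both CDN scripts as Failed for the SRI check, the tracker script a second time as Failed for being fetched over HTTP from an HTTPS page, and one Passed entry for the HSTS preload directive; the same-origin `/static/app.js` produces no evidence at all, which is exactly the behaviour the FAQ describes for controls that only generate evidence in one direction.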
With this scanner, we render and interpret HTML the same way a browser would, and we gather information such as:
- HTTP headers.
- Content Security Policies.
- Web application components and their versions (e.g., JavaScript libraries).
- Web page contents and their security context (e.g., HTTP resources loaded from an HTTPS context).
- Internet-accessible administration pages (e.g., admin portals for WordPress, Drupal, and other content management systems).

More information: Understanding and Troubleshooting Web Application Security Scanning

Can I request that a finding be rescanned?

Yes. Use the standard rescan workflow available in Bitsight. Once a rescan is requested, the entire domain is rescanned and all associated findings are updated.

Does Bitsight send any payload while performing the 22 assessments?

No. We only make standard HTTP requests (the same requests any browser would make) and run the assessments on the responses we collect.

Grading

How was the severity of each assessment determined?

We determined the severity of each assessment by evaluating the Common Weakness Enumeration (CWE) entry that the assessment targets.

How does severity affect the finding grade?

Severity is a static attribute of each assessment. It sets the maximum impact that a finding from that assessment can have on the grade.

Updates:
- September 9, 2025: Post-RAU25 updates.
- June 24, 2025: Added the relation with other risk vectors, scanning, and grading and assessment questions.
- March 12, 2024: TLS Errors on Page Resource Fetch assessment deprecated.
- September 26, 2023: Published.