Use this guide to verify that the configurations behind your Diligence findings are updated, public-facing, and remediated before you request a finding refresh.
Review Finding Details
When viewing findings in the Findings Table:
- Check the Refresh Status: If the refresh status is Refreshed - Finding Updated, we were able to get sufficient data from the asset to update the finding with new information. If the refresh status is Refreshed - Asset Not Reached, we were NOT able to get sufficient data from the asset and could not update the finding with new information. See Asset Not Reached troubleshooting.
- Look at the Finding Grade: The issue is generally considered fixed if the grade is now GOOD and the finding impacts the risk vector grade.
- Look at the Details Column: If there are details listed, select the finding row to open a panel containing details, remediation instructions, and impacted assets. Check the Details column even when the finding grade is GOOD. Additional risk vector-specific fields in the finding details can provide more clarity into remaining issues.
Example:
- The Details column can clarify whether or not the issue you are trying to fix is still present. If you have attempted to remediate the finding but the grade is unchanged, or the Last Seen date keeps advancing (meaning the issue was observed again), then the problem still exists.
- The Details column can indicate changes and further developments related to a finding. In some cases, a new finding is created with the same grade as before. This usually occurs because of changes in the reported issue(s), as seen in the Details column.
Commands
You may also run live calls against the assets in question through your Terminal or command line.
Commands requiring specific asset data from your finding to be inserted (variables) are indicated by the underlined text.
Disclaimer:
- We do not own these commands and cannot assist with the installation, configuration, or maintenance of a test environment or related resources. Please work with your internal technical teams to establish the ability to use these resources.
- We do not own, maintain, or have any affiliation with the tools suggested in this guide. They are a supplemental way to view configurations. There is no guarantee that any impact will be made to your rating.
- We may reference third-party tools, but we do not rely on them as a definitive means of assessment. Many popular tools evaluate against a different set of values, so what passes in one tool may not be sufficient within Bitsight.
- Our grading criteria stem from subject matter experts and standards set by external governing bodies. You can always reference each risk vector's assessment criteria to confirm what makes up the grading process.
Verify for:
- Web Application Headers
- SPF Domains
- DKIM Records
- Open Ports
- TLS/SSL Certificates & TLS/SSL Configurations
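The per-vector commands live on the linked pages above. As an added example (not Bitsight's own commands, and not its grading criteria), the POSIX sh script below shows how to turn the raw output of the usual command-line tools for each of those vectors (curl, dig, nmap, openssl) into a quick pass/fail style check you can run before requesting a refresh. Each check_* function takes the raw text as its argument, so it runs offline against the constructed samples embedded here and can equally be fed live output; the hostnames, the DKIM selector, and the set of headers checked are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Bitsight's commands. Live collection (network needed;
# example.com and selector1 are placeholders you must replace):
#   curl -sI -m 10 https://example.com/                            -> check_headers
#   dig +short TXT example.com                                     -> check_spf
#   dig +short TXT selector1._domainkey.example.com                -> check_dkim
#   nmap -Pn -p 21,22,23,3389 example.com                          -> open_ports
#   openssl s_client -connect example.com:443 -servername example.com </dev/null -> check_tls_version

# Print which of a set of common security headers are absent from a response.
# The header set is an assumption for illustration, not a grading criterion.
check_headers() {
    missing=""
    for h in strict-transport-security content-security-policy \
             x-frame-options x-content-type-options; do
        if ! printf '%s\n' "$1" | grep -qi "^$h:"; then
            missing="$missing $h"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Classify an SPF record by its terminating mechanism (the last token).
check_spf() {
    rec=$(printf '%s' "$1" | tr -d '"' | sed 's/[[:space:]]*$//')
    case "$rec" in
        v=spf1*) ;;
        *) printf 'missing\n'; return 0 ;;
    esac
    last=${rec##* }
    case "$last" in
        -all)       printf 'hard-fail\n' ;;
        '~all')     printf 'soft-fail\n' ;;
        '?all')     printf 'neutral\n' ;;
        +all|all)   printf 'pass-all\n' ;;   # anyone may send as the domain
        redirect=*) printf 'redirect\n' ;;
        *)          printf 'no-all\n' ;;
    esac
}

# Check that a DKIM TXT record publishes a non-empty public key (p= tag).
# dig splits long records into several quoted strings; join them first.
check_dkim() {
    rec=$(printf '%s' "$1" | tr -d '" ')
    case "$rec" in
        *p=*) ;;
        *) printf 'missing-key\n'; return 0 ;;
    esac
    key=${rec#*p=}
    key=${key%%;*}
    if [ -z "$key" ]; then
        printf 'revoked\n'      # an empty p= tag means the key was revoked
    else
        printf 'published\n'
    fi
}

# List the ports that nmap "PORT STATE SERVICE" lines report as open.
open_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
            sub(/\/.*/, "", $1); out = out (out == "" ? "" : " ") $1
        }
        END { print out }'
}

# Pull the negotiated protocol out of openssl s_client output and flag
# anything below TLS 1.2.
check_tls_version() {
    proto=$(printf '%s\n' "$1" \
        | sed -n 's/^ *Protocol *: *\([^[:space:]]*\).*/\1/p' | head -n 1)
    case "$proto" in
        TLSv1.2|TLSv1.3) printf 'ok %s\n' "$proto" ;;
        '')              printf 'no-handshake\n' ;;
        *)               printf 'deprecated %s\n' "$proto" ;;
    esac
}

# Constructed sample output standing in for the live commands above.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
Content-Type: text/html'
SAMPLE_SPF='"v=spf1 include:_spf.example.net ~all"'
SAMPLE_DKIM='"v=DKIM1; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"'
SAMPLE_NMAP='PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
3389/tcp open   ms-wbt-server'
SAMPLE_TLS='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2'

echo "missing headers: $(check_headers "$SAMPLE_HEADERS")"
echo "spf:             $(check_spf "$SAMPLE_SPF")"
echo "dkim:            $(check_dkim "$SAMPLE_DKIM")"
echo "open ports:      $(open_ports "$SAMPLE_NMAP")"
echo "tls:             $(check_tls_version "$SAMPLE_TLS")"
```

Run it as-is to see the sample results, or replace each SAMPLE_* value with the output of the corresponding live command for the asset named in your finding. A "soft-fail" SPF result, a revoked DKIM key, an unexpected open port, or a deprecated TLS version tells you the observed configuration still differs from what you intended to deploy; compare against the risk vector's assessment criteria before requesting the refresh.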
- September 27, 2022: Published.