Based on feedback received from multiple customers, we have come up with a new format for the reports. Currently we show each instance of the vulnerability in our report and dashboard without grouping. This becomes cumbersome for customers as they are not able to track what the vulnerabilities are at each URI level, places and how many variances are there clearly. It is to address this that we have come up with a new reporting feature.
Salient Features:
Grouping is done considering how customers use the reporting feature, especially concentrating on remediation.
Vulnerabilities that we deem to be fixed at config level are grouped together. So all instances of such kind of vulnerability will be clubbed together with the idea that customers would need to fix it at only one place and all the instances of such vulnerabilities will be fixed. For example: ASP.NET Debug Feature Enabled; though many instances of this vulnerability will be reported, the fix is at one place.
If the vulnerabilities are not at config level then we look at which part of the request/response is the vulnerability found. Vulnerabilities found in similar areas across the entire website is again grouped together, since the fix again will be at only one place.
For example: If a particular vulnerability is found in a particular cookie then they are grouped together, so no matter how many instance, the fix will be at the cookie level and once fixed it will solve the issue across the entire website.
If vulnerabilities do not have any common characteristic as defined above then the vulnerability will be grouped based on where the vulnerability is found.
To make life easier for customers we have now created an HTML version of the report, which can be accessed from the client portal.
Summarization has also changed. Reference Figure. This gives customers an idea on the type of vulnerabilities found, where the vulnerabilities were found and how many fixes are required along with the number of instances needed. The no of Instances will tally with the current count in the reports.Figure
To make the transition easier, for 1 month customers will have the ability to switch between old and new reports. By default, the new reports will be shown and any user can revert to the old report by changing the settings. There are no changes in portal for now. Once we have enough feedback we will do similar grouping in the portal too.
