Managing Security Issues
Vulnerabilities are security flaws in an infrastructure that attackers may exploit to perform unauthorized malicious actions on your system. In Wallarm Console, you can analyze and manage the security flaws that Wallarm has detected in your system in the Events → Security Issues section.
Wallarm employs various techniques to discover security weaknesses.
Exploring security issues
To explore the security issues found for your external hosts, in Wallarm Console, go to the Security Issues section.
Here, detailed information on the found issues is presented, including:
- A full, filterable list of issues with a brief and a detailed description of each
- A list of the top vulnerable hosts
- The distribution of security issues by type
- A risk level evaluation and the distribution of security issues by risk level
- Monthly historical information on detected and resolved issues for the last 6 months
Issue details and lifecycle
Wallarm provides detailed information on each detected security issue so that you can clearly understand what is happening and what can be done about it.
Issue details
Click an issue in the list to open its details, such as:
- Basic info (type, host and URL, first and last seen time)
- Detailed description
- Measures for mitigation
- Information on linked CVEs, ranked by risk, as additional information
Issue lifecycle
Once a security issue is detected, it gets the Open status, meaning that measures are required to mitigate it. In the issue details, you can close it (meaning it was resolved) or mark it as false.
It is useful to provide a comment on each status change, giving others a full view of the reason for the change. The author and time of each change are tracked automatically.
Security issues can be closed by Wallarm automatically after the next automatic or manual rescan in the following cases:
- Port not found during last scan
- Network service has changed
- New version of the product detected
- Vulnerable version no longer present
- Vulnerability not detected during last scan
Issues can be re-opened automatically after the next rescan, or manually. Note that issues marked as false are never re-opened automatically.
Changing risk level
To re-evaluate the risk level of an issue, go to its details and select a new risk level from the list.
Adding comments
While it is always useful to provide a comment on a status change (closing, re-opening), you can also add a comment to an issue at any moment without changing anything else. To do so, use the Add comment button: your comment becomes part of the Status history.
Status history
To keep you on track, the full history of changes and comments is displayed in the Status history section of the security issue.
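The lifecycle rules above (Open on detection, manual close or mark-as-false, automatic close only for the listed rescan reasons, automatic re-open on rescan except for issues marked as false, and an audit trail of author, time and comment for every change) are modelled in the following Python example. It is an added illustration, not Wallarm's own code or API: the `SecurityIssue` class, the `apply_rescan` helper and the `"rescan"` pseudo-author are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import List, Optional


class Status(Enum):
    OPEN = "open"
    CLOSED = "closed"
    FALSE = "false"  # marked as a false finding; never re-opened automatically


# The only reasons for which an issue is closed automatically after a rescan.
AUTO_CLOSE_REASONS = {
    "Port not found during last scan",
    "Network service has changed",
    "New version of the product detected",
    "Vulnerable version no longer present",
    "Vulnerability not detected during last scan",
}

RISK_LEVELS = ("Info", "Low", "Medium", "High", "Critical")


@dataclass
class HistoryEntry:
    time: datetime
    author: str
    action: str
    comment: str


@dataclass
class SecurityIssue:
    issue_id: int
    title: str
    risk: str
    status: Status = Status.OPEN
    history: List[HistoryEntry] = field(default_factory=list)

    def _record(self, author: str, action: str, comment: str) -> None:
        # Author and time are tracked automatically for every change.
        self.history.append(HistoryEntry(datetime.now(timezone.utc), author, action, comment))

    def close(self, author: str, comment: str) -> None:
        self.status = Status.CLOSED
        self._record(author, "closed", comment)

    def mark_false(self, author: str, comment: str) -> None:
        self.status = Status.FALSE
        self._record(author, "marked false", comment)

    def reopen(self, author: str, comment: str) -> None:
        self.status = Status.OPEN
        self._record(author, "re-opened", comment)

    def set_risk(self, author: str, new_risk: str, comment: str = "") -> None:
        if new_risk not in RISK_LEVELS:
            raise ValueError(f"unknown risk level: {new_risk!r}")
        old, self.risk = self.risk, new_risk
        self._record(author, f"risk {old} -> {new_risk}", comment)

    def add_comment(self, author: str, comment: str) -> None:
        # A comment on its own changes nothing else but still lands in the history.
        self._record(author, "comment", comment)

    def apply_rescan(self, still_detected: bool, close_reason: Optional[str] = None) -> bool:
        """Apply a rescan result; return True if the status changed."""
        if still_detected:
            # Only closed issues are re-opened; FALSE issues stay as they are.
            if self.status is Status.CLOSED:
                self.reopen("rescan", "vulnerability detected again")
                return True
            return False
        if self.status is Status.OPEN:
            if close_reason not in AUTO_CLOSE_REASONS:
                raise ValueError(f"not an automatic close reason: {close_reason!r}")
            self.close("rescan", close_reason)
            return True
        return False


if __name__ == "__main__":
    issue = SecurityIssue(106279, "Vulnerable version of Nginx: 1.14.2", "Medium")
    issue.apply_rescan(False, "Vulnerable version no longer present")
    issue.apply_rescan(True)          # re-opened automatically
    issue.mark_false("analyst", "version string is spoofed by a reverse proxy")
    issue.apply_rescan(True)          # stays FALSE
    for entry in issue.history:
        print(entry.time.isoformat(), entry.author, entry.action, entry.comment)
```

The `apply_rescan` method refuses to auto-close for a reason outside the documented list, which keeps manual closes (with their human author and comment) distinguishable from scanner-driven ones in the history.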
Issue risk level
Each discovered security issue is automatically assessed by how much risk it poses, as described in the table below.
Risk | Description | Examples |
---|---|---|
Critical | The vulnerability's presence may lead to a system compromise, allowing an attacker to remotely execute code or cause a denial of service (DoS) or service degradation. Immediate reaction is required. | |
High | The presence of the vulnerability may lead to partial system compromise, such as database access or limited access to the filesystem. In specific circumstances (e.g., if special requirements are met or if chained with other vulnerabilities), the vulnerability may lead to system compromise (e.g., remote code execution). | |
Medium | The vulnerability may lead to bypassing security controls or to limited exposure or access, but without full compromise. It can allow access to sensitive data or configurations and can potentially be leveraged in a more complex attack chain. | |
Low | The vulnerability has minimal impact and does not directly lead to significant damage or exploitation, as the required conditions are too complex. However, it can be combined with other vulnerabilities to escalate an attack. | |
Info | The issue does not pose an immediate security risk but should still be reviewed for potential manual validation. It often involves exposure of non-critical data or violation of best practices. | |
* If the software version contains multiple CVEs, including critical ones, the overall risk level is assessed as high. The risk level is reduced by one level because the presence of a vulnerable version does not explicitly indicate the existence of the vulnerability. For example, the vulnerability may occur only in a specific, non-default configuration or require certain conditions to be met.
You can re-evaluate and manually adjust the risk level at any moment.
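The footnote above gives one instance of the rule for version-based findings (a version carrying a critical CVE is rated High). The following added Python example, which is not Wallarm's code, generalises that rule on the assumption that the finding takes the highest risk among its linked CVEs and reduces it by one level, flooring at Info; it also ranks the linked CVEs by risk as the issue details do. The CVE identifiers in the sample are placeholders, not real CVEs.

```python
from typing import Dict, List

# Risk levels in ascending order of severity, as in the table above.
RISK_ORDER = ["Info", "Low", "Medium", "High", "Critical"]


def rank_cves(cves: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Order linked CVEs from highest to lowest risk."""
    for cve in cves:
        if cve["risk"] not in RISK_ORDER:
            raise ValueError(f"unknown risk level {cve['risk']!r} for {cve['id']}")
    return sorted(cves, key=lambda c: RISK_ORDER.index(c["risk"]), reverse=True)


def version_finding_risk(cves: List[Dict[str, str]]) -> str:
    """Risk for a 'vulnerable version' finding (assumed generalisation of the page's rule).

    The highest risk among the linked CVEs is reduced by one level, because a
    vulnerable version string does not prove the vulnerability is reachable
    (it may need a non-default configuration or other conditions).
    """
    if not cves:
        raise ValueError("a vulnerable-version finding needs at least one linked CVE")
    highest = RISK_ORDER.index(rank_cves(cves)[0]["risk"])
    return RISK_ORDER[max(highest - 1, 0)]  # never below Info


# Constructed sample with placeholder identifiers (not real CVEs).
SAMPLE_CVES = [
    {"id": "CVE-XXXX-0001", "risk": "Medium"},
    {"id": "CVE-XXXX-0002", "risk": "Critical"},
    {"id": "CVE-XXXX-0003", "risk": "High"},
]

if __name__ == "__main__":
    print([c["id"] for c in rank_cves(SAMPLE_CVES)])
    print(version_finding_risk(SAMPLE_CVES))  # High: Critical reduced by one level
```

Because the reduction is applied only to version-based findings, a directly confirmed vulnerability (one actually detected during a scan rather than inferred from a version banner) would keep its full rating; that distinction is why manual re-evaluation of the level remains available.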
Security issue reports
You can download a report on all or filtered security issues in CSV or JSON format using the Download report button.
Notifications
Email
You automatically receive notifications to your personal email (the one you use to log in) about discovered hosts and security issues, including:
- Daily critical security issues (new only) - all critical security issues opened during the day, sent once a day with a detailed description of each issue and instructions on how to mitigate it.
- Daily security issues (new only) - statistics for the security issues opened during the day, sent once a day with information on how many issues of each risk level were found and general action items for mitigation.
- Weekly AASM statistics - information about hosts, APIs, and statistics for the security issues discovered for your configured domains within the last week.
These notifications are enabled by default. You can unsubscribe at any moment and configure additional emails to receive all or some of these notifications in Wallarm Console → Configuration → Integrations → Email and messengers → Personal email (your email) or Email report (extra emails), as described [here][link-integrations-email].
Instant notification
You can configure instant notifications for new and re-opened security issues. Select all or only some of the risk levels that should trigger a notification. A separate message is sent for each security issue.
Example:
[Wallarm System] New security issue detected
Notification type: security_issue
New security issue was detected in your system.
ID: 106279
Title: Vulnerable version of Nginx: 1.14.2
Host: <HOST_WITH_ISSUE>
Path:
Port: 443
URL: <URL_WITH_ISSUE>
Method:
Discovered by: AASM
Parameter:
Type: Vulnerable component
Risk: Medium
More details:
Client: <YOUR_COMPANY_NAME>
Cloud: US
You can configure instant notification for the security issues in Wallarm Console → Configuration → Integrations → YOUR_INTEGRATION as described in your integration documentation.
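Where the instant notification is delivered as plain text (for example to a webhook or messenger), a receiving script usually needs to turn it back into fields and decide whether it deserves attention. The following added Python example, which is not part of Wallarm's documentation or tooling, parses a message in the format shown above into a dictionary, treats empty fields such as `Path:` or `Method:` as absent, and applies a minimum-risk filter. The `parse_notification` and `should_alert` names are assumptions, and the sample message is a constructed copy of the page's example.

```python
import re
from typing import Dict, Optional

RISK_ORDER = ["Info", "Low", "Medium", "High", "Critical"]

# Constructed sample, modelled on the instant notification shown above.
SAMPLE_MESSAGE = """[Wallarm System] New security issue detected
Notification type: security_issue
New security issue was detected in your system.
ID: 106279
Title: Vulnerable version of Nginx: 1.14.2
Host: <HOST_WITH_ISSUE>
Path:
Port: 443
URL: <URL_WITH_ISSUE>
Method:
Discovered by: AASM
Parameter:
Type: Vulnerable component
Risk: Medium
More details:
Client: <YOUR_COMPANY_NAME>
Cloud: US
"""

# A field is "Key: value" where the key is letters and spaces only; the first
# colon ends the key, so a title such as "Nginx: 1.14.2" keeps its own colon.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")


def parse_notification(text: str) -> Dict[str, Optional[str]]:
    """Return the notification fields; empty fields are stored as None."""
    fields: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if not match:
            continue  # subject line and free-text sentence carry no field
        key, value = match.group(1), match.group(2).strip()
        fields[key] = value or None
    return fields


def should_alert(fields: Dict[str, Optional[str]], min_risk: str = "High") -> bool:
    """True when the issue's risk level is at or above min_risk."""
    risk = fields.get("Risk") or "Info"
    if risk not in RISK_ORDER or min_risk not in RISK_ORDER:
        raise ValueError(f"unknown risk level: {risk!r} / {min_risk!r}")
    return RISK_ORDER.index(risk) >= RISK_ORDER.index(min_risk)


def issue_port(fields: Dict[str, Optional[str]]) -> Optional[int]:
    """Port as an integer, or None when the message has no port."""
    port = fields.get("Port")
    return int(port) if port and port.isdigit() else None


if __name__ == "__main__":
    parsed = parse_notification(SAMPLE_MESSAGE)
    print(parsed["ID"], parsed["Title"], parsed["Risk"], issue_port(parsed))
    print("alert:", should_alert(parsed, "Medium"))
```

Because a separate message is sent per issue, keying on `ID` lets a receiver deduplicate re-deliveries and correlate a later re-open notification with the original finding.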