Software Composition Analysis with AcuSensor in Acunetix 360

AcuSensor can analyze your web application's software composition and list all components.

  • More and more web applications rely on third-party components, so your web application's security also depends on the security of these components.
  • However, manually tracking whether these components have vulnerabilities, and whether any update addresses these issues, takes a lot of time and effort.

As a black-box security tool, Acunetix 360 can detect technologies used in your web application. It tracks and reports on problems, such as whether any of the technologies are out-of-date or whether a specific version has any issues.

  • The technology feature relies on HTTP headers and responses, while AcuSensor works inside your application, so AcuSensor can identify your entire technology stack.
  • It can also detect whether these components are secure by using a vulnerability database.

This topic explains how to run software composition analysis with AcuSensor in Acunetix 360.

Running software composition analysis with AcuSensor in Acunetix 360

Prerequisites

Tips

If you have already installed Shark (IAST) in your environment, it is highly recommended that you re-download your Shark files and redeploy them in order to use the SCA capabilities.

There are three steps to this:

  1. Configure a scan policy for the Software Composition Analysis (SCA)
  2. Scan your application with the scan policy created in the 1st step
  3. Review the scan result

Step 1. Configuring a scan policy for SCA

How to configure a scan policy for SCA
  1. Log in to Acunetix 360.
  2. From the main menu, select Policies > New Scan Policy.
  3. From the New Scan Policy page, enter a name and a description for your new scan policy.
  4. From the Security Checks section, select Software Composition Analysis.

  5. Select Save.

Step 2. Scanning your application with the custom scan policy

After you create a custom scan policy that includes the Software Composition Analysis check, you can launch a scan to detect whether your technology stack has any vulnerabilities.

How to scan your application with the custom scan policy
  1. Log in to Acunetix 360.
  2. From the main menu, select Scans > New Scan.

Information

Before scanning your website in Acunetix 360, make sure you have added a website (see Adding a website in Acunetix 360).

  3. In the Target URL field, enter the URL.
  4. From the Scan Policy drop-down, select your custom policy created in the 1st Step.

Information

Make sure you select AcuSensor and deploy the related AcuSensor.

  5. Select Launch to scan.

How to run a group scan with the custom scan policy
  1. Log in to Acunetix 360.
  2. From the main menu, select Scans > New Group Scan.
  3. From the New Website Group Scan page, select Website Group from the drop-down menu.
  4. From the Scan Policy drop-down, select your custom scan policy created in the 1st Step.
  5. Select Launch to scan.

Step 3. Reviewing the scan result

When you launch the scan, Acunetix 360 crawls and attacks your web application to identify vulnerabilities.

Once Acunetix 360 completes the scan, it sends an email containing the link to the report. If you did not configure an email notification, you can log in to Acunetix 360 and check your report. Alternatively, you can check the Technology dashboard to view all vulnerable components identified.

How to access your scan report
  1. Log in to Acunetix 360.
  2. From the main menu, select Scans > Recent Scans.
  3. Next to the relevant scan, select Report.
  4. On the Scan Summary page, scroll down to the Technical Report section to view your scan report.

From the Technical Report, you can also select the Knowledge Base tab, then Software Composition Analysis (SCA), to view all vulnerable components identified in that security scan. For further information, see Software Composition Analysis (SCA) Node.

In addition, you can visit the Technology Dashboard to see the vulnerable components identified in all scans.

How to view vulnerable components on the Technology Dashboard

  1. Log in to Acunetix 360.
  2. From the main menu, select Technologies > Dashboard.

For further information, see Technologies.


 