Integrations, Reporting, and Governance
Introduction to Integrations
Integrating Acunetix 360 into Your Existing SDLC
We developed the TeamCity, Jenkins and Bamboo plugins to help you complete the Acunetix 360-assisted SDLC. Using our plugins, users with Administration permissions can now automate test scans, which are run using the Acunetix 360 API in the continuous integration build. We have substantial documentation to assist you with integrating Acunetix 360.
For further information on installing and configuring the plugins, see:
- Acunetix 360 TeamCity Plugin and Installation
- Acunetix 360 Jenkins Plugin and Installation
- Acunetix 360 Bamboo Plugin and Installation
What is the SDLC?
The software industry has refined the Software Development Life Cycle process over many years. It is the process that software developers use to design, develop and test resilient, quality software that meets the requirements of potential customers or specific commissioning clients. It must also meet stated budgets and deadlines.
Normally, software development passes through these key stages, beginning with Planning.
- The Planning stage begins with gathering requirements from potential purchasers, industry experts and existing research, and the organization's own sales team. Collated information helps determine whether a project is financially and technically viable.
- The Defining stage involves getting clarity on the product requirements and documenting them, often by way of a Software Requirement Specification (SRS), which is then approved by the customer or by the Business Analysts in the organization.
- The Designing stage is based on the SRS, which product architects use to construct a Design Document Specification (DDS) that may include various potential design approaches, including architecture, data flow and third-party integrations.
- The Building stage is when development begins. Developers follow the DDS and generate code according to their organization's coding guidelines document.
- The Testing stage can happen during all other previous stages and includes reporting of defects, which are fixed until the product reaches the required standard.
- The Deployment stage is when the product is released into the relevant market, or directly to the customer. Sometimes, this can be divided into further stages, released in a limited way first and tested, then released again following further fixes.
For further information, see Configuring User Mappings and Disabling the Assigning of Issues in Acunetix 360 to the Code Committer.
What Systems Does Acunetix 360 Integrate With?
Even though a web application security scanner is a standalone tool, it needs to integrate with other software and tools that are used by security professionals and developers. This is a list of all the software and systems that can be integrated with Acunetix 360.
With Acunetix 360, you can use API Endpoints to view Issues information in list format. This enables you to integrate the Issues information detected by Acunetix 360 with other applications or internal systems.
Issue Tracking Systems
In Acunetix 360, you can configure and export vulnerabilities as bug reports to the following Issue Tracking systems.
System | Acunetix 360 |
Azure Boards | |
BitBucket | |
Bugzilla | |
Clubhouse | |
Defect Dojo | |
FogBugz | |
Freshservice | |
GitHub | |
GitLab Issues | |
Jira | |
Kafka | |
Kenna | |
PagerDuty | |
Redmine | |
ServiceNow Incident Management | |
Splunk | |
TFS (Team Foundation Server) | |
Unfuddle | |
YouTrack | |
Project Management
In Acunetix 360, you can configure integrations with the following Project Management systems.
System | Acunetix 360 |
Asana | |
Trello | |
Continuous Integration Systems
You can configure integrations with the following Continuous Integration systems.
System | Acunetix 360 |
Azure Pipelines | |
Bamboo | |
CircleCI | |
GitLab CI/CD | |
UrbanCode Deploy | |
GitHub Actions | |
Jenkins | |
TeamCity | |
TravisCI | |
Single Sign-On (SSO) Providers
You can integrate Acunetix 360 with the following Single Sign-On providers.
System | Acunetix 360 |
Azure Active Directory | |
ADFS (Microsoft Active Directory Federation Services) | Configuring Microsoft Active Directory Federation Services Integration with SAML |
Okta | |
PingFederate | Configuring PingFederate Single Sign-On Integration with SAML |
PingIdentity | Configuring PingIdentity Single Sign-On Integration with SAML |
SAML (Security Assertion Markup Language) | |
Communication
You can integrate Acunetix 360 with the following Team Messaging Systems.
System | Acunetix 360 |
Mattermost | |
Microsoft Teams | |
Slack | |
Privileged Access Management
You can integrate Acunetix 360 with the following Privileged Access Management systems.
System | Acunetix 360 |
HashiCorp Vault | |
CyberArk Vault | |
Azure Key Vault | |
API
You can integrate Acunetix 360 with the following APIs.
System | Acunetix 360 |
Webhook | |
Zapier | |
Vulnerability Management
You can integrate Acunetix 360 with the following vulnerability management system.
System | Acunetix 360 |
ServiceNow Vulnerability Response | Integrating Acunetix 360 with ServiceNow Vulnerability Response |
Web Application Firewalls
The scan results of Acunetix 360 can be exported as rules for various web application firewalls.
For further information, see Web Application Firewalls.
Other Integrations and Interoperability Capabilities
Acunetix 360 has a full-blown REST API that allows for easy integration.
For further information, see Acunetix Integrations.
If you require any assistance integrating one of the Acunetix 360 web vulnerability scanners into your systems, please get in touch.
Integrating Acunetix 360 into Your Vulnerability Management System
Acunetix 360 has integrations with various security solutions (e.g. Lunarline) that enable you to export web security scan results generated by Acunetix 360 to other systems.
What is Vulnerability Management Software?
Vulnerability management software allows you to import scan results generated by different automated security scanners into one centralized location, allowing better management of the entire security process.
- The use of multiple automated tools to scan different components (applications, networks, servers) in an organization's IT infrastructure can lead to lots of separate reports. By importing all the scan results to vulnerability management software, security professionals can centralize their reports and gain a better overview of the security state, easing the job of remediating security flaws.
- Some security professionals use different scanners against the same target, resulting in overlapping reports. Importing scan results to one vulnerability management system enables the elimination of duplicate issue reports.
Acunetix 360 Integration with Vulnerability Management Solutions
We understand that you are not only responsible for the security of your web applications. Our partnership with a number of vulnerability management software vendors provides you with a good choice of which solution to integrate with Acunetix 360.
This is a list of solutions that can be used to import Acunetix 360 scan results.
- Threadfix Vulnerability Manager
- Kenna Security Vulnerability & Risk Intelligence (previously Risk I/O Vulnerability Dashboard)
- LunarLine Vulnerability Scan Converter
Information: If you use a vulnerability management solution that is not listed above, contact your vendor so they can get in touch with us and we can partner with them.
Centralizing Web Security Scan Results
If you are responsible for the security of many websites and web applications and would like to centralize all their security scan results, you can also use Acunetix 360, our online web application security scanner, which is specifically tailored to help organizations manage the security of their websites and web applications.
Reports
Introduction to Reports
After a scan is complete, you can generate a report on Acunetix 360 to provide you with information on the scan results in summary or detailed form, as well as vulnerability details. There are many types of reports, such as built-in reports, report templates, lists and custom reports. Acunetix 360 also enables you to generate statistical reports, troubleshoot inconsistent scan results and create a custom report policy.
For further information, see Built-In Reports, Reports Templates and Lists.
Why Do We Need Reports?
Web security scanning is of no value unless scan reports are generated. Acunetix 360 sends the right reports to the right audience. Reports provide evidence that a web application security scan has taken place and has been completed. Reports give different types and levels of users all the information they need about the related scan:
- Support departments need reports to enable them to focus on discovered vulnerabilities and anticipate client needs
- Directors need reports to enable them to provide evidence of compliance for councils and other legislative bodies
- Managers need management reports to enable them to understand the potential business implications, so that they can prioritize the fixing of issues
- Developers need technical reports to enable them to start fixing each issue and vulnerability
For further information, see Executive Summary Report, Technical Report, and Trend Matrix Report.
Reports Help You Meet Compliance Regulations
Whether your organization needs to meet ISO 27001, PCI DSS, HIPAA or the standards of other compliance and regulation bodies, reports help you to identify the areas in which your web application falls short.
But it is also important for organizations to develop their own data security standards and information security policies. For some regulations – such as PCI DSS – it is essential to do quarterly scans. By creating reports, you can observe and record the changes in security improvements that your organization makes in each quarter. That way, you can continue working toward meeting the requirements.
For further information, see HIPAA Compliance Report, ISO 27001 Compliance Report, OWASP Top Ten 2013 Report, OWASP Top Ten 2017 Report and PCI DSS Compliance Report.
Reports Help You Fix Issues
Once the scan has finished, Acunetix 360 will send you an email with a summary of the results. This provides you with a basic overview of the issues and vulnerabilities that Acunetix 360 has discovered. If you want detailed information for each issue, you need to generate the relevant report.
Reports are important for learning about the actions that need to be taken for each issue. In this way, you can begin to solve each issue in order to make your web applications more secure. Reports can also help you keep track of your developers’ productivity and capabilities, ensuring that no vulnerability reaches your Live environments.
Acunetix 360 has a huge vulnerability database that gives information on the Impact, Actions to Take, Remedy, References, Classification, CVSS Score and Proof of Concept or Proof of Exploit for each issue.
For further information, see Detailed Scan Report and Knowledge Base Report.
Chart Reports
In addition to Built-In Reports and Report Templates, in Acunetix 360 you can also generate a variety of statistical reports for a particular website group or vulnerability during a specific date range.
Report | Description |
Issues per Period | This report displays the number of issues (e.g. SQL Injection) detected on this account, within the configured time period. |
Vulnerable Website Groups per Period | This report displays the number of issues detected on this account, grouped by Website Group, within the configured time period. |
Vulnerable Websites per Period | This report displays the number of issues detected on this account, grouped by Website, within the configured time period. |
Issue Trend per Period | This report displays the number of issues detected on this account, grouped by week, within the configured time period. |
Scans per Website Group | This report displays the number of scans run on this account, grouped by Website Group, within the configured time period. |
PCI Compliance | This report displays the vulnerabilities categorized as listed in the PCI Compliance guidelines. It is exportable as an HTML file. For further information, see PCI Scanning in Acunetix 360 and PCI DSS Compliance Report. |
Overview of Report Policies in Acunetix 360
A report policy is a list of reporting settings for web security scan results and reports.
When you run a scan, you attach a report policy to it. While the scan policy determines which checks Acunetix 360 runs, the report policy determines how the results are reported. Use it with care: for example, if you change the severity level of SQL Injection to Best Practice, you may miss a critical security issue in your web application.
With a report policy, you can do the following:
- Specify which detected vulnerabilities Acunetix 360 should report in the Scan Results.
- Change the Severity level, the visibility, and the classification properties of a vulnerability.
A Custom Report Policy enables you to configure these settings, including how the web security scanner displays its findings in the Acunetix 360 application and in reports. (If you want to enable or disable specific security checks in the actual scan itself, you should configure a Scan Policy instead.)
While you can create your own report policy in line with your requirements, you can also rely on Acunetix 360's built-in Report Policy, the Default Report Policy. It is read-only and provides the default settings for your custom Report Policies. You can clone existing Report Policies or create new ones, and then modify the new custom report policy to suit your requirements.
For creating your own report policy, see Custom Report Policies.
Knowledge Base Nodes
During scans, Acunetix 360 collects information about the web application and displays it in various nodes in the Knowledge Base. This information helps you understand your web application better and learn how attackers are likely to proceed. Knowledge Base node information also helps security practitioners fine-tune scans for better coverage.
For further information, see Knowledge Base Tab, and Knowledge Base Report.
This table lists and explains the Knowledge Base nodes found in Acunetix 360.
Node | Description |
AJAX / XML HTTP Requests | This is a list of the AJAX / XML HTTP Requests found in the target application. From this node, you can check that Acunetix 360 is detecting and simulating all of these requests, especially when scanning a client-side script heavy web application such as a single page application. This is sometimes referred to as the XML HTTP Requests List. For further information, see AJAX / XML HTTP Request Node. |
Comments | This is a list of source code comments. Some of them may contain sensitive keywords, highlighted in red and bold. This is the most overlooked security issue of all and could lead to sensitive information disclosure. It is very typical for developers to leave very sensitive information in web applications, such as connection strings, administrative account credentials, details of the test environments and much more. Acunetix 360 allows users to add new entries to the list of sensitive comment patterns so they are alerted once this type of entry is identified in the source code comments. Users can also modify the existing patterns from the Comments node in the Acunetix 360 settings. For further information, see Comments Node. |
Cookies | This is a list of cookies set by the target application. Cookies can disclose a lot of information about the target website that attackers can use to craft a malicious attack. From this node, security professionals have access to a centralized list of all cookies, so they can analyse them one by one and identify any cookie-related security issues. For further information, see Cookies Node. |
Crawling Performance | This is a table with information on crawling performance, such as Parsing Source, Crawled Link Count, Total Response Time, and Average Response Time. For further information, see Crawling Performance Node. |
CSS Files | This is a list of CSS Files found in the target application. Modern web applications have dynamic CSS files (ones that accept input from other sources and variables) so they can also be an attack vector. Even though Acunetix 360 automatically scans target web applications for potential vulnerabilities in CSS files, this list is useful for users who need to manually analyze them. This is sometimes referred to as the Client CSS File List. For further information, see CSS Files Node. |
Email Addresses | This is a list of email addresses found in the target application. Although having clear text email addresses on a website is not a vulnerability in itself, it is good to know what email addresses are published on the website. For further information, see Email Addresses Node. |
Embedded Objects | This is a list of all the embedded objects such as Flash files or ActiveX components that were discovered in the target web application, and their location. For further information, see Embedded Objects Node. |
External CSS Files | This is a list of all the external CSS files the target website uses. This is for information purposes only. For further information, see External CSS Files Node. |
External Frames | This is a list of frames found in the target application that originate from an external source. Similar to external scripts, external frames may be the result of an already hacked website. This is why it is good for security professionals to know about all the external objects in a web application. For further information, see External Frames Node. |
External Scripts | This is a list of external scripts found in the target application. An external script from a non-trusted source should be considered a security risk, since it might be tampered with by someone else to execute malicious JavaScript on the target web application. Such tampering might result in a stored or permanent Cross-site Scripting vulnerability. Information in this knowledge base node can also help users determine whether the target web application has already been hacked; for example, whether malware is being distributed via an injected script. All (un)trusted third-party scripts used in your web application are also listed in this knowledge base node. For further information, see External Scripts Node. |
File Extensions | This is a list of file extensions found in the target application. Under each extension, it will also list all the files with that extension. This information helps security professionals determine what is being served from the target web application. For further information, see File Extensions Node. |
Form Validation Errors | This is a list of Form Validation Errors found in the target application. This is an Information level issue that informs you about web forms that were unable to be submitted due to validation errors. For further information, see Form Validation Errors Node. |
Google Web Toolkit | This is a list of any GWT-RPC requests that are identified during a scan. When such requests are identified, it means that a web application built with Google Web Toolkit is running on the target server. They are sometimes referred to as GWT Requests. For further information, see Google Web Toolkit Node. |
Incremental Scan | This is a list of all the new links found during incremental scans, allowing you to identify newly-added pages. For further information, see Incremental Scan Node and How to Run an Incremental Scan in Acunetix 360. |
JavaScript Files | This is a list of JavaScript files found in the target application. Security professionals can refer to this centralized list of information to check that all JavaScripts on the target website are secure and are being used appropriately. This avoids the risk of neglecting to find some during a manual check. This is sometimes referred to as the Client Script List. For further information, see JavaScript Files Node. |
MIME Types | This is a list of MIME Types found in the target application. Under each MIME type, Acunetix 360 also lists all the files with that MIME type. This information is very useful in case further manual testing is required. It also helps security professionals spot any unusual files or types served by the server which could indicate a successful hack. For further information, see MIME Types Node. |
Not Founds | This is a list of all the web pages that return a 404 error. This is used to inform users that these pages are not reachable and therefore cannot be scanned. For further information, see Not Founds Node. |
Out of Scope Links | This is a list of all Out of Scope Links, both uncrawled and unattacked. From this knowledge base node, users can determine what was not scanned and why, to enable them to fine tune their security scan settings should they wish to also scan these links. For further information, see Out of Scope Links Node. |
Proofs | This is a list of all the data that is extracted as a Proof when exploiting a vulnerability: Identified Database Version, Identified Database Name and Identified Database User. This data could contain the username and database name for a SQL Injection, or the content of a file for a local file injection for example. From this node, you can discover how much potentially sensitive information the scanner was able to extract automatically for demonstration purposes. For further information, see Proofs Node. |
REST APIs | This is a list of the REST APIs or RESTful web services that are identified in a scan. Acunetix 360 automatically crawls and scans the RESTful web service. For further information, see REST APIs Node and Scanning a RESTful API Web Service. |
Scan Performance | This is a table with information on scan performance, such as source, request count, total response time, and average response time. For further information, see Scan Performance Node. |
Site Profile | This is a table with site profile information about the technologies used in the target website, such as JavaScript Libraries, Database Server and Operating System. For further information, see Site Profile Node. |
Slowest Pages | This is a table listing the top ten slowest pages by URL and Response Time. In this knowledge base node, the average response time of the target web application is displayed together with all the pages with the highest response time. Pages that are slow to load do not pose any security threat, except perhaps for a Denial of Service (DoS), but there is a reason why they are taking longer to load. It could be caused by errors or inefficiencies in the code, so it is still worth knowing about them for troubleshooting purposes. This is sometimes referred to as the Top Response Times List. For further information, see Slowest Pages Node. |
Software Composition Analysis (SCA) Node | This node displays an information table on third-party components detected by Acusensor in your web application. During the scan, Acunetix 360 identifies these components in your web application and lists them in the Knowledge Base panel. So, security and technical personnel can refer to the list to make sure that all third-party components are up to date and have no known vulnerabilities. For further information, see Software Composition Analysis (SCA) Node. |
SSL | This is a list of the information about the SSL certificate used in the target website, and the protocols and ciphers that are supported by the target server. Recently, there have been a number of issues with old ciphers and protocols, so it is good to know what the target web application supports, so you can fine tune the server's configuration. This is sometimes referred to as the SSL Knowledge Base Provider. For further information, see SSL Node. |
URL Rewrite | This node contains tables with information on the URL Rewrite settings and the URL Rewrite rules matched in the target application. Acunetix 360 scanners automatically configure their own URL rewrite rules when scanning a website that uses URL rewrites, so you do not have to manually configure them. If you need to verify the rules, or get a better understanding of the workings and setup of the target web application, check the rules that the scanner automatically configured. For further information, see URL Rewrite Node and URL Rewrite Rules. |
Web Pages With Inputs | This is a list of form inputs found in the target application. This list can be used by developers and QA (quality assurance) members for further manual testing. Security professionals find such information useful too, since it gives them a better overview of the attack surfaces of a web application. It is sometimes referred to as the Form Inputs List. For further information, see Web Pages With Inputs Node. |
Web Services (SOAP) | This is a list of SOAP web services found in the target application, with details on the operations and parameters of each. For further information, see Web Services (SOAP) Node. |
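As an added illustration of the kind of check the Comments node performs (this is example code written for this page, not Acunetix 360's own detection logic), the following Python collects HTML comments and comments inside inline script blocks from a constructed sample page and flags those matching a constructed, extensible list of sensitive-keyword patterns, reporting the line number of each hit:

```python
import re
from html.parser import HTMLParser

# Constructed sensitive-keyword patterns (an assumption for this example; the
# product's own configurable pattern list is not reproduced here).
SENSITIVE_PATTERNS = {
    "credential": re.compile(r"\b(password|passwd|pwd|secret|api[_-]?key)\b\s*[:=]", re.I),
    "connection string": re.compile(r"\b(Data Source|Initial Catalog|User ID|Server)\s*=", re.I),
    "admin account": re.compile(r"\badmin(istrator)?\b.*\b(user|account|login)\b", re.I),
    "internal host": re.compile(r"\b(staging|test|dev|uat)[\w.-]*\.(local|internal)\b", re.I),
    "todo/fixme": re.compile(r"\b(TODO|FIXME|HACK)\b"),
}

# JavaScript line comments and block comments (simplified: does not understand strings).
JS_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


class CommentCollector(HTMLParser):
    """Collect HTML comments and comments inside inline <script> blocks, with line numbers."""

    def __init__(self):
        super().__init__()
        self.comments = []          # list of (line_number, comment_text)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_comment(self, data):
        # getpos() still points at the "<!--" that opened this comment
        line, _ = self.getpos()
        self.comments.append((line, data.strip()))

    def handle_data(self, data):
        if not self._in_script:
            return
        # Inline script bodies are delivered as text; getpos() is the chunk start,
        # so the comment's line is the start line plus the newlines before it.
        base_line, _ = self.getpos()
        for m in JS_COMMENT.finditer(data):
            line = base_line + data.count("\n", 0, m.start())
            self.comments.append((line, m.group(0).strip("/* ").strip()))


def find_sensitive_comments(html, patterns=SENSITIVE_PATTERNS):
    """Return (line, label, comment) for every comment that matches a sensitive pattern."""
    collector = CommentCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for line, text in collector.comments:
        for label, pattern in patterns.items():
            if pattern.search(text):
                hits.append((line, label, text))
    return hits


# Constructed sample page for the demonstration; not taken from any real application.
SAMPLE_HTML = """<html>
<head>
<!-- TODO: move to config. Data Source=db01.internal;Initial Catalog=shop;User ID=sa -->
<script>
// admin account for the staging box: user admin / see wiki
var apiBase = "/api/v2";
/* FIXME: remove before release */
</script>
</head>
<body>
<!-- page layout wrapper -->
<p>Welcome</p>
</body>
</html>
"""

if __name__ == "__main__":
    for line, label, text in find_sensitive_comments(SAMPLE_HTML):
        print(f"line {line:>3}  [{label}]  {text}")
```

The inline-script matcher is deliberately simple and will misread `//` inside string literals such as URLs; it shows the shape of the check, not a replacement for the scanner's own parsing.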
Governance
Introduction to Team Management
Overview of Team Management in Acunetix 360
With Acunetix 360, you can manage your team better thanks to granular permissions and role-based access control. You can create as many teams as you need in Acunetix 360 and assign fine-grained roles to teams and team members to match the way you work.
Acunetix 360's team management capabilities provide flexibility for access management:
- You can group team members in any way you want and assign roles built from granular permissions.
- Members of a team inherit its permissions, in addition to any direct permissions assigned per member.
- Each member can belong to multiple teams.
- You can create custom roles from over 80 detailed permissions and assign them to members and teams.
- You can edit and delete roles and teams at any time.
More effective management and improved coordination
Effective management in the face of ever-increasing workloads requires good coordination and orchestration. The team management in Acunetix 360 lets you create as many teams and roles as you need. So, each team knows its exact scope of responsibilities and can perform better.
- You can, for instance, define a dedicated team responsible for running and scheduling vulnerability scans and a separate team tasked with fixing vulnerabilities. When defining team or member roles, you can select any combination of over 80 permissions.
- You can also edit teams and roles at any time in response to new projects, policies, and business priorities. The scheme ensures full transparency, so you always know exactly which teams and members have which permissions.
Making security everyone’s business
The teams and permissions system in Acunetix 360 makes it easy to involve a variety of stakeholders in the vulnerability management process. You can set up custom teams and granular roles that precisely match the responsibilities and permissions you need.
- You can, for example, define separate roles for security engineers, scan administrators, developers, team managers, and executives to enable self-service reporting and progress monitoring.
Seamless provisioning and handovers
Acunetix 360 makes it easy to define and manage teams and team permissions so a new employee can automatically get the right permissions without manual intervention by an administrator.
- Because a new member now inherits team permissions, simply adding the member already assigns the right starting roles. You can then add any individual permissions as necessary.
- With the new set of granular permissions, members can clearly see exactly what tasks they are allowed to perform. It is also much easier to follow the principle of minimum necessary privileges for improved security.
Managing Members in Acunetix 360
Acunetix 360 allows you to add and manage members with a range of secure permissions that enable access control. You also have the ability to assign them to Direct Roles, Website Groups, and Teams.
- Acunetix 360 helps you to safeguard your web application against malicious attacks by providing you with secure options when adding members to your team.
- You can add developers, analysts, executives, and others as members to ensure that everyone who is involved in securing the web application can coordinate and perform their roles safely.
- While adding new members, you can grant them different permissions. You can assign them to the existing Direct Roles, Website Groups, and Teams.
- Alternatively, you can create a unique role so that a single member with only one, unique task to perform has the correct access. For example, you can give a member permission only to start a scan. Or, you can add executives with permissions only to view reports or progress (to save them from having to request the information from others).
Managing Roles in Acunetix 360
Acunetix 360 allows you to create roles with preferred and secure permissions. You also have the ability to edit the roles already created.
- Acunetix 360 helps you to safeguard your web application against malicious attacks by providing you with secure options when creating various roles for a team and members.
- You can add developers, analysts, and other people as members, assigning them different permissions so that they can coordinate and perform their roles safely.
- You can assign members to existing roles, website groups, and teams. Or, you can create a unique role so that a member with a specific task to perform in your team has the correct access.
- For example, you can define a user who can start a web application security scan but cannot view the scan's reports, or a user who can view IP restrictions but cannot add or edit them.
Managing Teams in Acunetix 360
Acunetix 360 allows you to create teams with different roles to better safeguard your web application and manage member permissions effectively.
- Acunetix 360 helps you to safeguard your web application against malicious attacks by providing you with secure options for creating teams with different roles and members.
- You can add developers, analysts, and other people as members who inherit the team's current permissions directly, without the need for extra configuration.
- Also, you can create as many teams as you wish because Acunetix 360 does not limit the number of teams you can create. Each team can have different permissions. For example, one team can deal with scans and see reports, while another team can fix bugs. Such division helps you manage your team effectively.
User Permissions
Viewing Your Roles and Teams
You can add members with different roles and teams to your account if you are an account owner or have administrator privileges.
While admins can manage, edit, and view the teams and roles on the Members page in Acunetix 360, other members may not have access to this page.
Users with fewer privileges can instead view their own roles on the User Settings page.
Configuring Roles in Acunetix 360
Acunetix 360 is an online multi-user web application security solution.
You can have an Acunetix 360 user for every team member. You can create as many new users as you need – there is no limit. Adding all your developers, quality analysts, and other team members to Acunetix 360 helps you ensure that everyone who is involved in the development and upkeep of your web applications can act in a coordinated manner. They can then do what is required to protect the long-term security of your web applications, which includes addressing all vulnerabilities quickly.
Activity Logs
Acunetix 360 lets you view your log or other users' logs on the Activity Logs page. On this page, you can view which user carried out which action on a given date. It also details the endpoint type, such as Acunetix 360 UI and API.
Team members with the necessary permission can view all members' activities.
Activity Logs Fields
This table lists and explains the panels on the Activity Logs page.
Field | Description
User | The name of the user.
Action | The action that the user performed.
Endpoint Type | Where the user accessed Acunetix 360 from. This can be Web UI (the action was performed via the Acunetix 360 UI), API (the action was performed via the API endpoints), or Background Task (Acunetix 360 performed maintenance work or a scheduled task).
Date | The date on which the action was performed.
Notifications
Introduction to Notifications in Acunetix 360
With the Acunetix 360 web application security scanner, you can configure SMS and Email notifications so that you and your users are instantly informed about the status of a web application security scan or when specific vulnerabilities are detected by it.
Not all web applications and vulnerabilities have the same criticality. The urgency of fixing a cross-site scripting (XSS) vulnerability on a staging website is different compared to that of a cross-site scripting vulnerability on a live website.
- The live website needs immediate attention because it is available to the public. Attackers can easily find vulnerabilities on such websites and exploit them.
- On the other hand, you might expect to find vulnerabilities on a staging website. After all, that is the purpose of having and scanning a staging website for vulnerabilities – to identify any possible vulnerabilities before the code is migrated to a live environment.
The Email and SMS Notifications feature in Acunetix 360 allows you to receive notifications about important events. For example, you can select to be notified via SMS when one or more critical vulnerabilities are identified on a live website.
For further information, see Configuring the User Profile for Notifications and Managing Notifications.
Configuring the User Profile for Notifications
Providing an email address is mandatory for every Acunetix 360 user. So, by default, Acunetix 360 has the email address of every user. Your phone number, however, needs to be added manually. Once added, it will be used by the system to send the SMS notifications.
Only users with Administrator permission have access to this window.
For further information, see Managing Notifications.
How to Configure a User Profile for Notifications
- Log in to Acunetix 360.
- Select [Your Name] (top right of window), then User Settings.
- The Change User Settings window is displayed.
- In the Phone Number field, enter the phone number:
  - From the dropdown, select a flag for your location.
  - Enter your phone number.
- Click Update.
- Click Confirm in the Phone Number field. The Phone Number Confirmation panel is displayed.
- Click Send Confirmation Code. A six-digit confirmation code is sent to your phone.
- Retrieve the code from your phone, enter it into the Confirmation Code field and click Confirm.
How to Disable Issue Notifications for a User
- From the Settings menu, click General. The General Settings window is displayed.
- Check the Disable issue notifications that are sent by the system option.
- Click Save.
Managing Notifications
In Acunetix 360, you can view all the configured Notifications from the Manage Notifications window. You can Create, Clone, Edit and Delete existing Notifications.
You can also configure a notification to inform email and SMS recipients, including recipients external to Acunetix 360, following a Scan Completed event. So, you and your team members can be notified about the status of a web application security scan or when specific vulnerabilities are identified on the web applications you are scanning.
Not all web applications and vulnerabilities have the same criticality. The urgency of fixing a cross-site scripting (XSS) vulnerability on a staging website is different from that of a cross-site scripting vulnerability on a live website.
- The live website needs immediate attention because it is available to the public and attackers can easily find vulnerabilities and exploit them.
- On the other hand, finding vulnerabilities on a staging website is expected. After all, that is the purpose of scanning a staging website for vulnerabilities; to identify them before the code is migrated to a live environment.
New Notification Fields
This table lists and explains the columns in the New Notifications window.
Column | Description
Name | The name of the Notification. The default Notification names are descriptive, corresponding to the Event reported. When you create your own notification, you can enter whatever name you wish.
Status | Indicates whether the Notification is Enabled or Disabled.
Event | The event that the Notification reports. The options are:
Group | An option that lets users get one summary notification instead of separate notifications within a specified period. When the option is enabled, a slider is displayed, which ranges from 10 to 240 minutes. The options are:
Scope | Indicates that the notification will be sent if the scan is related to the website or website group. The options are:
Email Recipients | A list of the names and email addresses of the recipients that will receive an email notification.
SMS Recipients | A list of the names and phone numbers of the recipients that will receive an SMS notification.
Add Attachment Report | A field that is displayed when the Scan Completed option is selected in Event. It lets you specify various reports by adding the report type and format. Reports are sent as email attachments. Select New Report to select a report type and Clear to delete it.
Excluded Recipients | A list of the names of recipients that will not receive notifications related to this rule.
Integration Endpoints | Enter the Integration Endpoint name if required. This is a list of configured integrations, and is currently only available if you select the New Scan option in the Event dropdown, and only for Slack integrations.
Add Filter | A field that is displayed when the Scan Completed option is selected in Event. It lets you specify filtering options for vulnerabilities by adding filters. Only vulnerabilities matched by the filter are sent in the notification. Select New Filter to specify the filter and Clear to delete it. The filter fields are Field, Operator, and Value.
Filters
Email and SMS notifications are sent for the selected events, and you can apply filters to them.
For example, you may want to receive an email notification only if Acunetix 360 identifies a vulnerability whose severity level is High or above. If such a filter is set, Acunetix 360 sends notifications only when it detects vulnerabilities that match; otherwise it sends none. If you do not set any filters, you receive notifications about all vulnerabilities.
Similarly, issues are sent to integrations according to the filters you specify. If you do not specify any filters, all detected issues are sent to the integrations you selected. Filters let you decide precisely which issues reach each notification channel or integration.
This table lists and explains the fields in the Field column of Add Filter.
Field | Description
Severity | Specify a Severity level, and qualify it with a logical operator in the Operator field.
Is Confirmed | Use the Is Confirmed filter if you want to be notified only of verified issues.
Certainty | Provide a Certainty percentage (between 0 and 100) reflecting the accuracy of the issue, and qualify it with a logical operator in the Operator field.
State | Specify a State level. Use this filter if you want to receive a notification about the status of issues. This option only appears in the Integration Endpoint filtering. The state levels are explained as follows:
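As an added example, not Acunetix 360's own code, here is a small evaluator for filters of the Field / Operator / Value form described above, run over a constructed list of issues. The severity ordering, the operator names and the Issue/Filter structures are assumptions made for the example, not taken from the product.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Callable

# Assumed severity ordering, lowest to highest (not taken from the product).
SEVERITY_ORDER = ["Information", "Low", "Medium", "High", "Critical"]
# Assumed operator names; the page says only "logical operators".
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda a, b: a == b,
    "at_least": lambda a, b: a >= b,
    "at_most": lambda a, b: a <= b,
}

@dataclass
class Issue:
    name: str
    severity: str
    certainty: int       # 0-100, as described for the Certainty filter
    is_confirmed: bool

@dataclass
class Filter:
    field: str           # "Severity", "Is Confirmed" or "Certainty"
    operator: str
    value: Any

def matches(issue: Issue, flt: Filter) -> bool:
    """True when a single filter accepts the issue."""
    if flt.field == "Severity":
        # Compare by rank so that "at_least High" also covers Critical.
        return OPERATORS[flt.operator](SEVERITY_ORDER.index(issue.severity),
                                       SEVERITY_ORDER.index(flt.value))
    if flt.field == "Certainty":
        if not 0 <= flt.value <= 100:
            raise ValueError("Certainty must be between 0 and 100")
        return OPERATORS[flt.operator](issue.certainty, flt.value)
    if flt.field == "Is Confirmed":
        return issue.is_confirmed == bool(flt.value)
    raise ValueError(f"unknown filter field {flt.field!r}")

def issues_to_notify(issues: list[Issue], filters: list[Filter]) -> list[str]:
    """Names of issues that pass every filter; with no filters, all are sent."""
    return [i.name for i in issues if all(matches(i, f) for f in filters)]

# Constructed sample issues, not output from a real scan.
SAMPLE_ISSUES = [
    Issue("Reflected XSS on /search", "High", 95, True),
    Issue("Missing X-Frame-Options header", "Low", 100, True),
    Issue("Possible SQL injection on /login", "Critical", 60, False),
]
```

Combining a Severity filter with an Is Confirmed filter narrows the result to only verified High-or-above issues, which is the "critical issue on a live website" case the page uses as motivation.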
How to Create a Notification
- Log in to Acunetix 360.
- From the main menu, select Notifications > New Notification.
- In the Name field, enter the name of the new notification.
- In the Status field, select enable or disable.
- From the Event dropdown, select the relevant option.
- In the Group field, select enable or disable.
- From the Scope field, select the relevant option.
- In the Email Recipients field, select or enter a recipient. In the SMS Recipients field, select or enter a recipient. If you selected Scan Completed from the Event drop-down (above), you can add a recipient that is not registered and confirmed.
If you selected Scan Completed from the Event drop-down, the Add Filter and Add Attachment Report options are activated. Set your filters, if required.
- In the Excluded Recipients field, select or enter a recipient.
- In the Integration Endpoints field, select an integration, if required. You can add a filter when Scan Completed is selected from the Event drop-down.
- Select Save.
How to Clone a Notification
- Log in to Acunetix 360.
- From the main menu, select Notifications > Manage Notifications.
- Next to the notification you want to clone, select Clone.
- On the New Notification window, in the Name field, enter a name.
- Edit the remaining fields, if relevant (see How to Create a Notification).
- Select Save.
How to Edit a Notification
- Log in to Acunetix 360.
- From the main menu, select Notifications > Manage Notifications.
- Next to the notification you want to edit, select Edit.
- On the Update Notification window, in the Name field, edit the name.
- Edit the remaining fields, if relevant (see How to Create a Notification).
- Select Save.
How to Delete a Notification
- Log in to Acunetix 360.
- From the main menu, select Notifications > Manage Notifications.
- Next to the notification you want to delete, select Delete.
- From the Delete Notification dialog, select Delete.
How to Configure a Notification to Email a Report After a Scan
- Log in to Acunetix 360.
- From the main menu, select Notifications > Manage Notifications.
- For any notification with an Event of Scan Completed, select Edit.
- On the Update Notification window, if required, in the Email Recipients field, enter additional registered recipients or a valid email address of an external recipient.
- In the Add Attachment Report field, select New Report. New Report and Format dropdowns are displayed.
- From the Report and Format drop-downs, select the report(s) to attach to the email notification (a maximum of three report types is allowed).
- Select Save.
When a configured scan completes, the specified reports are now sent as email attachments with the email notification to the specified recipients.