The detection of vulnerabilities is the first step to securing your web applications. The vulnerabilities detected need to be managed and eventually fixed. Acunetix provides the means to help you prioritise and manage vulnerabilities.
Screenshot - Vulnerabilities List
The Vulnerabilities page provides a list of all the vulnerabilities detected by Acunetix. By default, the vulnerabilities are sorted by Business Criticality of the target the vulnerability was detected on, and the severity assigned to the vulnerability by Acunetix. This will help you focus on the most important vulnerabilities, without losing sight of the less important ones.
Grouping and Filtering Vulnerabilities
Screenshot - Grouping by Business Criticality
As the amount of vulnerabilities detected increases, the list of vulnerabilities can become cumbersome to manage. For this reason, the vulnerabilities can be grouped or filtered.
Vulnerabilities can be grouped either by Business Criticality or by Vulnerability Type. Grouping by Business Criticality gives priority the vulnerabilities occurring on web applications which are of higher importance to the organisation. Grouping by Vulnerability Type prioritises the vulnerabilities using the severity assigned by Acunetix.
Vulnerabilities can be filtered by Target, Severity, Target’s Business Criticality, Status, CVSS, and Target Group. The list allows for multiple flexible filters, e.g. show all the high severity Vulnerabilities, identified on a specific Target, which are still open.
Screenshot - Filtered vulnerabilities
Import vulnerabilities into your Web Application Firewall (WAF)
Ideally, vulnerabilities are fixed as soon as possible. Unfortunately, it often takes months to fix a vulnerability. If you make use of a Web Application Firewall (WAF) supported by Acunetix, you can export vulnerabilities from Acunetix and import them into your WAF. Your WAF will be able to provide virtual patching for the vulnerability.
Acunetix supports exporting vulnerabilities for F5 BIG-IP ASM, Fortinet FortiWeb and Imperva SecureSphere WAF.
Sending Vulnerabilities to an Issue Tracker
For a developer, vulnerabilities are considered as bugs in the web application. Acunetix provides to means to send the vulnerabilities to the issue tracker used by the organisation, allowing for better tracking of vulnerabilities by the development team.
You will first need to configure the issue tracker in the Acunetix settings, and assign the Issue Tracker to the Target. You will then be able to send vulnerabilities detected for the specific Target to the Issue Tracker.
Acunetix supports GitHub, Jira and Microsoft TFS issue trackers
When a vulnerability has been fixed, you can have Acunetix confirm the fix by selecting the vulnerability and clicking on the Retest option. This will create a new scan using a custom scanning profile restricted to the specific vulnerability.
Vulnerabilities detected by Acunetix remain in the vulnerabilities list until they are marked as not open. You can remove vulnerabilities from the list of open vulnerabilities by marking them as:
Fixed - This status is given to vulnerabilities that are fixed by the developers. If the vulnerability is found again by Acunetix, the vulnerability will be re-opened, and marked as Rediscovered
False Positive - There are situations where a vulnerability is incorrectly detected by Acunetix. The vulnerability will not be reported again in future scans.
Ignored - This status can be used for vulnerabilities which are not False Positives, but which for some reason should be ignored in future scans.
Vulnerabilities marked as False Positives or Ignored can be re-opened manually at any time.