22.2.0

Viewing the Scan Result

The FortiDevSec scan results for application vulnerability scanning are presented in a dashboard that gives an overview of the scanned applications, groups the findings by the scanner that reported them (SAST, SCA, DAST), and shows the calculated risk rating for each application. From the dashboard you can drill down to the details of every detected vulnerability per application.

The dashboard Summary panel gives an overview of the scanned applications: how many applications fall into each assigned risk rating, the number of findings still to be reviewed, the number of applications not scanned in the current week, and the average risk rating across all scanned applications. The top 5 OWASP and SANS categories are displayed with their vulnerability counts for the entire organization.

Viewing Scanned Applications

The application panel lists all the scanned applications with their basic details. The figures below are taken from an example dashboard screenshot.

You can analyze the following information specific to each application.

  • The number of vulnerabilities found by each scanner type; in the example, 6423 vulnerabilities are reported by SAST and 163 by SCA. Click the legend entry for a scan type to view the breakdown of its findings by severity.
  • The risk rating assigned by FortiDevSec for this application.
  • The total number of vulnerabilities detected.
  • The vulnerability counts for both OWASP and SANS categories.

Click on the application name or the number of vulnerabilities to view scan details.

Viewing Scanned Application Details

This panel shows the scanner types used, a breakdown of the number of vulnerabilities found by each scanner, and the associated risk rating. In the example, a total of 6608 vulnerabilities are found and grouped by the scanner that detected them.

  • Click on the number of vulnerabilities for any scanner type to view the specifics.
  • You can filter the vulnerabilities based on OWASP and SANS categorization.
  • Click View All to view details of all vulnerabilities detected.

  • Modify Risk Rating - To change the risk rating settings for the application on this page, click Set Rating Factors.
  • Jira Plugin - To enable and configure the Jira integration with FortiDevSec, click Plugins.
  • Scan History - View the scan history of the application: the scanner types used in each scan, the scan duration, the total number of vulnerabilities found, and the associated risk rating.

Scan details are listed in the panel on the right side.

The application data displayed includes the number of files and lines of code scanned, the scanner types used, the App ID and organization ID, and the times when the application was added and last scanned. Click Scanner Config to download the fdevsec.yaml file.

  • Modify App ID - You can modify the application ID; the new ID is displayed in this Details panel immediately. Make sure you update the modified application ID in any existing fdevsec.yaml file, otherwise subsequent scans will not be associated with this application.
  • Deactivating/Deleting the Application - Deactivating an application keeps its vulnerability findings viewable but prevents any further modification to them. An application can be deleted from the dashboard only after it has been deactivated.

Viewing Vulnerabilities

All vulnerabilities are listed in this panel with the associated source file name and line number (SAST) or URL (DAST) and the assigned severity. The vulnerabilities are grouped as Active and Closed.

  • Active vulnerabilities are those currently present in your application. In the example, there are 580 active vulnerabilities.
  • For each scanner type the panel also shows the number of Unique vulnerabilities. A unique vulnerability is a vulnerability type: a type with multiple instances in the code is counted only once here.
  • You can manually Sync the vulnerabilities with the Jira plugin for each application.

Modifying the Vulnerability Status

You can modify the status of a single vulnerability or of several at once: click Select Multiple, select the findings, and set the status.

The following status types are supported.

  • New: A vulnerability detected by the scan that has not been triaged yet.
  • Confirmed: A real vulnerability that requires a fix.
  • In Review: The vulnerability is being looked into to decide on further action.
  • Reviewed: The review of the vulnerability is complete.
  • Reopened: A vulnerability previously marked Fixed that was detected again by a rescan and must be addressed.
  • Fixed: The vulnerability has been fixed and does not appear in the next scan result.
  • Risk Accepted: The vulnerability is an accepted risk; it remains in the application but is not treated as requiring a fix.
  • False Positive: The finding is not a real vulnerability; it is either a scanner error or a deliberate feature of the application that the scanner flagged.
  • Removed: The vulnerability is ignored for this application and no longer tracked.

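The Active/Closed split, the Unique count, and the Fixed/Reopened transitions above describe how findings from one scan are reconciled with the next. The following script is an added example, not FortiDevSec code or its export format: it models that reconciliation on constructed sample findings. The Finding fields, the rule that a Fixed finding reported again becomes Reopened, that a finding no longer reported becomes Fixed, and that manually set statuses (Risk Accepted, False Positive, Removed) survive a rescan are all assumptions based on the status definitions on this page.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One vulnerability instance. Assumed fields, not FortiDevSec's schema."""
    scanner: str    # "SAST", "SCA" or "DAST"
    rule: str       # vulnerability type (e.g. CWE id); shared by all instances
    location: str   # file:line for SAST, package for SCA, URL for DAST
    severity: str


# Statuses set by a reviewer that a rescan must not overwrite (assumption).
MANUAL_STATUSES = {"Risk Accepted", "False Positive", "Removed"}


def reconcile(previous: dict[Finding, str], current: set[Finding]) -> dict[Finding, str]:
    """Compute the status of every known finding after a rescan.

    previous: finding -> status as left after the last scan and triage
    current:  findings reported by the new scan
    """
    statuses: dict[Finding, str] = {}
    for finding, status in previous.items():
        if finding in current:
            # Reported again: a Fixed finding is reopened, anything else keeps its status.
            statuses[finding] = "Reopened" if status == "Fixed" else status
        else:
            # No longer reported: closed as Fixed unless a reviewer already decided.
            statuses[finding] = status if status in MANUAL_STATUSES else "Fixed"
    for finding in current:
        if finding not in previous:
            statuses[finding] = "New"
    return statuses


def active_findings(statuses: dict[Finding, str], current: set[Finding]) -> set[Finding]:
    """Active = currently present in the application, i.e. reported by the latest scan."""
    return {f for f in statuses if f in current}


def closed_findings(statuses: dict[Finding, str], current: set[Finding]) -> set[Finding]:
    return {f for f in statuses if f not in current}


def unique_by_scanner(findings: set[Finding]) -> dict[str, int]:
    """Unique count per scanner: several instances of one rule count once."""
    rules: dict[str, set[str]] = {}
    for f in findings:
        rules.setdefault(f.scanner, set()).add(f.rule)
    return {scanner: len(r) for scanner, r in rules.items()}


# Constructed sample data: statuses after the previous scan and triage.
PREVIOUS: dict[Finding, str] = {
    Finding("SAST", "CWE-89", "app/db.py:42", "High"): "Fixed",
    Finding("SAST", "CWE-79", "app/views.py:17", "Medium"): "Confirmed",
    Finding("SAST", "CWE-798", "app/config.py:3", "High"): "False Positive",
    Finding("SCA", "example-lib@1.2.3", "requirements.txt", "Medium"): "New",
}

# Constructed sample data: what the rescan reports.
CURRENT: set[Finding] = {
    Finding("SAST", "CWE-89", "app/db.py:42", "High"),       # back again -> Reopened
    Finding("SAST", "CWE-798", "app/config.py:3", "High"),   # still flagged, stays False Positive
    Finding("SAST", "CWE-79", "app/forms.py:8", "Medium"),   # new instance of XSS -> New
    Finding("SAST", "CWE-79", "app/api.py:21", "Medium"),    # second instance of the same type
    Finding("DAST", "CWE-352", "https://app.example/login", "Medium"),
}
# app/views.py:17 and the SCA finding are absent from CURRENT -> Fixed.


if __name__ == "__main__":
    statuses = reconcile(PREVIOUS, CURRENT)
    for finding, status in sorted(statuses.items(), key=lambda kv: kv[0].location):
        print(f"{status:15} {finding.scanner:4} {finding.rule:18} {finding.location}")
    print("active:", len(active_findings(statuses, CURRENT)),
          "closed:", len(closed_findings(statuses, CURRENT)),
          "unique:", unique_by_scanner(active_findings(statuses, CURRENT)))
```

Running the script shows the reopened SQL injection, the two closed findings, the preserved False Positive, and a SAST Unique count of 3 for 4 active SAST instances, which is the distinction the Unique figure in the dashboard makes.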
Viewing Vulnerability Details

Click on the vulnerability name to view all details associated with the finding.

  • The risk rating (severity) assigned by FortiDevSec.
  • The file and line number in which the vulnerability is found.
  • The issue description and the associated CWE (if any). Click the CWE link to view its details.
  • The associated OWASP Top 10 or SANS Top 25 category.
  • The number of Similar Occurrences of the same vulnerability type. Click an instance to expand it and view its details.
  • The history of the vulnerability, including the time of its first and last appearance.

Applying Dashboard Filters

You can filter the displayed findings based on specific criteria. The following filters are available in the left-side panel of the dashboard.

  • Calculated Risk Rating - Filter by the assigned risk rating.
  • Status - Filter by vulnerability status.
  • Category - Filter by vulnerability category (for example the OWASP or SANS categorization).
  • Files - Filter by specific files.
  • Directory - Filter by specific directories.
