The "register" lists the web applications, interfaces, web servers without applications and non-active web servers that can be attributed to the organization, indicating for each one:
- Application: the resource (web application, API or web server) exposed on the web.
- Risk: the overall level of risk that this web-exposed application poses to the organization's business.
- Expiration of the SSL certificate.
- WEB and TLS/SSL: security tests expressed as a synthetic score that takes into account a detailed analysis of the individual values found.
Each application detected corresponds to a detail sheet, shown in the following figure.
We do not consider it useful to comment on each field, which is covered extensively in the report, but a few remarks may be helpful.
The sheet lists the software used to develop the site that is visible from the outside (fingerprinted software) together with its version number, a very important data point for checking whether the software is updated to the latest version.
The indication of whether or not the fingerprinted software is updated to the latest available version is important, because outdated software can be exploited by potential attackers. On the other hand, prompt software updating is one of the main obligations that must be fulfilled in order not to incur liability in the event of a breach.
TLS/SSL security test
Indicates the result of the test performed on the cryptographic protocols used by the resource in question, in line with widely adopted security standards (PCI DSS, NIST, HIPAA, industry best practices). The ranking ranges from A (maximum security), B (less security), C (insufficient security) to F (critical insecurity).
Security levels depend on many factors, such as the trustworthiness of the certificate underlying the encryption, the protocols in use, the possible presence of known vulnerabilities, and the implementation of measures to prevent abuse.
Website security test
Indicates the result of the test performed on the web resource according to widely adopted security standards (PCI DSS, NIST, HIPAA, industry best practices). The ranking ranges from A (maximum security), B (less security), C (insufficient security) to F (critical insecurity).
Security levels depend on many factors, such as whether the software used is up to date, the configuration of HTTP security headers, the presence of a WAF (Web Application Firewall) to filter, monitor and block HTTP traffic to and from a web application, and the possible presence of known vulnerabilities.
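As an added illustration of how the two A/B/C/F tests above (TLS/SSL and website) can be reproduced from observable facts, the following Python is example code written for this page, not the report's own scoring engine: the penalty thresholds, the header checklist and the sample inputs are all assumptions chosen to mirror the factors the text names.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Assumed checklist of HTTP security headers a hardened site should send.
EXPECTED_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-frame-options")
SAFE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}   # anything older counts as legacy

def grade(penalty):
    """Map accumulated penalty points onto the A/B/C/F scale (assumed thresholds)."""
    if penalty == 0:
        return "A"
    if penalty <= 2:
        return "B"
    if penalty <= 4:
        return "C"
    return "F"

def tls_grade(protocols, cert_not_after, known_vulns, now=None):
    """TLS/SSL test: legacy protocols, certificate validity window, known weaknesses."""
    now = now or datetime.now(timezone.utc)
    days_left = (cert_not_after - now).days
    penalty = sum(1 for p in protocols if p not in SAFE_PROTOCOLS)
    if days_left < 0:
        penalty += 5          # expired certificate is treated as critical
    elif days_left < 30:
        penalty += 1          # about to expire: worth flagging in the register
    penalty += 3 * len(known_vulns)
    return grade(penalty), days_left

def web_grade(headers, software_current, waf_present, known_vulns):
    """Website test: security headers, software currency, WAF, known vulnerabilities."""
    present = {name.lower() for name in headers}
    missing = [h for h in EXPECTED_HEADERS if h not in present]
    penalty = (len(missing) + (0 if software_current else 2)
               + (0 if waf_present else 1) + 3 * len(known_vulns))
    return grade(penalty), missing

def cert_days_left(host, port=443, timeout=5):
    """Live check of the served certificate's expiry (requires network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            not_after = tls.getpeercert()["notAfter"]
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expiry - datetime.now(timezone.utc)).days

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed sample clock
    print(tls_grade(["TLSv1.0", "TLSv1.2"], now + timedelta(days=10), [], now))  # ('B', 10)
```

The `cert_days_left` helper performs a real handshake and is only for checking a host you operate; the grading functions work entirely on values you supply.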