
New ASM Feature - Apache Backports Reporting

Tim Cowell
31 August 2024

Introduction

When building Hexiosec ASM, we have always felt strongly about presenting accurate results, including taking account of factors you cannot see on the surface. Some scenarios are harder than others, especially when it comes down to a choice between showing a potentially serious risk or not.

Apache backports (explained below) are one such scenario. We are excited to introduce a new feature in Hexiosec ASM that clearly highlights the affected risks and lets you choose whether they are included in your scan results.

You will see this feature when creating or editing scans, and in any existing scan that contains Apache CVEs.

Understanding Apache backports

Apache backports are a practice common to Linux distributions. The distribution ships a fixed version of the Apache HTTP Server for the lifetime of a release and, when a security fix is published upstream, applies that fix to its packaged version rather than moving to the newer upstream release. The vulnerability is fixed, but the version the server advertises does not change. Backports are essential for keeping long-lived systems secure without disruptive upgrades, but they present a unique challenge for attack surface management.

Attack surface monitoring tools can read the installed Apache version from the Server header of an HTTP response, but whether backported security patches have been applied cannot be determined from that version string alone. A CVE matched purely on version is therefore a potential false positive on a distribution-packaged Apache, and a real finding on an instance built from source or otherwise left unpatched; the header does not tell you which.
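As an added illustration (example code written for this article, not Hexiosec ASM's own code), the following Python shows the version-matching problem just described and the scoping decision that follows from it: it parses the Server header, matches the advertised version against a constructed list of hypothetical advisories (placeholder identifiers, not real CVEs), marks matches on distribution-packaged builds as backport resolvable, and partitions them into in-scope and out-of-scope according to an include flag. The distribution tokens, the advisory data and the sample headers are all assumptions constructed for the example.

```python
"""Added example: classify Apache httpd version matches as 'backport resolvable'.

Illustrative code written for this article; it is not Hexiosec ASM code. The
distribution tokens, advisory list and sample headers are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Comment tokens that indicate a distribution-packaged httpd, where security
# fixes are commonly backported without changing the advertised version.
# Assumed list for this example; extend it for your own estate.
DISTRO_TOKENS = ("debian", "ubuntu", "red hat", "centos", "rocky", "almalinux",
                 "fedora", "suse", "oracle")

# Matches e.g. "Apache/2.4.37 (Red Hat Enterprise Linux)". The patch level and
# the parenthesised comment are both optional in real-world Server headers.
SERVER_RE = re.compile(
    r"Apache/(\d+)\.(\d+)(?:\.(\d+))?(?:\s*\(([^)]*)\))?", re.IGNORECASE)

# Constructed, hypothetical advisories for illustration only (NOT real CVEs):
# an advertised version below 'fixed_in' is treated as affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADVISORY-1", "fixed_in": (2, 4, 50)},
    {"id": "EXAMPLE-ADVISORY-2", "fixed_in": (2, 4, 57)},
]


@dataclass
class ApacheComponent:
    version: Tuple[int, int, int]
    distro: Optional[str]  # distribution comment, or None if absent/unrecognised


def parse_server_header(value: str) -> Optional[ApacheComponent]:
    """Extract version and distribution comment from a Server header.

    Returns None when no version is advertised (e.g. 'ServerTokens Prod' gives
    a bare 'Apache'), in which case version-based matching is not possible.
    """
    m = SERVER_RE.search(value)
    if not m:
        return None
    major, minor, patch, comment = m.groups()
    version = (int(major), int(minor), int(patch) if patch else 0)
    distro = None
    if comment and any(tok in comment.lower() for tok in DISTRO_TOKENS):
        distro = comment.strip()
    return ApacheComponent(version, distro)


def match_risks(component: ApacheComponent, advisories=ADVISORIES) -> List[dict]:
    """Version-only matching: every advisory whose fix is newer than the
    advertised version is a candidate risk. On a distribution build the match
    may already be fixed by a backport, so it is flagged backport_resolvable."""
    return [
        {"id": adv["id"], "backport_resolvable": component.distro is not None}
        for adv in advisories
        if component.version < adv["fixed_in"]
    ]


def scope_risks(risks: List[dict], include_backport_resolvable: bool = True):
    """Partition risks into (in_scope, out_of_scope). Backport-resolvable
    risks leave scope only when the caller opts out; the default keeps them,
    because a version match you cannot verify is still a potential risk."""
    in_scope, out_of_scope = [], []
    for risk in risks:
        if risk["backport_resolvable"] and not include_backport_resolvable:
            out_of_scope.append(risk)
        else:
            in_scope.append(risk)
    return in_scope, out_of_scope


def assess(server_header: str, include_backport_resolvable: bool = True):
    """Convenience wrapper: header -> (component, in_scope, out_of_scope)."""
    component = parse_server_header(server_header)
    if component is None:
        return None, [], []
    in_scope, out_of_scope = scope_risks(
        match_risks(component), include_backport_resolvable)
    return component, in_scope, out_of_scope


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real host.
    for header in ("Apache/2.4.37 (Red Hat Enterprise Linux)",
                   "Apache/2.4.46 (Unix)",
                   "Apache"):
        for include in (True, False):
            component, in_scope, out_of_scope = assess(header, include)
            print(f"{header!r:45} include={include!s:5} "
                  f"in_scope={[r['id'] for r in in_scope]} "
                  f"out_of_scope={[r['id'] for r in out_of_scope]}")
```

Two behaviours are worth noting. A source build advertising "(Unix)" is never marked backport resolvable, so its matches stay in scope whatever the flag says; only distribution builds move out of scope. And a host running with ServerTokens Prod advertises no version at all, which defeats version matching entirely rather than producing a clean result.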

Managing backport resolvable risks

The new feature appears on any scan with Apache CVE risks and lets you manage how they are shown.

A view of components with Apache risks

From scan settings you can choose to exclude or include the risks and actions associated with Apache components in your scan’s results.

If you know that backported security patches are being applied to the Apache instances in your scan, you can remove the associated risks from the scan's scope. The Apache versions are still shown in the scan, and anyone viewing it can see that Apache CVE risks have been excluded, so the state is clear to all users.

If you do not know whether backported security patches are being applied, leave the CVE risks included, which is the default behaviour. The reliable way to find out is on the host rather than from the network: the distribution's package changelog (the rpm changelog for httpd on Red Hat-derived systems, or the apt changelog for apache2 on Debian and Ubuntu) lists the CVEs each package update fixes, and that record, not the advertised version, determines whether a version-matched CVE still applies.

How does it work?

By default, when creating a new scan, risks that are backport resolvable remain in scope. These risks are highlighted on the Risks widget on the Overview page of your scan.

Risk counts which include backport risks

Throughout your scan’s pages, Apache components and their associated risks or actions will display the backport resolvable risks icon.

Icon shown for backport risks

For example, on the Risks page, you can see the backport resolvable Apache components.

Risks page showing backport resolvable risks

On relevant pages in Hexiosec ASM, such as the Explore pages for Apache components, you will also see a short description of backporting.

Image of descriptive backport text in the application

Excluding risks

If you wish to remove the risks from the scope of your scan, navigate to the settings menu and toggle off the Include Apache backport resolvable risks option.

Image of a settings page for a scan

When you change this setting, risk results are updated immediately; Actions and Checks are recalculated and may take a few seconds to update in the app.

The change is saved for all users of the scan, and the backport resolvable risks no longer count towards your scan's risk or health results, nor appear in reports.

Risks counts without backport risks

Excluding backport risks will also resolve any Actions which contain these risks.

Where to see excluded risks

The Apache backport resolvable risks can still be viewed on the scan's Out of Scope page. If you want to include the risks again, revert the setting described above.

Backport resolvable risks that have been removed from scope

For more details, please refer to our user guide documentation.

Conclusion

Letting you choose how to manage Apache CVE risks ensures that your risk results remain accurate whilst taking into account your knowledge of the attack surface. We will continue to add functionality that helps you manage your scans' results and focus on resolving the most important risks.

If you have any feedback on this feature, we’d love to hear from you, please contact us via the in-app contact form.

About Tim Cowell
Tim is an experienced software engineer who has worked across the Defence, Government and Commercial sectors for the past 21 years. Having led a diverse range of projects, Tim has a strong background in cyber security, software engineering, and research and development practices.