Introduction
When building FractalScan, something we have always felt strongly about is ensuring we present accurate results, results that also take into account factors you cannot see on the surface. Some scenarios are more challenging than others, especially when it comes down to a choice between showing a potentially serious risk or not.
Apache backports (see below) are one such scenario. We are excited to introduce a new feature in FractalScan that clearly highlights the affected risks and lets you choose whether those risks are included in your scan results.
You will see this feature when creating or editing scans and if you have any Apache CVEs in existing scans.
Understanding Apache backports
Apache backports are software updates, common to Linux distributions, that apply the latest security patches to earlier versions of the Apache web server without changing the reported version number. While they are essential for maintaining security on long-lived systems, they present a unique challenge for attack surface management.
Although attack surface monitoring tools can correctly detect the installed version of Apache from the Server header in a web response, any backported security patches that have been applied cannot be detected from that version alone, so a version-based CVE match may be a false positive on a patched host.
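To make the problem concrete, here is an added example (not FractalScan's code) of the version-only reasoning a scanner is limited to: it parses the version from a Server header, matches it against advisories, and flags every match as "backport resolvable" so the user can decide whether to keep it in scope. The advisory ids and fixed versions are constructed placeholders, and treating a distribution name in the header comment as the signal that backports may be in play is an assumption of this example, not a documented FractalScan heuristic.

```python
import re
from dataclasses import dataclass

# Constructed placeholder advisories: ids and fixed-in versions are NOT real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "CVE-XXXX-0001 (placeholder)", "fixed_in": (2, 4, 50)},
    {"id": "CVE-XXXX-0002 (placeholder)", "fixed_in": (2, 4, 55)},
]

# Assumption: a distribution name in the Server comment suggests the vendor may
# ship backported fixes without bumping the version string.
BACKPORTING_DISTROS = ("debian", "ubuntu", "red hat", "centos", "rocky", "alma", "suse")

SERVER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)(?:\s*\(([^)]*)\))?")


@dataclass
class Risk:
    cve: str
    version: str
    backport_resolvable: bool  # true when the version match may be a false positive


def parse_server_header(value):
    """Return (version_tuple, comment) from a Server header, or None if not Apache."""
    m = SERVER_RE.search(value)
    if not m:
        return None
    version = tuple(int(part) for part in m.group(1, 2, 3))
    return version, (m.group(4) or "").lower()


def assess(server_header, advisories=SAMPLE_ADVISORIES):
    """Version-only CVE matching: every hit is uncertain if a backporting distro is named."""
    parsed = parse_server_header(server_header)
    if parsed is None:
        return []
    version, comment = parsed
    maybe_backported = any(d in comment for d in BACKPORTING_DISTROS)
    return [
        Risk(adv["id"], ".".join(map(str, version)), maybe_backported)
        for adv in advisories
        if version < adv["fixed_in"]
    ]


def scope(risks, include_backport_resolvable=True):
    """Split risks into in-scope and out-of-scope according to the user's toggle."""
    in_scope = [r for r in risks if include_backport_resolvable or not r.backport_resolvable]
    out_of_scope = [r for r in risks if r.backport_resolvable and not include_backport_resolvable]
    return in_scope, out_of_scope
```

With the toggle off, the backport-resolvable matches move to the out-of-scope list rather than disappearing, mirroring the behaviour described later in this post.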
Managing backport resolvable risks
Our new feature appears on any scan with Apache CVE risks and allows you to manage how they are shown.
From the scan settings you can choose to exclude or include the risks and actions associated with Apache components in your scan's results.
If you know that backported security patches are being applied to the Apache instances in your scan, you can remove the associated risks from the scan's scope. The Apache versions will still be shown in your scan, and anyone viewing the scan can see that Apache CVE risks have been excluded, so the state is clear to all users.
If you do not know whether backported security patches are being applied, we recommend leaving the CVE risks included, which is the default behaviour.
How does it work?
By default when creating a new scan, risks that are backport resolvable will remain in scope. These risks will be highlighted on the Risks widget on the Overview page of your scan.
Throughout your scan’s pages, Apache components and their associated risks or actions will display the backport resolvable risks icon.
For example, on the Risks page, you can see the backport resolvable Apache components.
On relevant pages in FractalScan, such as the Explore pages for Apache components, you will also see a short description of backporting.
Excluding risks
If you wish to remove the risks from the scope of your scan, navigate to the settings menu and toggle off the Include Apache backport resolvable risks option.
When you change this setting, risk results are updated immediately, but Actions and Checks are recalculated and may take a few seconds to update in the app.
The change is saved for all users of the scan, and the backport resolvable risks no longer count towards your scan's risk or health results, nor appear in the reports.
Excluding backport risks also resolves any Actions that contain these risks.
Where to see excluded risks
The Apache backport resolvable risks can still be viewed on the scan's Out of Scope page. If you want to include the risks again, simply toggle the setting described above back on.
For more details, please refer to our user guide documentation.
Conclusion
Enabling you to choose how Apache CVE risks are managed ensures that your risk results remain accurate while taking into account your own knowledge of the attack surface. We will continue to add functionality that helps you manage your scans' results and focus on resolving the most important risks.
If you have any feedback on this feature, we would love to hear from you; please contact us via the in-app contact form.