
Introduction
Throughout April the engineering team were as busy as always, working on a range of updates to Hexiosec ASM, which include improvements to our web application, scan processing, system metrics and testing. To hear about a couple of the features we’ve released in the last month, as well as a couple of other topics, please read on:
This month I will cover:
- Updated risk change navigation
- An update to our CSP checks
- The impact of the CVE programme funding on Hexiosec ASM, or not
- An update to Hexiosec ASM’s sibling product, Hexiosec Transfer
Navigating risk changes
When you’re reviewing your scan results and any changes, we want to make it as easy as possible for you to understand what’s changed. You may be reviewing historical changes or you may be reviewing the latest changes prompted by an email notification.

The email notification includes a link to the Changes page in Hexiosec ASM, filtered for the relevant changes. For any changes which result in new or removed risks, we’ve added a context menu on the Changes page which links directly to the related Action, and if the risk is new, another option is available to link to the specific risk on the Risks page.
The action link takes you directly to the details of that specific action.
The risks link takes you to a filtered view on the risks page, which makes use of the existing “Source” filter on the risks page. The source filter is a handy way to filter for all risks relating to a specific domain.
Both these new links navigate to pages relating to the specific action or risk for the selected change. This differs from the existing link under the Change column, which takes you to the risk’s Explore page, which is common to all risks of this type. This existing link is absolutely still useful if you want to see the provenance of a risk type across a scan, e.g. all expired certificates in a scan.
Later this month we’re making a further update to this feature for web page related risks, which will also allow you to navigate to the Web Presence page for the source of that risk. Watch this space for more details.
Checking meta tags for CSP
Content Security Policies (CSP) help prevent or minimize the risk of security threats. A CSP sets policies for the website code run by a browser, and what that code can do. A primary aim of a CSP is to prevent cross-site scripting (XSS) attacks, where an attacker may inject malicious code into a website. Hexiosec ASM already checks websites for the presence of CSPs, and if there is a CSP defined we check this for the recommended configuration.
Typically the CSP for a website is defined in the Content-Security-Policy response header. However, sometimes it isn’t possible or practical to define the CSP here, such as if the website is hosted by an external provider (such as a CDN) who don’t support a CSP. In this instance the CSP can be defined in the http-equiv attribute in your website meta element. The update is that ASM now checks the http-equiv attribute for a CSP as well.
This change went live on the 24th March 2025 (11:03 BST to be precise), and if you’ve had any scans run since then you may have seen a change in results. If you are using the http-equiv attribute for CSPs:
- We will have removed any risks relating to the lack of a CSP
- We may have added risks relating to the CSP found in the http-equiv attribute, if any configuration is not recommended
On the Risks charts in the app, we have added a notation to help you clearly see any risk changes relating to this update.
You can also use the Changes page to view any added or removed CSP risks for the iteration after 11:03 BST on the 24th March.
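As an added example (not Hexiosec ASM's code), the following Python looks for a CSP in both the response header and the meta element's http-equiv attribute, and reports directives that browsers ignore when the policy is delivered by meta (frame-ancestors, report-uri and sandbox, per the CSP specification). The function names and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser

# Directives the CSP specification ignores when the policy arrives via <meta>.
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}

class _MetaCSP(HTMLParser):
    """Collects the content of <meta http-equiv="Content-Security-Policy"> tags."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are already lowercased by HTMLParser
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            if a.get("content"):
                self.policies.append(a["content"])

def parse_policy(text):
    """Split 'name v1 v2; name2 v3' into {name: [values]}; first duplicate wins."""
    directives = {}
    for part in text.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def find_csp(headers, html):
    """Return [(source, directives)] for the header and any meta-delivered policies."""
    found = []
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            found.append(("header", parse_policy(value)))
    parser = _MetaCSP()
    parser.feed(html)
    found += [("meta", parse_policy(p)) for p in parser.policies]
    return found

def meta_ignored(found):
    """Directives present in a meta policy that browsers will not enforce."""
    return sorted({d for src, ds in found if src == "meta" for d in ds if d in META_IGNORED})

# Constructed sample: a page served with no CSP header (e.g. behind a CDN).
SAMPLE_HEADERS = {"Content-Type": "text/html"}
SAMPLE_HTML = """<html><head>
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; script-src 'self' https://cdn.example; frame-ancestors 'none'">
</head><body></body></html>"""
```

For the constructed sample, `find_csp` returns one policy with source `meta`, and `meta_ignored` flags `frame-ancestors`, so clickjacking protection for that page still has to come from a response header.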
CVE programme funding
Blink and you might have missed it, but halfway through April you may have seen the news that the Cybersecurity and Infrastructure Security Agency’s (CISA) funding for the CVE programme was about to be cut. The news broke on the 15th April and by midnight the next day all access to the CVE data may have been suspended. It wasn’t clear what state this was going to leave the CVE database in, or what the future held for the programme in general. Cue much online speculation.
Long story short, there was a last-minute reprieve, and funding was secured for at least 11 months. The CVE programme lives on and updates continue to be available. Hexiosec continue to watch for any updates, and indeed news about the new CVE Foundation.
Would a CVE outage impact my Hexiosec ASM results?
A strength of Hexiosec ASM is that data we gather, including from our own workers, is stored and analysed within Hexiosec ASM. This is also true for CVE data. On a daily basis Hexiosec ASM will pull the latest CVE updates from NIST’s National Vulnerability Database (NVD). If access to the NVD had been cut:
- any new scan iterations would have continued to run using the latest update of our CVE data
- any existing scans with CVE results would not be impacted
- an extended outage may have started to impact some results, but historical CVE data would not be impacted.
Once a scan has run, your scan results are secure, no matter the state of any external data source. We pride ourselves in the reliability of Hexiosec ASM, and a key part of this is having redundancies in place for external data sources. For many asset results, we will have multiple ways to gather data. This is harder with something like NIST’s NVD, which is a unique vulnerability resource used across the cyber security industry. This uniqueness is why we will continue to watch this news, and if necessary will take steps to ensure the results we produce continue to help you secure your public infrastructure.
Also don’t forget, CVEs are only part of the story when it comes to the security of your attack surface, alongside email, network and website configurations. Hexiosec ASM continues to include checks across all these risk categories.
Hexiosec Transfer
This month I also wanted to highlight another one of our security products, which is our end-to-end encrypted secure file transfer tool, Hexiosec Transfer.
Our engineering team have also been working hard on adding great new features to Hexiosec Transfer, and have recently updated the existing file sharing request feature. Transfer now supports multi-use sharing requests, meaning users can use the shared link multiple times. Read all about this in Rich’s blog.
Coming Soon
We’re starting work on some significant features this month, which include:
- TLS version checks: Add TLS version checks to our existing TLS checks, including new risks if old versions of TLS are offered, e.g. TLS 1.0.
- EPSS visualisations: To complement our CVE and KEV checks, we’re adding EPSS visualisations, to allow you to search and filter discovered CVEs based on their exploitability.
- More risk navigation options: Navigate to web presence pages relating to changed web risks.


