Introduction
April has been another busy month for the ASM team, with more context added to risk remediation advice, more data available via the API and more support for risks managed by backporting.
We also wanted to use this month’s blog to let you know about some upcoming changes that could impact your results. We’ll be reducing duplicate findings from Cloudflare-hosted sites from 1st June - you can read more about that below.
Improving risk descriptions
We have improved some of our risk descriptions to include contextual information that helps you understand and remediate the risks found by your scan.
When looking at an Explore page for a Risk, there is a new Assets Affected widget. This shows all the assets that are affected by the risk along with the severity. Where you can expand the affected asset, some risks will now provide you with contextual information about the risk. Here are a few examples:
Where an SPF record has been captured and a risk identified, we now show the SPF record along with a description of what should be addressed.
Where a scan has identified an expired certificate, we now show the date of expiry along with a link to the offending certificate and the service hosting it.
Where a service supports a vulnerable TLS protocol, all the supported protocols are shown in the risk description.
These risk description improvements are also displayed on the Risks and Health page.
OpenSSL backporting option
We’ve extended our existing backporting capability, which initially just covered Apache, to also cover OpenSSL, as OpenSSL can also be patched using backported security patches. Although Hexiosec ASM can correctly detect the installed version of OpenSSL from a web request header, any applied backported security patches can’t be detected using our non-intrusive techniques.
In the scan settings, you can choose to exclude all OpenSSL risks that could be resolved by backporting.
New Domain properties on the API
We have extended the domains scan data endpoint to include more properties. This includes mail properties, like your DKIM and SPF records, and also your security.txt file.
This means even more of the properties available in the app are now reflected in our API for you to access.
The updated definition of the domains endpoint can be viewed in our API documentation.
Coming on 1st June: reducing duplicate findings from Cloudflare-hosted sites
During a scan, we check for web services over both HTTP and HTTPS on discovered domains. We also probe ports 8080 and 8443, which are commonly used for development or alternative web services.
In some cases, particularly with sites behind Cloudflare, these ports return the same content as standard web ports. This can result in duplicate findings where a single issue is reported more than once.
To reduce this noise, from 1st June 2026 we will disable enumeration of ports 8080 and 8443 for sites identified as being behind Cloudflare.
This change will help ensure scan results are clearer and more meaningful. You may notice a reduction in duplicate findings as a result.
What’s next
We’re continuing to review how other CDN providers handle these ports. Further improvements may follow, and we’ll communicate any additional changes in advance.
Our goal is simple: accurate results with minimal noise.
If you have any questions or concerns about this change, please get in touch.
Coming soon
We’ve got some exciting features coming over the next couple of months. Please get in touch if there are any features you would like to see us add to our roadmap.
- Tags for results - when a scan produces a large number of results, it can be difficult to manage and prioritise them effectively. We’ll be introducing tagging, allowing you to organise results, filter more easily, and focus on what matters most.
- Supply chain risk management - while Hexiosec ASM already supports scanning your supply chain, we are making some exciting changes to how you can view and manage the risks associated with your supply chain. This includes a dashboard to allow you to view suppliers side by side, and a number of new meaningful metrics which will allow you to really understand the security posture of your supply chain, rather than hiding behind an opaque risk score.