White shape | Hexiosec Logo

New ASM Features and Improvements | January 2023

Tim Cowell
9 February 2023
|
4 min Read
|
Tim Cowell

Introduction

Hexiosec ASM’s development team have started 2023 with some great new features and updates to existing functionality. As well as updates available now, we have some exciting new features in progress, which you can expect to see soon. Read on to find out more.

Risks over time

Being able to see how many risks there are over time provides an important insight into the state of your infrastructure and can highlight significant changes and trends. Hexiosec ASM already provides risk counts in the reports it generates, and this is also now available in the app.

Risk counts let you see the impact of resolving individual risks or can highlight new issues with your attack surface. The risk chart shape can indicate a change to the configuration of a web server (e.g. Nginx), against which Hexiosec has identified risks, or a decrease can show when an update to server has removed risk associated with a vulnerable version.

You will now find a “Risks over time” option on the Risks page, which shows how the counts of risks of each severity have changed over time. The time range for the chart can be changed, and the chart will use the any filter you have applied to the risks, allowing you to focus in on the risk categories or severities you are interested in.

Risks over time graph

The chart is available to any scan which has run more than once, such as an Own Asset Monitoring scan, or an Ad hoc scan which has been refreshed. The points on the chart indicate when a scan’s iterations ran, enabling you to use the Changes page to focus in on what changed.

Report time zones

A relatively subtle change but one which we know many of our users will find useful. Hexiosec reports can now be generated for a selected time zone (by default, your local time zone), and all dates and times in the report will be presented in this time zone.

Reporting time zone

If you are intending to share a report with someone or an organisation in a different part of the world, you can choose to generate the report for this time zone as well.

Boa web server detection

Our lead engineer for Hexiosec, Lauren, has already written about this in another blog, but some things are worth mentioning twice!

In a recent survey by Microsoft, they found that the previously popular, but now discontinued web server, Boa, is still in use on many IoT devices. The Boa Web Server won’t be getting any more security updates and has known CVEs associated with it, putting infrastructure at risk.

The good news, Hexiosec can identify Boa if you have it in your attack surface. See Lauren’s Boa web server blog for more details.

Mail risks (SPF) update

Security guidance is always changing with new risks and technology changes, and we always aim to keep Hexiosec up to date with the latest recommendations.

In line with our own updated guidance and that from M3AAWG (Messaging, Malware and Mobile Anti-Abuse Working Group), we are now recommending that Sender Policy Framework (SPF) mail records use a policy of soft fail ~all over hard fail (or fail) -all. This all field instructs the recipient of an email purporting to be from your domain, how to deal with it if no sending source is not named.

This guidance may seem counter intuitive as hard fail could be seen as the more robust security approach, however setting hard fail can leave to deliverability issues, and on its own may not offer the protection expected. The recommended approach is to use soft fail and combine this with DMARC (and DKIM). To find out more about SPF and how to secure your email domains, see Scott’s blog..

Hexiosec will now show mail domain SPF records with hard fail as a medium risk.

SPF failing risk notification

Coming soon

As well as updates to Hexiosec’s processes and performance, we’re working on new features you can expect to see in the coming months.

  • Highlight actively exploited CVEs: CISA (Cybersecurity & Infrastructure Security Agency) publishes a regularly updated list of vulnerabilities known to be actively exploited by malicious actors. Hexiosec will be using this list to highlight if it has found a component vulnerable to an exploited CVE.
  • Grouping risks into actions: To enable organisations to manage large numbers of risks more effectively, Hexiosec will soon be presenting a new feature which allows you to see related risks grouped by domain or component. For example, all your CSP risks for a single domain (example.com) will be manageable and tracked together as one action.
  • Public API: We recognise than many users would like to interact with Hexiosec in an automated way which allows it to be driven by or input data into other systems. We’ll soon be presenting a first version of a public API to enable scripted and automated interactions, facilitating integrations with your other tools.
About Tim Cowell
Tim is an experienced software engineer, who has worked across the Defence, Government and Commercial sectors for the past 21 years. After leading a diverse range of projects Tim has a strong background in Cyber Security, software engineering, research and development practices.
Tim Cowell