
Introduction
The development team has been busy again this month, with a focus on how you assess risk and manage your seed data. Here’s a look at what’s new in Hexiosec ASM this July:
- EPSS scores & Risks
- Multi-seed imports
- Glance at next run date
- Additional filters for Risk graphs
- CSP changes
Additionally, I joined Hexiosec in July as a Junior Software Engineer! Although it’s only been a month, I’ve contributed quite a few features in this blog 😊. Grateful for the team’s support, and excited for what’s ahead in Hexiosec ASM!
EPSS scores in Risks
One of the most visible additions this month is the inclusion of EPSS data throughout Hexiosec ASM. EPSS stands for Exploit Prediction Scoring System and is a set of CVE metrics produced by the Forum of Incident Response Teams (FIRST).
EPSS scores and percentiles give you insight into how likely a CVE is to experience exploitation activity in the next 30 days, and how it ranks across all known CVEs. The score updates regularly and will be refreshed every time a scan runs.
EPSS data can be viewed on the Risks page via the new EPSS score and optional percentile columns, and by expanding the row on vulnerability risks and selecting the EPSS tab. The value in the EPSS column can also be clicked as a shortcut to this tab.
There is also a new Vulnerabilities widget on the Overview page which features EPSS scores alongside severity and an indicator of known exploits, giving you a high-level view before drilling down into the scan results.

The Actions page features a maximum EPSS score alongside Actions that relate to resolving vulnerabilities, such as component updates.
For more information, you can read our documentation on EPSS scoring.
The introduction of EPSS data is designed to help you prioritise CVEs, particularly when faced with a long list of known vulnerabilities. Coming soon is a blog about how to use Hexiosec ASM and EPSS results to prioritise remediations; look out for this on our website and LinkedIn.
Continuous scans will receive up-to-date EPSS scores automatically, but scans last run before July 2024 won’t include EPSS results, unless they are rescanned. As with all scan results, the EPSS results shown in scans reflect the EPSS scores and other data at the time the scan was run.
EPSS scoring is not available to all tiers. Please contact us if you would like to discuss adding this feature to your Hexiosec ASM account.
Multi-seed import & location change
We’ve introduced a faster way to work with seeds: you can now add multiple seeds at once. The updated seed input form supports common delimiters, making it easier to paste in from your existing tooling or spreadsheets. To keep things easier to find, seed management has moved from the bottom of the scan overview page to a new home under Settings → Seeds.

In its place on the Overview page is a simplified summary widget that displays your currently configured seeds.

Glance at next run date
We’ve added an optional column to the Scans page that shows the next scheduled scan time. This is particularly useful if you’re working with recurring scans and want quick confirmation of when a scan will update next.
The time shown will reflect what you already see in the sidebar when you explore a specific scan — if you’d like to include the next run date it can be enabled in the table options.
Additional options for Risk graphs
We’ve also made some quality-of-life improvements to the Risks graph:
- On the Overview page the Risks Over Time widget now supports a “Last Week” filter to narrow the view to just recent data.
- On the Risks page the larger Risks Timeline now includes an “All Time” filter to show historical trends across your entire scan history.
These filters give a better contextual timeframe to quickly see last week’s results, or view an entire historical timeline of the risks.


CSP changes
As part of our continued improvements to Hexiosec ASM, we’ve updated our Content Security Policy (CSP) checks. The platform now includes checks for the ‘unsafe-hashes’ directive, providing deeper insight into CSP configurations.
Additionally:
- The legacy checks for ‘unsafe-inline’ and allowlist fallback CSPs have been removed.
- The severity of Trusted Types CSP findings has been adjusted and is now categorized as low risk.
These changes ensure that Hexiosec ASM provides more relevant and actionable information, aligning with current CSP best practices. An in-depth blog regarding the CSP changes is coming soon.
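To make the ‘unsafe-hashes’ check concrete, here is an added example (not Hexiosec ASM code, and not how the platform implements its check) that parses a CSP header and reports where ‘unsafe-hashes’ is in effect for inline event handlers and inline style attributes, following the CSP Level 3 directive fallback order. The function names, finding format and sample header are assumptions made for illustration, and a single policy per header is assumed.

```python
# Added example: a stand-alone 'unsafe-hashes' check, not Hexiosec ASM code.
# 'unsafe-hashes' lets hash sources match inline event handlers and style
# attributes, so look at the directive that actually governs each of them.
FALLBACKS = {
    "inline event handlers": ["script-src-attr", "script-src", "default-src"],
    "inline style attributes": ["style-src-attr", "style-src", "default-src"],
}
HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")

# Constructed sample header (the hash value is a placeholder, not a real digest).
SAMPLE = ("default-src 'self'; "
          "script-src 'self' 'unsafe-hashes' 'sha256-CONSTRUCTEDPLACEHOLDER='; "
          "style-src-attr 'none'")


def parse_csp(header):
    """Parse one CSP policy string into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, chain):
    """Return (directive, sources) for the first directive in the chain that is set."""
    for name in chain:
        if name in policy:
            return name, policy[name]
    return None, []


def find_unsafe_hashes(header):
    """Return one finding per inline target whose effective list has 'unsafe-hashes'."""
    policy = parse_csp(header)
    findings = []
    for target, chain in FALLBACKS.items():
        declared_in, sources = effective_sources(policy, chain)
        if "'unsafe-hashes'" not in [s.lower() for s in sources]:
            continue
        findings.append({
            "applies_to": target,
            "declared_in": declared_in,
            # An empty list means the keyword is present but matches nothing.
            "hashes": [s for s in sources if s.lower().startswith(HASH_PREFIXES)],
        })
    return findings
```

With the constructed header, only inline event handlers are reported: `style-src-attr 'none'` overrides the fallback chain for style attributes, so no finding is raised there.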
Other improvements
We’ve added an optional column “Due Date” to the Actions page, which allows you to see when a particular action is due.
Coming soon
We’re working on features to bring new functionality to Hexiosec ASM, which include:
- TLS version checks: Add TLS version checks to our existing TLS checks, including new risks if old versions of TLS are offered, e.g. TLS 1.0.
- Detecting Subdomains under risk: Enable users to detect subdomains that are vulnerable to takeover.
- Quality of life updates to CSP and headers.


