
New ASM Features and Improvements | March 2025

Tim Cowell
1 April 2025

Introduction

We have a number of updates to highlight for you this month, ranging from web component detections to user preference improvements.

Read below for details on the following:

  • Detection of the Hunk Companion WordPress plugin
  • Configurable user session timeouts (Enterprise)
  • Improvements to user preferences navigation
  • ‘Last active’ data for organisation users
  • End of scan actions link
  • New options to control table data views

Detection of the Hunk Companion WordPress plugin

In December 2024, a critical vulnerability was discovered in the Hunk Companion WordPress plugin. It can be difficult to stay on top of the latest vulnerabilities, especially if you can’t monitor the latest cyber security news all the time. Thankfully, ASM continuously monitors your public infrastructure for you, alerting you to new risks.

We’ve updated our discovery capability, which now includes detection of the Hunk Companion WordPress plugin.

Explore page for Hunk Companion

Am I impacted? At the time of writing, the December CVE (CVE-2024-11972) is still awaiting analysis by NIST, but guidance is to update to the latest version. You may be impacted if you are running a version before v1.9. If you are using WordPress, you can easily check whether you’re impacted by searching for ‘Hunk’ in the component widget on the Overview page, which will show whether the plugin has been discovered and its version. You will also see whether it is impacted by any existing CVEs.

Searching components for Hunk Companion

When the NIST analysis of the new CVE is complete, ASM will automatically raise risks and, if notifications are enabled, you will receive an alert if impacted. Our FAQs page provides more detail.

Configurable user session timeouts

The following is available for our Enterprise and MSP customers. If you’re interested, please get in touch.

Based on our own guidance (from our Services team), we’ve adjusted the default user session timeouts. Your ASM account will be logged out after 14 days if you are routinely active, or 7 days if inactive.

If you require shorter timeouts, we can now adjust the two values (total lifetime and idle lifetime) per organisation. This allows you to align ASM account use with your own internal security policies.

I won’t include a gif of a user logout; use your imagination.
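How a total lifetime and an idle lifetime combine to decide when a session ends, as an added example that is not Hexiosec's code. The names `SessionPolicy`, `org_policy`, `session_state` and `expires_at` are hypothetical, and the rule that a per-organisation override can only shorten the defaults is an assumption drawn from the "shorter timeouts" wording above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Defaults stated in the post: 14 days total lifetime, 7 days idle lifetime.
DEFAULT_TOTAL = timedelta(days=14)
DEFAULT_IDLE = timedelta(days=7)


@dataclass(frozen=True)
class SessionPolicy:
    total_lifetime: timedelta = DEFAULT_TOTAL
    idle_lifetime: timedelta = DEFAULT_IDLE


def org_policy(total: Optional[timedelta] = None,
               idle: Optional[timedelta] = None) -> SessionPolicy:
    """Per-organisation policy. Assumption: overrides can only shorten the defaults."""
    total = DEFAULT_TOTAL if total is None else total
    idle = DEFAULT_IDLE if idle is None else idle
    if total <= timedelta(0) or idle <= timedelta(0):
        raise ValueError("lifetimes must be positive")
    total = min(total, DEFAULT_TOTAL)
    # An idle window longer than the total lifetime can never trigger, so cap it.
    return SessionPolicy(total, min(idle, DEFAULT_IDLE, total))


def session_state(policy: SessionPolicy, created_at: datetime,
                  last_seen: datetime, now: datetime) -> str:
    """Check the total lifetime first: activity must never extend it."""
    if now - created_at >= policy.total_lifetime:
        return "expired_total"
    if now - last_seen >= policy.idle_lifetime:
        return "expired_idle"
    return "active"


def expires_at(policy: SessionPolicy, created_at: datetime,
               last_seen: datetime) -> datetime:
    """Earliest moment either limit is reached, e.g. for a cookie expiry."""
    return min(created_at + policy.total_lifetime,
               last_seen + policy.idle_lifetime)


if __name__ == "__main__":
    t0 = datetime(2025, 3, 1, tzinfo=timezone.utc)  # constructed login time
    strict = org_policy(total=timedelta(hours=12), idle=timedelta(minutes=30))
    print(session_state(org_policy(), t0, t0 + timedelta(days=1), t0 + timedelta(days=8)))
    print(expires_at(strict, t0, t0 + timedelta(hours=11, minutes=45)))
```

The idle window slides with each request while the total lifetime is fixed at login, so a continuously active session still ends when the total lifetime is reached.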

MFA status and user preference updates

If you are using SSO, then MFA status won’t be shown as this is handled by your SSO provider.

We always recommend securing your ASM account with MFA and we’ve made some menu adjustments to help you do this. From your user menu, you will now clearly see your MFA status.

User not enabled MFA status

If MFA is not set up, clicking on the status will take you directly to the account management pages where you can use an authenticator app to set up MFA.

If MFA is set up, then you can still follow the status link to set up a new MFA token.

User enabled MFA status

For all other account preferences, including MFA, you can use the updated ‘Account & preferences’ menu item to go to a one-stop shop for all your user preference needs.

User account preferences

From here you can manage your account and credentials, as well as any ASM preferences, such as notification choices.

Other improvements

A few other app improvements to help you get the most from your account:

  • To help understand risks found in a new scan, the end of scan pop-up now includes a link straight to the Actions page.
Pop up window shown with the Actions button
  • To give you more control over data you see, various tables in the app (e.g. scans, domains) now include options to choose columns and adjust table width. This also allows us to include more data columns for you.
Drop down shown with toggle options
  • To check user activity and access, organisation admins can now see and sort by the ‘last active’ date for their users.
    • Note: the column is not enabled by default; enable it with column options.

List of users with last active date

Coming Soon

We’re always working on a range of new features. This month we’d like to highlight the following, which you can look forward to:

  • Components Asset Management page - a new asset management page, to help you see all components and their usage in one handy cut out and keep guide (exportable CSV).
  • Discovery of Default web server pages - this change will report specifically on where a web server is set up but using the default page for that service, and so likely isn’t being used.
About Tim Cowell
Tim is an experienced software engineer, who has worked across the Defence, Government and Commercial sectors for the past 21 years. After leading a diverse range of projects Tim has a strong background in Cyber Security, software engineering, research and development practices.