With the release of Acunetix Standard and Acunetix Premium version 23.8.0 comes the addition of critical severity as a new vulnerability classification.
What’s changing?
Our vulnerability classification system (High-Medium-Low) is expanding to include a fourth threat level: Critical Severity. From 5 September 2023, you’ll find Critical Severity and Threat Level 4 added throughout the products.
What you won’t see right away is any change in the product behavior. For now, all critical vulnerabilities remain categorized as High. This includes existing vulnerabilities and newly found vulnerabilities. That’s why, for the moment, you’ll see 0 critical vulnerabilities displayed throughout the product where the new critical severity category has been added.
A second stage of implementation is planned for release at the end of September 2023. At that time, we’ll be reclassifying select vulnerabilities from High to Critical. We’ve deliberately chosen to implement these changes in two stages so that our customers who extract data via APIs have time to update their scripts before the reclassification comes into effect.
Between now and the end of September 2023, we encourage all customers using API integrations or workflows to prepare for the reclassification of select vulnerabilities from High to Critical. This will require updating scripts to account for the new critical severity threat level. More on this below.
You can find the current list of all vulnerabilities and their severity classification on our website. We’ll be updating this list with the new classifications along with the release of v23.9.0 at the end of September.
Timeline
Why are we making this change?
Currently, Acunetix Standard and Acunetix Premium classify all critical-level vulnerabilities as ‘high’. This differs from other IT industry security standards and frameworks, which include a ‘critical’ severity rating for security vulnerabilities. By adding a fourth ‘critical’ threat level, we’re bringing both products in line with modern classification systems, such as the Common Vulnerability Scoring System (CVSS).
How do I prepare for this change?
If you use our API, we recommend obtaining the latest API documentation and updating your internal scripts that work with data from Acunetix. You can download the latest API documentation from the Acunetix user interface by clicking your name in the top-right corner and selecting Profile. Then click the Acunetix API Documentation link that’s listed in the API Key section of your profile.
Below is a list of endpoints where the critical severity level has been added. For some endpoint responses (e.g. scan-related or vulnerability-related endpoints), critical severity is referred to as the criticality of a vulnerability. Other endpoint responses, such as target or target group-related endpoints, now include severity counts (e.g. criticality=30).
Endpoints with critical severity added
/config/agents
/reports
/scans
/scans/{scan_id}
/scans/{scan_id}/results/{result_id}/crawldata
/scans/{scan_id}/results/{result_id}/crawldata/{loc_id}
/scans/{scan_id}/results/{result_id}/crawldata/{loc_id}/vulnerabilities
/scans/{scan_id}/results/{result_id}/statistics
/scans/{scan_id}/results/{result_id}/technologies
/scans/{scan_id}/results/{result_id}/vulnerabilities
/scans/{scan_id}/results/{result_id}/vulnerability_types
/scans/{scan_id}/results/{result_id}/vulnerabilities/{vuln_id}
/targets
/targets/add
/targets/cvs_export
/targets/{target_id}
/targets/{target_id}/technologies/{tech_id}/vulnerabilities
/target_groups
/target_groups/{group_id}
/target_groups/{group_id}/scan
/vulnerabilities
/vulnerabilities/{vuln_id}
/vulnerability_types
/vulnerability_groups
/me/license/fqdns
/me/stats
/web_assets
/events
/notifications
/users
/user_groups
/roles
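The kind of script change this preparation involves, as an added example that is not Acunetix code: a severity check written for three levels stops escalating a finding once it moves from High to Critical, while a threshold comparison keeps working. The record field names (`vuln_id`, `severity`) and the value 0 for informational are assumptions, and the sample records are constructed.

```python
from collections import Counter

# Threat levels as named on the page. The numeric value 0 for
# "informational" and the record field names are assumptions.
SEVERITY_NAMES = {4: "critical", 3: "high", 2: "medium", 1: "low", 0: "informational"}
HIGH = 3


def severity_name(level):
    """Map a numeric threat level to its label; never drop an unknown level."""
    return SEVERITY_NAMES.get(level, f"unknown({level})")


def summarize(findings):
    """Count findings per severity label, keeping unknown levels visible."""
    return Counter(severity_name(f["severity"]) for f in findings)


def needs_escalation(findings, threshold=HIGH):
    """Return findings at or above the threshold.

    Levels outside the known map are escalated too (fail closed), so a
    future fifth level cannot slip through silently.
    """
    return [
        f for f in findings
        if f["severity"] not in SEVERITY_NAMES or f["severity"] >= threshold
    ]


def legacy_needs_escalation(findings):
    """The brittle three-level check, kept only for comparison."""
    return [f for f in findings if f["severity"] == HIGH]


# Constructed sample records (not real API output).
SAMPLE = [
    {"vuln_id": "example-1", "severity": 4},  # reclassified High -> Critical
    {"vuln_id": "example-2", "severity": 3},
    {"vuln_id": "example-3", "severity": 2},
    {"vuln_id": "example-4", "severity": 0},
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
    print([f["vuln_id"] for f in needs_escalation(SAMPLE)])
    print([f["vuln_id"] for f in legacy_needs_escalation(SAMPLE)])
```

The legacy check misses `example-1`, which is the regression to look for in existing ticketing or CI gating scripts before the reclassification takes effect.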
FAQs
What will happen to my previous scans?
Nothing changes with your previous scans. All scan results prior to the 28 September 2023 release will stay as they are. Only scans launched after the release of v23.9.0 will see vulnerabilities classified as critical.
Why are you adding critical severity?
Critical severity is used in other IT industry security standards and frameworks for rating vulnerabilities. Adding critical severity brings Acunetix in line with modern classification systems such as the Common Vulnerability Scoring System (CVSS).
Which vulnerabilities have changed to critical?
Currently no vulnerabilities have changed to critical. The reclassification of select vulnerabilities from high to critical will occur with the release of v23.9.0 on 28 September 2023.
The current list of vulnerabilities and their severity classification will be updated and published on the Acunetix website with the release of v23.9.0 at the end of September.
What will happen to previously found vulnerabilities? Will they change to critical?
Previously found vulnerabilities from a scan launched prior to updating to v23.9.0 will retain their original severity classification.
Vulnerabilities found by a newly launched scan after updating to v23.9.0 will be classified using the new threat levels: critical, high, medium, low, and informational.