Interpreting Scan Results

How to get the most out of the Crashtest Security Scan Results

Our software provides three views to give you the most relevant information on your projects.

Home

Frame 12

This is the landing page when you log in to the application. It is also called the dashboard, as it gives you the most relevant information on a high level for all your projects.

At the top, the screen shows the number of findings by criticality for all your projects.
We rate our findings according to the Common Vulnerability Scoring System (CVSS). More information on the scoring system can be found here.

Below, you see a list of your projects, including the type of scan, as well as the last scan time.

The status dot at the left side of the row indicates the current state of the scan. When you hover the mouse over the dot, you see the current status.

If you want to add more projects, simple click the yellow "+"-button on the bottom right of the project list.

On the bottom of the page, you see the details of the last scan you ran, with the project name on the top. This gives you direct access to the most current vulnerabilities for quick fixing. The findings are sorted by criticality, with the most critical finding at the top. 

You can see more details per project when you click on a project row. 

Project Overview

Scan Results - Project View

Our software provides an overview over the history of scans per project - and ideally the increased security (meaning fewer vulnerabilities) - over time.

On the top, you can see a visual representation of the past scans. The bars show the number of findings per scan, as well as the number and date of the scan. The findings are grouped by severity as indicated by the color scheme directly below the graph. You can click on the respective bar to jump to the specific scan view.

In the top right, you see the buttons for the general project actions and settings: 

  • "Start Scan": Starts a manual scan
  • "Preferences": Lets you change the project settings.
    These are described in continuous security testing setup.
  • "Delete": This will delete the project.
    Attention: This will also delete the scan history. Make sure you downloaded all documents you will need in the future.

Below the graph, you see a list of all scans, including the status, the type of scan, and the last scan time.

By clicking on a scan row or the respective bar in the graph, you will get to the overview over one scan. 

Scan Details

Scan Results - Individual Scan Status

The scan details page gives you an overview over the specific scan results.
After a scan has been started, you can see the findings appear in the findings list in real-time.

The top left box gives general information, such as the scanned URL, the type of scan, the time when it was started, how the scan was started, and the duration. For more information on the individual items, you can hover the mouse over them.

The options for the scan start include "Manual", "Scheduler", or "Webhook". For more information on the settings for the scan start, please see continuous security testing setup.
This box also gives you the option to go quickly to a different scan number for the same project with the buttons at the bottom - or you can enter a specific scan number in the text field.

The top middle box is a pie chart to add a visual representation of the number of findings, grouped by severity.

The top right box shows the maximum CVSS severity.

The top right corner shows the different options to download the report for this specific scan: either in .pdf format or in the machine readable J-Unit format.  

The bottom box has two tabs - finding details or the status of the individual scanners.

The screenshot above shows the second tab for the bottom box.
Here, you can see the individual scanner status for this scan and any detailed information in case the scanner was not able to run. The screenshot shows that for the Cross-Site Request Forgery (CSRF) scanner to be executed, you would need to configure the application credentials in the project setting (see continuous security testing setup on how to do that).

Scan Results - Individual Scan Findings

The finding details are shown on the screenshot above.

It shows the title of the vulnerability scanner, the detailed information of the vulnerability we found, and the criticality, from left to right.
The standard sort is by severity, but you can change that by clicking on the respective column header - for example if you would like to find all SQL Injection vulnerabilities next to each other.

You can also filter for the scanner title or for a specific description content (i.e. "certificate" for SSL certificate vulnerabilities).

Frame 11

To get further information about a vulnerability simply click on its name. This opens an overlay with an additional description. To get advice on remediation of the vulnerability click on the provided link “How to fix this issue?”. This will lead you to our knowledge base with detailed explanation on the issue and how to fix it.

 

The next step on your journey to agile security testing is to set up the invasive testing mode. This allows you to test for a wider range of security vulnerabilities .

invasiveScanning-1

 

Alternatively, you can configure the continuous testing settings. Sit back, relax, and let our automation do all the work.

continuoustesting-1