This article explains how to get the most out of the Crashtest Security scan results.
Our software provides three views to give you the most relevant information on your projects.
The first view is the landing page you see when you log in to the application. It is also called the dashboard, as it gives you the most relevant information on a high level for all your projects.
At the top, the screen shows the number of findings by the criticality of the latest security scan.
We rate our findings according to the Common Vulnerability Scoring System (CVSS) version 3.
Below, you see a list of your projects, including the type of scan and the last scan time.
The status dot on the left side of the row indicates the current state of the scan. You see the current status when you hover the mouse over the dot.
If you want to add more projects, click the yellow "+"-button on the bottom right of the project list.
At the bottom of the page, you see the details of the last scan you ran, with the project name on the top. This gives you direct access to the most current vulnerabilities for quick fixing. The findings are sorted by criticality, with the most critical result at the top.
You can see more details per project when clicking on a project row.
The project view shows the history of scans for one project over time - and ideally the increase in security (meaning fewer vulnerabilities) from scan to scan.
You can see a visual representation of the past scans on the top. The bars show the number of findings per scan and the number and date of the scan. In addition, the results are grouped by severity, as indicated by the color scheme directly below the graph. Click on the respective bar to jump to the specific scan view.
In the top right, you see the buttons for the general project actions and settings:
- "Start Scan": Starts a scan manually.
- "Preferences": Lets you change the project settings. These are described in the continuous security testing setup.
- "Delete": Deletes the project. Attention: This also deletes the scan history, so make sure you download all documents you will need in the future before deleting.
Below the graph, you see a list of all scans, including the status, the type of scan, and the last scan time.
By clicking on a scan row or the respective bar in the graph, you get to the overview of a single scan.
The scan details page gives you an overview of the specific scan results.
After a scan has been started, you can see the findings appear in the findings list in real-time.
The top left box gives general information, such as the scanned URL, the type of scan, when it started, how the scan was created, and the duration. You can hover the mouse over the individual items for more information.
The options for the scan start include "Manual," "Scheduler," or "Webhook." For more information on the settings for the scan start, please see the continuous security testing setup.
This box also allows you to go quickly to a different scan number for the same project with the buttons at the bottom - or you can enter a specific scan number in the text field.
The top middle box is a pie chart visually representing the number of findings grouped by severity.
The top right box shows the maximum CVSS severity.
The top right corner shows the options for downloading the report for this scan: either in .pdf format or in the machine-readable JUnit format.
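The JUnit export is what lets a CI pipeline consume the scan results, for example to block a deployment when a finding reaches a given severity. The block below is an added example, not Crashtest Security's own code: the sample report is constructed, and the way the export lays out classname/name/message and states the severity inside the failure text are assumptions about the real format.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
# Constructed sample in the standard JUnit XML shape. How the real export lays out
# classname/name/message and where it states the severity are assumptions.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="crashtest-security-scan" tests="3" failures="2">
    <testcase classname="sql_injection" name="https://example.com/login">
      <failure message="SQL injection detected on login form">Severity: High</failure>
    </testcase>
    <testcase classname="tls_certificate" name="https://example.com/">
      <failure message="Certificate chain incomplete">Severity: Medium</failure>
    </testcase>
    <testcase classname="xss" name="https://example.com/search"/>
  </testsuite>
</testsuites>"""

SEVERITY_ORDER = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

@dataclass
class Finding:
    scanner: str
    url: str
    message: str
    severity: str

def parse_junit_report(xml_text: str) -> list[Finding]:
    """Return one Finding per <testcase> that carries a <failure> element."""
    findings = []
    for case in ET.fromstring(xml_text).iter("testcase"):
        failure = case.find("failure")
        if failure is None:
            continue  # passing testcase: the scanner ran and found nothing
        match = re.search(r"Severity:\s*(\w+)", failure.text or "")
        findings.append(Finding(
            scanner=case.get("classname", "unknown"),
            url=case.get("name", ""),
            message=failure.get("message", ""),
            severity=match.group(1).capitalize() if match else "None",
        ))
    return findings

def max_severity(findings: list[Finding]) -> str:
    """Highest severity present, like the scan page's maximum-severity box."""
    return max((f.severity for f in findings), key=lambda s: SEVERITY_ORDER.get(s, 0), default="None")

def build_should_fail(findings: list[Finding], threshold: str = "High") -> bool:
    """Fail the pipeline if the worst finding reaches the threshold severity."""
    return SEVERITY_ORDER[max_severity(findings)] >= SEVERITY_ORDER[threshold]
```

Testcases without a `<failure>` element are scanners that ran clean, so only failing cases become findings; unknown severity labels are treated as the lowest rank rather than crashing the gate.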
The bottom box has three tabs. Every tab has a notification bubble that shows the number of entries it contains.
- Findings: Shows all results of the current scan.
- Scanner Status: Shows all scanners and how they performed.
- Scanned URLs: Shows all URLs that were scanned for vulnerabilities.
The finding details are shown in the screenshot above.
From left to right, it shows the title of the vulnerability scanner, detailed information about the vulnerability we found, and the criticality.
The standard sort is by severity, but you can change that by clicking on the respective column header - for example, if you would like to find all SQL Injection vulnerabilities next to each other.
You can also filter by scanner title or by a specific description content (e.g., "certificate" for SSL certificate vulnerabilities).
To get further information about a vulnerability, click on its name. This opens an overlay with an additional description. Then, to get advice on remediation of the exposure, click on the provided link "How to fix this issue?". This will lead you to our knowledge base with a detailed explanation of the issue and how to fix it.
The Scanner Status tab shows the status of each individual scanner for this scan, with detailed information if a scanner was not run. In the screenshot, all scanners were executed correctly.
The Scanned URLs tab shows you which pages were detected during crawling and chosen for an additional security scan. We scan all pages to detect interactive elements such as a GET parameter in the URL or a form sent via a POST request. For every page, an icon shows whether at least one vulnerability was detected on it.
The next step on your journey to agile security testing is to set up the invasive testing mode. This allows you to test for a broader range of security vulnerabilities.
Alternatively, you can configure the continuous testing settings. So please sit back, relax, and let our automation do all the work.