Vulnerabilities

Vulnerabilities are the flaws or weaknesses in your environment that an attacker can exploit. Security Program 360 (SP360) detects these flaws, prioritizes them, and suggests remedies so they can be addressed before they are exploited.

The Vulnerabilities page provides an organized and unified view of all vulnerabilities across your environment.


The upper left corner of the Vulnerabilities page contains a blue box with the number of vulnerabilities meeting your selection criteria.

Filtering and Searching Options, and Action Icons

The Asset Type dropdown filter at the top of the page lets you show all vulnerabilities or restrict the view to those associated with one asset type: Web Apps, SAST, Endpoints, or Cloud Agents.

Note: If either Endpoint or Cloud Agent is selected, further filtering is available. Endpoints can be partitioned into External, Internal, or AWS, and Cloud Agents into Servers and Workstations. For example, you can select all Endpoints or just a specific subset of them.

A Search and Filter bar to the right of the Asset Type filter allows you to select vulnerabilities based on the attributes defined below. The Search and Filter bar presents a pull-down list of additional filtering options, many of which support multi-select.

Filtering Options

SEVERITY

The SEVERITY of a vulnerability reflects its impact. Several severities can be selected, and all those selected are reflected in the vulnerability count and displayed in the grid. Available severities are Urgent, Critical, Serious, Medium, and Minimal (the same five levels Qualys uses); the three highest are defined as follows:

  • Urgent: Intruders can easily gain control of the asset, which can lead to the compromising of your entire environment's security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.
  • Critical: Intruders can gain control of the asset, or there may be potential leakage of highly sensitive information. For example, vulnerabilities at this level may include full read access to files, potential backdoors, or a listing of all the users on the host.
  • Serious: Intruders may be able to gain access to specific information stored on the asset, including security settings. This could result in potential misuse of the asset by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying.
STATUS

The STATUS of the vulnerabilities. Multiple statuses can be selected, and the vulnerability count and the grid reflect your selection. However, some options are mutually exclusive (for example, the aggregate options and the individual statuses they contain), so selecting one automatically unselects the others.

The available options are:

  • All: All of the existing vulnerabilities, regardless of state.
  • All Open: Includes the New, Active and Reopened statuses.
  • All Resolved: Includes the Fixed and Ignored statuses.
  • New (Last Scan): Vulnerabilities newly discovered during the last Qualys or SonarQube scan.
  • Active: All vulnerabilities that have been detected in the last two or more scans (i.e., Open, but neither New nor Reopened).
  • Reopened (Last Scan): Vulnerabilities previously determined to be fixed but that have reoccurred during the last scan.
  • Fixed: All of the fixed vulnerabilities. This means they were previously detected, but are no longer detected.
  • Ignored (All): All of the ignored vulnerabilities. Vulnerabilities can be manually ignored by a user or automatically ignored by the SP360 application. This is noted for each ignored vulnerability.
  • Manual Ignored: Vulnerabilities ignored manually by a specific user, either individually, or as part of a bulk ignore request.
  • Auto Ignored: The SP360 application has rules that cause vulnerabilities to be auto-ignored. There are two scenarios: (a) any vulnerability that has not been seen for 30 days, or (b) any asset that has not been reachable for 30 days, at which time the asset is "aged out" and all of its associated vulnerabilities are ignored. SP360 warns users that these expiration dates are approaching by coloring the vulnerability or asset amber when it is within 20 days of aging out, and red when it is within 10 days of aging out. Note that an unreachable asset is aged out even though its vulnerabilities were never remediated, so an auto-ignore caused by rule (b) should be treated as a scanning gap rather than as a fix.

PREDEFINED FILTERS

This PREDEFINED FILTERS option allows you to display the vulnerabilities that match a set of predefined values for ease of use. Selections include: All, High Severity (i.e., Urgent and Critical), Assigned, Assigned to Me, Watching, Patchable, Non-Patchable, Obsolete, and Zero Day. These Predefined Filters cannot be changed.

ISSUE TYPE

The ISSUE TYPE filtering option applies to the SAST asset type only. It allows users to display vulnerabilities that meet the specified criterion. Available options are: All, Vulnerabilities, and Bugs.

FILTER BY DATE

Vulnerabilities can be filtered by date. In all cases, if a From date is not specified it is assumed to be from the time the vulnerability was first identified using SP360. Similarly, if the To date is not specified, it assumes the current time:

  • Due Date: You can specify a due date range (From Date - To Date), which is the assigned Due Date.
  • Created Date: You can specify a created date range (From Date - To Date), which is the first scan in which the vulnerability was captured.
  • Last Detected: You can specify a last detected date range (From Date - To Date), which is the date of the last time the vulnerability was captured by a scan.
  • Last Tested: You can specify a last tested date range (From Date - To Date), which is the date of the last scan of the asset, regardless of whether the vulnerability was captured.
  • Fixed Date: You can specify a vulnerability fixed date range (From Date - To Date), which is the date on which a scan determined that a previously open vulnerability had been remediated.
  • Reopened: You can specify a reopened date range (From Date - To Date), which is the date of the scan in which a previously closed vulnerability is rediscovered.
  • Ignored: You can specify an ignored date range (From Date - To Date), which is the date the vulnerability was ignored (manually, automatically, singularly or in bulk).
  • Unignored: You can specify an unignored date range (From Date - To Date), which is the date the vulnerability was unignored (manually, automatically, singularly or in bulk).

For each date attribute, clicking on the field displays a date control. In addition to the date, the control has a field in which a time of day (hour, minute, and second) can be specified.

MISC. FILTERS

Vulnerabilities can be filtered by Qualys ID (QID) for Endpoints, Cloud Agents, and Web Apps, and by Rule ID for SAST. This filtering option is visible only when the Asset Type filter is set to one specific asset type (Web Apps, Cloud Agents, Endpoints, or SAST); it is not available when the Asset Type filter is set to "All".

Action Icons

The checkboxes on the left allow users to select one or more vulnerabilities and apply bulk operations, for example, assign the selected set to the same person.

There are three bulk actions available:

  • Assign/Unassign: Click this action icon to bulk assign or unassign the selected vulnerabilities. A pop-up screen appears in which you choose the assignee.
  • Add/Remove Watchers: Click this action icon to bulk add or remove watchers on the selected vulnerabilities. A pop-up screen appears in which you choose the watchers.
  • Export: Click this action icon to export the selected vulnerabilities. Export is only available when the Asset Type filter is set to a specific asset type (Web Apps, Cloud Agents, SAST, or Endpoints).

The “Selected” control shows the number of vulnerabilities selected and that will be impacted by any bulk operation.

Vulnerabilities Grid

The Vulnerabilities grid includes the following fields by default; however, users can customize the grid to add, remove, or re-arrange fields to meet their needs by clicking the action icon at the bottom right of the grid.

Note: The column sets are contextual and may differ slightly for each Asset type. The explanation below is when the Asset Type filter is selected to “All Asset Types”.

NAME: A brief description of the vulnerability discovered for this asset.
HOST ASSET: If all asset types are selected, this column header is shown as "Host Asset". If a specific asset type is selected, the same column has a more specific header, such as "Web Application" or "Endpoint". In either case the column shows an icon for the type of asset followed by the asset identifier (e.g., an IP address for an endpoint).
STATUS: The status of each vulnerability, i.e., New, Active, Fixed, Reopened, or Ignored.
Note: For ignored vulnerabilities, the status also records the state the vulnerability was in at the time it was ignored.
SEVERITY: The severity of the vulnerability, reflecting its impact. Available severities are: Urgent, Critical, Serious, Medium, or Minimal.
LAST DETECTED DATE: The date and time of the scan in which the vulnerability was last detected.
LAST TESTED DATE: The date and time a scan was last run against the asset, whether or not the vulnerability was found. If the Last Tested Date is more recent than the Last Detected Date, then either the vulnerability was remediated or the asset could not be accessed by the scan. In the latter case the vulnerability is still present and will be auto-ignored if the asset stays unreachable for 30 days, so confirm asset reachability before treating a missing detection as a fix.
AGE: Length of time a vulnerability has existed, in fractional days.
  • Open - Number of days since the vulnerability was detected.
  • Fixed - Number of days the vulnerability had been open at the time it was remediated or ignored.
Note: If a vulnerability has been reopened one or more times, a superscript next to the field indicates how many times that has occurred.
Each Age field is clickable; doing so displays a pop-up that shows the vulnerability's life cycle.
DUE DATE: A date you can specify by which the vulnerability should be resolved. If the date is within a week, it is shown in amber. When the date is within three days, it is shown in red. When the date has passed, so the vulnerability is overdue, it is shown in a darker red.
ASSIGNED TO: If the vulnerability has been assigned to a team member to resolve, this field shows the name of that team member.
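The lifecycle rules spread across this page (how STATUS follows from the scan history, how AGE and the reopen superscript are computed, the 30/20/10-day auto-ignore countdown, and the DUE DATE coloring) are easier to reason about as one model. The following is an added example, not SP360 code: the scan histories are constructed, and the boundary semantics (that "within 20 days" means 20 or fewer days left, that AGE of an open finding counts from its first detection, and that a Fixed finding's age ends at the first clean scan) are assumptions.

```python
# Added example, not SP360's implementation; thresholds come from the page,
# boundary semantics and all sample data are assumptions/constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

AUTO_IGNORE_DAYS = 30   # not seen for 30 days -> auto-ignored (from the page)
AMBER_DAYS_LEFT = 20    # amber when within 20 days of aging out (from the page)
RED_DAYS_LEFT = 10      # red when within 10 days of aging out (from the page)
DUE_AMBER_DAYS = 7      # due date within a week -> amber (from the page)
DUE_RED_DAYS = 3        # due date within three days -> red (from the page)


@dataclass
class Scan:
    tested_at: datetime   # when the scan ran (a LAST TESTED DATE candidate)
    detected: bool        # True if this vulnerability was found by that scan


@dataclass
class Vulnerability:
    scans: List[Scan]                   # any order; sorted oldest -> newest below
    ignored: bool = False
    due_date: Optional[datetime] = None

    def __post_init__(self):
        self.scans = sorted(self.scans, key=lambda s: s.tested_at)
        if not any(s.detected for s in self.scans):
            raise ValueError("a vulnerability needs at least one detection")

    def created(self) -> datetime:          # CREATED DATE: first detecting scan
        return next(s.tested_at for s in self.scans if s.detected)

    def last_detected(self) -> datetime:    # LAST DETECTED DATE
        return max(s.tested_at for s in self.scans if s.detected)

    def fixed_at(self) -> Optional[datetime]:
        """First clean scan after the last detection; None while still open."""
        later = [s.tested_at for s in self.scans if s.tested_at > self.last_detected()]
        return min(later) if later else None

    def status(self) -> str:
        if self.ignored:
            return "Ignored"
        if not self.scans[-1].detected:
            return "Fixed"       # previously detected, no longer detected
        if not any(s.detected for s in self.scans[:-1]):
            return "New"         # first seen in the last scan
        if self.scans[-2].detected:
            return "Active"      # detected in the last two or more scans
        return "Reopened"        # was clean, has reoccurred in the last scan

    def is_open(self) -> bool:
        return self.status() in ("New", "Active", "Reopened")

    def reopen_count(self) -> int:
        """Clean -> detected transitions after an earlier detection (the AGE superscript)."""
        return sum(1 for i in range(1, len(self.scans))
                   if self.scans[i].detected and not self.scans[i - 1].detected
                   and any(s.detected for s in self.scans[:i]))

    def age_days(self, now: datetime) -> float:
        """AGE in fractional days: open -> since first detection (assumed);
        fixed -> how long it had been open when the clean scan closed it."""
        end = now if self.is_open() else (self.fixed_at() or now)
        return (end - self.created()).total_seconds() / 86400

    def aging_warning(self, now: datetime) -> Optional[str]:
        """Auto-ignore countdown for open findings: None, 'amber', 'red' or 'auto-ignore'."""
        if not self.is_open():
            return None
        days_left = AUTO_IGNORE_DAYS - (now - self.last_detected()).days
        if days_left <= 0:
            return "auto-ignore"
        if days_left <= RED_DAYS_LEFT:
            return "red"
        return "amber" if days_left <= AMBER_DAYS_LEFT else None

    def due_colour(self, now: datetime) -> Optional[str]:
        """DUE DATE colouring: amber within a week, red within three days, dark red overdue."""
        if self.due_date is None:
            return None
        left = self.due_date - now
        if left < timedelta(0):
            return "dark red"
        if left <= timedelta(days=DUE_RED_DAYS):
            return "red"
        return "amber" if left <= timedelta(days=DUE_AMBER_DAYS) else None


def demo() -> dict:
    """Constructed histories: found, found, clean, found again (last scan 12 days ago);
    the same finding closed by a later clean scan; and an asset not scanned for 31 days."""
    t0, day = datetime(2024, 3, 1, 9, 0), timedelta(days=1)
    now = t0 + 33 * day
    reopened = Vulnerability(
        [Scan(t0, True), Scan(t0 + 7 * day, True), Scan(t0 + 14 * day, False), Scan(t0 + 21 * day, True)],
        due_date=t0 + 35 * day)
    fixed = Vulnerability(reopened.scans + [Scan(t0 + 28 * day, False)])
    stale = Vulnerability([Scan(t0, True), Scan(t0 + 2 * day, True)])
    return {
        "status": reopened.status(), "reopens": reopened.reopen_count(),
        "age": round(reopened.age_days(now), 2), "aging": reopened.aging_warning(now),
        "due": reopened.due_colour(now),
        "fixed_status": fixed.status(), "fixed_age": round(fixed.age_days(now), 2),
        "stale_status": stale.status(), "stale_aging": stale.aging_warning(now),
    }
```

The `stale` case is the one worth noticing: its STATUS is still Active because the last scan found it, yet it has not been seen for more than 30 days and is already eligible for auto-ignore. Filtering on Status alone therefore misses findings that are about to disappear from the open view; combine it with the Last Detected date filter or watch the amber/red aging color.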


Each Vulnerability has four available icons on the right side of each line.

View Details: Clicking this icon displays a pop-up window with additional details related to the vulnerability, such as where it was found and a potential remediation. This Details page contains the most important information for understanding and resolving a vulnerability.

Add Notes: Clicking this icon displays a pop-up window in which you can add or review descriptive notes on the status of a vulnerability.

Note: If notes have been added for a vulnerability, a superscript next to the icon indicates the number of notes.

Add Watchers: Clicking this icon allows you to add multiple users (one at a time) as watchers of a given vulnerability. You add a watcher by selecting the user from a drop-down list, and remove one by clicking the Remove icon next to the user in the watchers' list. Watchers are notified whenever the status of the vulnerability changes, a note is added, or the assignment changes.

Ignore/Unignore: This is the manual ignore function. Ignoring is used to resolve a vulnerability that does not need to be addressed. For example, if a server is being taken out of service, a user may choose to ignore the vulnerabilities associated with that server to reduce the data being displayed. Clicking this icon causes the vulnerability to be ignored. Once a vulnerability is ignored, the Ignore function is no longer available for it; only Unignore is.

At the time a vulnerability is being ignored, the user has the following additional options:

  • Ignore selected instance of this vulnerability: Only this vulnerability on this asset will be ignored. Either this option or the next must be selected.
  • Ignore all instances of this vulnerability for all hosts: This is essentially a "bulk ignore" that ignores every instance of this vulnerability regardless of the asset it applies to. Because it suppresses the finding across the whole environment, reserve it for confirmed false positives or formally accepted risk.
  • Ignore Reason: The classification for why the vulnerability is being ignored (False Positive, Risk Accepted, or Not Applicable). This is required.
  • Ignore Comments: An optional free-text field. Recording the justification here leaves an audit trail for later review of ignored findings.

If a user decides to undo a previously ignored vulnerability, they can use the Unignore function, which is only available for vulnerabilities with an "Ignored" status.

Note: Vulnerabilities in Fixed status cannot be ignored.