CVE Risks in ASM FAQ
This is a collection of commonly-asked questions and answers about CVE risks in Censys ASM.
What does Censys CVE risk coverage look like?
So far, Censys has detected approximately 4,000 unique CVEs. This number will continuously increase as our software fingerprint coverage increases.
How are the CVEs detected?
Censys detects the vendor, product, and software version in the scan data. Then any CVEs associated with the software are exposed to customers.
How can I customize which CVEs are included as risks in my workspace?
By default, only CVEs that match the following criteria are enabled: CVSS High or Critical, KEV, and Network Attack Vector. This can be tuned in the Configure CVEs page.
Which attack vectors are included in the CVE data?
Network, Network Adjacent, Local Network, and Physical are available. However, only Network Attack Vector CVEs are enabled by default.
How many CVEs should I expect to see in my attack surface?
This will entirely depend on your attack surface and the software present in that attack surface. We recommend that you start with the highest-severity CVEs enabled first. If you are comfortable with the volume on the highest severities, you can modify your settings to include more CVE risks in the Configure CVE page.
If NVD hasn’t published a CVSS score, will ASM use the vendor-published score instead?
Yes. If the CVSS isn’t available from NVD, ASM will still add the new CVE and use the vendor CVSS score.
How is severity determined for CVEs?
The max CVSS score severity maps directly to the Censys severity, meaning that if the max CVSS severity is high, the Censys severity will be the same. However, if a Known Exploited Vulnerability (KEV) CVE is detected, the risk will be automatically increased to a critical severity because KEVs need to be remediated urgently.
Is there a process for requesting new CVEs?
You can reach out to your customer success manager if a CVE that you are interested in isn’t in the Configure Risk Types page. However, before reaching out make sure that the “Show me all CVE Risk Types” toggle is enabled on the Configure Risk Types page. This shows all the CVEs that Censys is currently able to detect. In order to detect the CVE that you are interested in, Censys only has to add a fingerprint for the software the vulnerability is related to.
How do the new CVEs differ from the Rapid Response risks?
Rapid Response risks are special fingerprints that are added by Censys to notify you of high-visibility and new vulnerabilities. The new CVE feature checks all of the software that Censys detects against the NVD CVE database. If the software is detected, Censys ASM automatically attributes the CVE for that software to the asset.
How is the CVE list maintained?
The CVE list is not manually maintained. If software is detected in Censys ASM, that software is automatically checked for any CVEs. This means that when new software is fingerprinted by Censys, all CVEs related to that software are automatically added as new risk types.
Is there a filter for just Rapid Response risks?
There is no filter for rapid response risks at the moment, but if this is an idea of interest, let your customer success manager know.
How quickly are CVEs added to the platform?
CVEs are automatically added to the platform if Censys is able to detect the software that the CVE is related to. Censys software and CVE detection is also dependent on the attack surface refresh. As the attack surface is updated, Censys will programmatically check for new CVEs.
Is there a confidence level for the CVE risks?
There is no confidence level for CVE risks. However, all CVE detections are based on exact software version matches. This means that if Censys detects software version 1.2.3 in the scan data, ASM will only check for CVEs that are associated with version 1.2.3 (not 1.x or 1.2.x).
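As an added illustration (not Censys code), the following Python models the rules this FAQ states for default filtering, vendor CVSS fallback, KEV severity and exact version matching. The product name, CVE ids and scores are constructed, and treating a KEV entry as passing the default filter through its forced critical severity is an assumption about how the default criteria combine.

```python
from dataclasses import dataclass
from typing import Optional
# Default filter described in the FAQ: High/Critical severity and the Network attack vector.
DEFAULT_SEVERITIES = {"high", "critical"}
DEFAULT_VECTORS = {"Network"}

@dataclass
class CveRecord:
    cve_id: str                  # constructed placeholder ids below, not real CVE numbers
    product: str
    version: str                 # the exact version the record applies to
    attack_vector: str           # "Network", "Network Adjacent", "Local Network" or "Physical"
    nvd_cvss: Optional[float] = None
    vendor_cvss: Optional[float] = None
    kev: bool = False            # listed in CISA's Known Exploited Vulnerabilities catalog

def cvss_severity(score: float) -> str:
    """Map a CVSS base score to its qualitative rating (CVSS v3 ranges)."""
    for floor, name in ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")):
        if score >= floor:
            return name
    return "none"

def censys_severity(rec: CveRecord) -> str:
    """FAQ rules: KEV forces critical; otherwise NVD CVSS, falling back to the vendor score."""
    if rec.kev:
        return "critical"
    score = rec.nvd_cvss if rec.nvd_cvss is not None else rec.vendor_cvss
    return cvss_severity(score) if score is not None else "unknown"

def risks_for_asset(detected, records, severities=DEFAULT_SEVERITIES, vectors=DEFAULT_VECTORS):
    """Return (cve_id, severity) for every enabled CVE whose product/version matches exactly."""
    installed = set(detected)
    risks = []
    for rec in records:
        if (rec.product, rec.version) not in installed:  # exact match only: no 1.x or 1.2.x
            continue
        sev = censys_severity(rec)
        if sev in severities and rec.attack_vector in vectors:
            risks.append((rec.cve_id, sev))
    return risks

# Constructed sample data: a fictional product "exampled" and placeholder CVE ids.
SAMPLE_RECORDS = [
    CveRecord("CVE-0000-0001", "exampled", "1.2.3", "Network", nvd_cvss=7.5),
    CveRecord("CVE-0000-0002", "exampled", "1.2.3", "Network", nvd_cvss=5.3, kev=True),
    CveRecord("CVE-0000-0003", "exampled", "1.2.3", "Local Network", nvd_cvss=9.8),
    CveRecord("CVE-0000-0004", "exampled", "1.2", "Network", nvd_cvss=9.8),
    CveRecord("CVE-0000-0005", "exampled", "1.2.3", "Network", vendor_cvss=9.1),
]
DETECTED = [("exampled", "1.2.3")]  # software/version fingerprinted on one asset
```

Widening `severities` or `vectors` in the call mirrors tuning the Configure CVEs page: the Local Network record only surfaces once that vector is enabled, and the version 1.2 record never matches a 1.2.3 detection.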
What new fields will be added to the API?
Censys is adding a new Software Grouping API endpoint that mirrors the software vulnerability grouping present in the UI. This means that you can fetch CVE data in the following hierarchy:
- Asset → Software related to the asset → CVEs related to the software
- Refer to the Censys API documentation for more information: https://app.censys.io/api-docs
Will these updates be reflected in our integrations?
CVE risks will automatically work in all integrations that use risks and risk events. However, the new software grouping API will not be included for the integrations for the time being.