Phoenix Security Features – July 2023 – Application Security & Vulnerability Management Improvement

The Cloud Security and AppSec teams at Phoenix Security are pleased to bring you another set of new Phoenix Security features and improvements for vulnerability management across application and cloud security engines. This release builds on top of previous releases with key additions and progress across multiple areas of the platform.

We are sure that you’ll find these quite interesting!

  • Improved Management your Vulnerabilities and Assets
    • Display “Closed” vulnerabilities list page
    • Display vulnerability stats in Asset screens
    • Override asset exposure for whole Apps/Envs
  • Risk-based Posture Management
    • Update risk formula structure
  • Integrations
    • Configure “vulnerability types” fetched from SonarCloud/SonarQube
    • Users can manually trigger a “scanner refresh”
    • Update Jira tickets when the associated vulnerability is closed
  • Other Improvements
    • Handle large number of items in Treemap chart
    • Improved scanner flow: don’t fetch targets until needed
    • Improved performance of MTTR queries

Please note: The features discussed in this article will be released on Monday August 21th.

There will be a small but noticeable variation fo the risk score as there are new parameters like fixability, exploitability and adjusted likelihood of exploitation introduced in this release. The more noticeable change would be at Asset level.

Users would notice a change in the vulnerability risks and those aggregated up to the Organisational risk.

Manage your Vulnerabilities and Assets across application security and cloud security.

Display “Closed” vulnerabilities list page

Phoenix Security’s primary focus is on the management of active Infra, Cloud and AppSec vulnerabilities and the assets affected by them. Nonetheless, during their day-to-day activities, security experts and engineers might need to look back at the vulnerabilities already closed.

This information has always been available in Phoenix amongst the statistical data present by the platform. However, users can now display closed vulnerabilities with the active ones in the Vulnerabilities screen.

This screen now features new controls to select which type of vulnerability should be displayed: Open, Closed or both.

Display vulnerability stats in Asset screens

At Phoenix Security, we are always looking to make our user’s life easier. Providing relevant information about assets and vulnerabilities in the right context is one of the ways we do this.

With this release, users can now see a summary of vulnerability information at the top of any Assets pages. These stats are calculated for the set of assets selected by the current filters, if any, which provides a powerful tool to dynamically analyse vulnerability and risk profiles across different sets of assets.

In a follow-up release we will include additional information (e.g. asset stats) and extend this feature to the Vulnerabilities screen.

Override asset exposure for whole Apps/Envs

Phoenix Security features a powerful and flexible way to define asset exposure (internal/external/DMZ) by using filtering rules that identify each type of asset. This allows our users to create precise rules to define each asset’s exposure.

However, sometimes an organisation needs to define the exposure of the assets of an entire Application or Environment. This is now easier than ever with the new App/Env filter option within Policy > Context Rules.

Risk-based Posture Management

Update risk formula structure

Over the past year, we have been working with our clients and advisors to ensure that the Phoenix platform’s risk calculation correlates with the expectations of security specialists and supports our clients’ workflows.

As a result of this analysis, we are making several improvements to the way vulnerability risk is calculated and how it gets aggregated at the Asset, Component and Application level. All these changes will be shortly reflected in our Risk Calculation article, but the key highlights are:

  • We have increased the number of parameters that feed into the vulnerability risk calculation and adjusted their ranges and weights. These changes ensure that our contextualised vulnerability risk better reflects the factors that influence it.
  • Most of the contextual factors are now applied at the vulnerability and asset level, even when the context is defined by the components and applications that those assets belong to. This removes any potential double correction and makes the logic of the risk aggregation more straightforward.
  • Now both Applications and Environments get their risk directly from the assets they contain, not from any intermediate asset grouping (e.g. Components). This eliminates the “averaging” effect that intermediate groups can have, and ensures that assets assigned to multiple Components (coming soon) do not “double count” when aggregated at the Application/Environment level.

User would notice a change in the vulnerability risks and those aggregated up to the Organisational risk.


Configure “vulnerability types” fetched from SonarCloud/SonarQube

Some scanners, like SonarCloud and SonarQube, provide access to different types of “findings” through their APIs – e.g. Vuln, Bug, Code Smell. However, in many cases, some of these types of findings are not really relevant for vulnerability management activities since they are more about best practices and lints than actual vulnerabilities.

Our users can now choose which type of finding is retrieved through our integrations with ConarCloud and SonarQube by selecting the desired types in the scanner integration configuration.

Users can manually trigger a “scanner refresh”

One of the key advantages of the Phoenix platform is its configure-and-forget approach to scanner data retrieval. Once the integration with a scanner has been configured, the platform periodically fetches updated findings.

Some times, however, users want to trigger a scanner data refresh at a particular point in time, without waiting for the platform to get to the next interaction with the scanner. This is now possible by using the refresh button at the top of the scanner configuration screen (see screenshot above).

Update Jira tickets when the associated vulnerability is closed

One of the key strengths of the Phoenix Security platform is its “actionability”. It allows users not only to gather, contextualise and track assets and vulnerabilities but to trigger actions across the wider team by creating issue tickets in their platform of choice.

With this release we are taking our Jira integration one step further, by ensuring that tickets created for vulnerabilities get closed in Jira when those vulnerabilities are closed in Phoenix. At this point the platform will update the ticket with a comment indicating that the vulnerability has been closed and will change the ticket status to Done.

Other Improvements

Handle large number of items in Treemap chart

Sometimes, when navigating the Impact Explorer chart (treemap), we can loose clarity of details if there are many items in the current level. This tend to happen more easily while navigating populous Components or Services.

In this iteration we have improved this situation by only displaying the top 50 items of any level, and showing an extra block that represents the rest of the items, not displayed.

Improved scanner flow: don’t fetch targets until needed

Phoenix Security’s scanner configuration functionality provides great control over what is fetched from the scanner. In order to do this, the platform needs to interact with the scanner to obtain up-to-date information about the structure of what’s being scanned (targets).

In our continuos effort to improve usability and user experience we have reviewed the configuration flow to minimise interactions with the scanner, hence improving responsiveness.

Improved performance of MTTR queries

Mean Time To Resolution (MTTR) is a key metric that can take some time to gather in certain scenarios. This can cause the chart to remain empty for some seconds, even after the rest of the page has been rendered. We have now reviewed the associated queries and calculation to minimise the more extreme cases’ impact and provide a smoother user experience.

Get an overview of your asset lineage

Alfonso brings experience running international teams for multi-million dollar, technologically advanced projects for Telefónica, IBM and Vodafone. Alfonso joins with two decades of experience working for tech leaders, including at Dell EMC, Yahoo! and Intershop.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Explore ASPM’s role in modern application security, offering a panoramic view that extends beyond code vulnerabilities. This guide demystifies concepts like traceability, reachability analysis, and asset lineage, pivotal for securing digital assets. Learn how ASPM empowers organizations with actionable insights for precise vulnerability management. #Cybersecurity #ASPM #ApplicationSecurity
Francesco Cipollone
Explore the transformative role of ASPM in cybersecurity. Uncover how Application Security Posture Management aligns business and security objectives for effective vulnerability management and risk reduction. Discover Phoenix Security’s innovative approach to tackling the staggering challenge of CVEs with a strategic focus on prioritization. #ASPM #Cybersecurity #VulnerabilityManagement
Francesco Cipollone
Explore the critical insights into the latest container security vulnerabilities named leaky vessels, including CVE-2024-21626, CVE-2024-23651, CVE-2024-23653, and CVE-2024-23652, BuildKit flaws, with our comprehensive guide on mitigation strategies, best practices for application security, and tips for robust vulnerability management in Docker and Kubernetes environments. Stay ahead in securing your container deployments against potential threats with ASPM help
Francesco Cipollone

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris Romeo

Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.