Run-time vulnerabilities

The Runtime vulnerabilities tab continuously scans applications to detect security weaknesses and potential threats. It displays a vulnerability list that helps you to prioritize remediation efforts based on risk severity. This tab integrates with existing workflows to enable proactive security management and reduce the attack surface effectively.

The vulnerability list is sorted by the Status column by default. Columns in the table:

• CVE title: The category of security weakness detected, based on industry-standard CWE classifications. Examples include input validation errors, memory safety issues, and API misuse.

• CVE ID: A unique alphanumeric identifier assigned to a single, publicly disclosed cybersecurity vulnerability. Maintained by the Common Vulnerabilities and Exposures (CVE) program, this ID allows organizations to unambiguously identify and track a specific vulnerability across different security tools and databases. The format is typically "CVE-YYYY-NNNNN," where YYYY is the year of disclosure.

• CVSS Score: The Common Vulnerability Scoring System (CVSS) score is a numeric value from 0.0 to 10.0 that represents the severity of a vulnerability. This open industry standard helps organizations assess and prioritize remediation efforts based on principal characteristics like exploitability and potential impact. A higher score indicates a more severe vulnerability.

• Cisco Security Risk Score: A proprietary metric that provides a more contextualized assessment of a vulnerability's risk to a specific environment. It often combines the base CVSS score with real-world threat intelligence, such as the availability of a public exploit or observed malicious activity. This helps prioritize vulnerabilities that pose the most immediate and relevant threat to an organization. See also: Cisco Vulnerability Management.

• Status: Current state of the vulnerability:

  • Detected (at least one vulnerability is detected in the library)

  • Confirmed (library is reviewed)

  • Fixed (library is fixed)

  • Ignored (not a library)

  • Not Vulnerable (no vulnerabilities are found in the library)

• Environment: The value you specified in the Secure Application JVM agent's otel.resource.attributes parameter or in the OTEL_RESOURCE_ATTRIBUTE environment variable.

• Service: The value you specified in the Secure Application JVM agent's otel.resource.attributes parameter or in the OTEL_RESOURCE_ATTRIBUTE environment variable.

• Library: Name of the library.

• Last detected

• Recommended action: Any remediation that is available for the library.

Libraries

The Libraries tab provides a list of all libraries that are in use by the corresponding applications. This page highlights the vulnerabilities and associated risks introduced by the use of those libraries. You can filter libraries by Status, CVSS Score, and Security Risk.

Columns in the list of libraries:

• Library: Name of the library.

• Environment: See Run-time vulnerabilities.

• Service: See Run-time vulnerabilities.

• CVSS Score: See Run-time vulnerabilities.

• Cisco Security Risk Score: See Run-time vulnerabilities.

• Associated vulnerabilities

• Status: Current state of the library (confirmed, detected, downgraded, fixed, ignored, not vulnerable, removed, upgraded).

• Recommended action: Any remediation that is available for the library.

Notifications

The Notifications tab allows you to configure HTTP-based alerts for when Secure Application detects new vulnerabilities.

Set up notifications for vulnerabilities

1. Select Application Security > Notifications tab > Create notification rule.

2. Specify settings for the new rule:

   • Rule name: Name of the rule
   • URL: Endpoint of your choosing
   • Bearer token: Authorization: Bearer header value (token) of your choosing
   • Environment: List of allowed services as a filter. Optional.
   • Service: List of allowed environments as a filter. Optional.
3. Click Activate.