Checking scan coverage and addressing any gaps

A vulnerability scan can only report on what it actually reached. Checking scan coverage means verifying that the scan visited every part of the application or system you intended to test, and identifying the areas it missed so they can be brought into scope. An area the scanner never requested is not clean, only untested; reviewing coverage and closing the gaps is what makes the scan results a reliable basis for your security assessment.

This document explains how to check scan coverage and what to do when coverage is not as expected.

Checking scan coverage

To check a scan’s coverage, examine the Scan Summary tab, the Site Structure tab, and the Scan Statistics tab. Each answers a different question:

  • Scan Summary Tab: The Scan Summary tab shows the scan parameters and the activities performed during the scan. Use it to confirm that the intended scope of the scan was fully covered. If the summary reveals that certain configurations or areas were not included, adjust the scan settings to address these gaps and rerun the scan as needed.
  • Site Structure Tab: The Site Structure tab lets you verify coverage by reviewing whether all parts of your target's structure were scanned. Expand the site structure tree and compare it against what you know the application contains; a section you expected to see but do not is a coverage gap, not evidence that the section is clean.
  • Scan Statistics Tab: The Scan Statistics tab offers a detailed breakdown of scan operations and of the URLs accessed during the scan, including how many requests each location received and how long the scanner spent there.

How to check scan coverage through the Scan Summary tab

  1. In Acunetix, select Scans from the left-side menu.
  2. Locate the scan you would like to review and click on the target to open it.
  3. The Scan Details page opens with the Scan Summary tab selected. Check that the scan parameters shown match the scope you intended to cover, then review the identified issues, their severities, and the detected vulnerabilities, the most vulnerable technologies, and the scan details provided.
  • Issues: Review the issues categorized by their severity levels. The Vulnerabilities tab provides a detailed examination of all detected vulnerabilities.
  • Most Vulnerable Technologies: Identify the most vulnerable technologies along with their current and latest version numbers. To mitigate risks associated with known vulnerabilities, Acunetix recommends updating outdated technologies to their latest versions.
  4. After reviewing these, refer to the concluding sections of this document for guidance on how to proceed when scan coverage is as expected, and what to do if it does not meet your expectations.

How to check scan coverage through the Site Structure tab

  1. In Acunetix, select Scans from the left-side menu.
  2. Locate the scan you would like to review and click on the target to open it.
  3. Select the Site Structure tab and ensure that the scan has covered all major sections of your application. Use the arrows to expand and collapse folders within the Site structure to check for vulnerabilities and their severity levels.
  4. If a vulnerability was detected, click on the items in the Site structure to open the Issue tab on the right for more information about the identified vulnerability. This allows you to assess which parts of your application need attention and address any security issues effectively.

Refer to the concluding sections of this document for guidance on how to proceed when scan coverage is as expected, as well as what steps to take if the scan coverage does not meet your expectations.

How to check scan coverage through the Scan Statistics tab

  1. In Acunetix, select Scans from the left-side menu.
  2. Locate the scan you would like to review and click on the target to open it.
  3. Select the Scan Statistics tab and review the Operations and Locations sections.
  • Operations: Verify whether key scanning operations, such as deep scans, framework-specific audits, or AcuSensor checks, were executed. Check the number of times each operation was performed to ensure adequate coverage; low run counts may indicate gaps in scanning for certain types of vulnerabilities. Compare the duration of each operation; extremely low durations may suggest that the scanner did not thoroughly analyze specific areas or configurations.
  • Locations: Confirm that all key parts of the target application, including login pages, APIs, directories, and subdomains, have been scanned. A location you expected that is absent from the list was never requested and is therefore untested. Review the number of requests made to each location: low request counts might point to insufficient scanning depth or to areas the scanner failed to access, and unusually short durations might indicate limited exploration or skipped sections. Static assets such as scripts and images legitimately receive few requests, so concentrate on application entry points such as forms and API endpoints.
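As an added example (not Acunetix code, and not tied to any Acunetix export format), the following script turns the Locations check described above into a repeatable comparison. It takes a constructed CSV in the shape of the Locations view and a constructed list of locations the application is known to expose, and reports what was never requested, what was reached only shallowly or briefly, what was requested outside the expected list, and which of the missing paths sit behind a login. The paths, thresholds, and protected-area prefixes are assumptions; replace them with your own route list and a real export.

```python
"""Coverage gap check over a scanner's per-location statistics.

Added example, not Acunetix code. Inputs are constructed: EXPECTED is a list of
locations the application is known to expose (sitemap, route table, or an
earlier full scan); SCANNED_CSV mimics the Scan Statistics > Locations view
(location, request count, duration in seconds). Thresholds are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Location:
    path: str
    requests: int
    duration_s: float


# Constructed sample of what the Locations section might list.
SCANNED_CSV = """\
location,requests,duration
https://app.example.test/,412,38.2
https://app.example.test/login,57,6.1
https://app.example.test/account/profile,3,0.4
https://app.example.test/api/v1/users,210,21.7
https://app.example.test/static/app.js,2,0.1
"""

# Constructed list of locations the application is known to expose.
EXPECTED = [
    "/", "/login", "/account/profile", "/account/settings",
    "/admin", "/api/v1/users", "/api/v1/orders",
]

# Constructed: path prefixes that are only reachable after logging in.
PROTECTED_PREFIXES = ("/account", "/admin")


def normalize(url_or_path: str) -> str:
    """Reduce a URL or path to a bare path; keep '/' but drop other trailing slashes."""
    path = urlsplit(url_or_path).path or "/"
    return path if path == "/" else path.rstrip("/")


def parse_locations(csv_text: str) -> list:
    """Read the constructed CSV into Location records with normalized paths."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [Location(normalize(r["location"]), int(r["requests"]), float(r["duration"]))
            for r in rows]


def coverage_report(expected, scanned, min_requests=10, min_duration_s=1.0):
    """Compare expected locations with what the scanner reported.

    missing:      expected but never requested, a genuine coverage gap
    shallow:      reached, but with fewer than min_requests requests
    brief:        reached, but the scanner spent under min_duration_s seconds there
    unexpected:   requested but not in the expected list (scope creep or new paths)
    behind_login: the subset of missing paths under a protected prefix, which
                  points at authentication rather than crawling as the cause
    """
    seen = {loc.path: loc for loc in scanned}
    have = set(seen)
    want = {normalize(p) for p in expected}
    missing = sorted(want - have)
    return {
        "coverage": len(want & have) / len(want) if want else 1.0,
        "missing": missing,
        "shallow": sorted(p for p in want & have if seen[p].requests < min_requests),
        "brief": sorted(p for p in want & have if seen[p].duration_s < min_duration_s),
        "unexpected": sorted(have - want),
        "behind_login": [p for p in missing if p.startswith(PROTECTED_PREFIXES)],
    }


if __name__ == "__main__":
    report = coverage_report(EXPECTED, parse_locations(SCANNED_CSV))
    print(f"coverage: {report['coverage']:.0%}")
    for key in ("missing", "behind_login", "shallow", "brief", "unexpected"):
        print(f"{key:13s} {report[key]}")
```

With the constructed data the report shows 4 of 7 expected locations reached; /account/settings and /admin are missing and both sit behind the login prefixes, so the first thing to check is the scan profile's authentication rather than the crawler; /account/profile was reached but with only 3 requests in 0.4 seconds, which is the "low request count, short duration" pattern the Locations view warns about; and /static/app.js was requested but is not in the expected list, which is harmless here but would flag out-of-scope hosts or paths on a real export.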

Scan coverage is as expected

If the scan coverage is as expected, move on to the results: use the detailed findings to evaluate the security posture of your application or system, prioritize remediation by the severity of the findings, and implement the necessary fixes. You can also refer to Reducing Scan Times to learn how to shorten the duration of scans.

Scan coverage is not as expected

If sections of the application are missing from the Site Structure tree or the Locations list, work through the following checks.

Check if authentication is required

Check whether your web application requires authentication. If it does, confirm that the login settings in the scan profile are correctly configured and actually work. A scanner that cannot log in, or whose session expires or is invalidated partway through the scan, silently skips every password-protected area, and those skipped areas appear as missing branches in the Site Structure tree rather than as errors. Verify that the configured login produces a valid session and that the session remains valid for the length of the scan; once it does, the scanner can reach all necessary parts of the application and the coverage gaps close. For more information, refer to our Scanning authenticated web assets documentation.
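The following script is an added example, not Acunetix code, of the check the paragraph above asks for. It starts a constructed stand-in for the target on localhost (a form login, a protected page, and a logout link) and verifies four things a scan profile's login sequence depends on: that an unauthenticated request to the protected page is refused, that the login returns a session cookie, that the cookie actually unlocks the protected page, and whether following the logout link ends the session. The paths, form field names, credentials, and cookie name are assumptions for the stand-in; to run it against a real application, pass its base URL, login path, credentials, and protected path to check_auth instead of starting the stand-in.

```python
"""Pre-scan check that the configured login really unlocks the protected area.
Added example, not Acunetix code. The target is a constructed stand-in served on
localhost; its paths, form field names, credentials and cookie name are assumptions."""
import http.cookies
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = set()                                      # stand-in's session store
VALID_LOGIN = {"user": "scanner", "pass": "s3cret"}   # constructed test account


class StandIn(BaseHTTPRequestHandler):
    """Constructed target: POST /login, GET /account/profile (needs a session), GET /logout."""

    def log_message(self, *args):   # silence per-request logging
        pass

    def _session(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        sid = jar["sid"].value if "sid" in jar else None
        return sid if sid in SESSIONS else None

    def _reply(self, code, body=b"", headers=()):
        self.send_response(code)
        for name, value in (*headers, ("Content-Type", "text/html"),
                            ("Content-Length", str(len(body)))):
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/account/profile":
            if self._session():
                self._reply(200, b"<h1>Profile</h1><a href='/logout'>Log out</a>")
            else:
                self._reply(302, headers=[("Location", "/login")])
        elif self.path == "/logout":
            SESSIONS.discard(self._session())   # crawling this link ends the session
            self._reply(302, headers=[("Location", "/login")])
        else:
            self._reply(200, b"<form method='post' action='/login'></form>")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if self.path == "/login" and {k: v[0] for k, v in form.items()} == VALID_LOGIN:
            sid = secrets.token_hex(8)
            SESSIONS.add(sid)
            self._reply(302, headers=[("Location", "/account/profile"),
                                      ("Set-Cookie", f"sid={sid}; HttpOnly; Path=/")])
        else:
            self._reply(401, b"bad credentials")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):   # surface 3xx instead of following
        return None


def fetch(url, cookie=None, data=None):
    """One request without following redirects; returns (status, headers, body)."""
    req = urllib.request.Request(url, data=data)
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=5) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:   # 3xx and 4xx land here
        return err.code, err.headers, err.read()


def check_auth(base, login_path, credentials, protected_path, logout_path=None):
    """Reproduce what the scan profile's login sequence has to achieve."""
    result = {}
    # 1. Without a session the protected page must be refused; otherwise full
    #    "coverage" of it says nothing about the authenticated view.
    status, _, _ = fetch(base + protected_path)
    result["anon_blocked"] = status in (301, 302, 303, 307, 308, 401, 403)
    # 2. Submitting the login form must hand back a session cookie.
    _, headers, _ = fetch(base + login_path, data=urllib.parse.urlencode(credentials).encode())
    jar = http.cookies.SimpleCookie()
    for line in headers.get_all("Set-Cookie") or []:
        jar.load(line)
    cookie = "; ".join(f"{name}={m.value}" for name, m in jar.items())
    result["login_set_cookie"] = bool(cookie)
    # 3. That cookie must actually unlock the protected page.
    status, _, _ = fetch(base + protected_path, cookie=cookie)
    result["session_unlocks"] = status == 200
    # 4. If following the logout link kills the session, the scanner will log
    #    itself out mid-scan unless that URL is excluded from the crawl.
    if logout_path:
        fetch(base + logout_path, cookie=cookie)
        status, _, _ = fetch(base + protected_path, cookie=cookie)
        result["logout_kills_session"] = status != 200
    return result


def start_stand_in():
    """Serve the stand-in on a free localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), StandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, base = start_stand_in()
    print(check_auth(base, "/login", VALID_LOGIN, "/account/profile", "/logout"))
    server.shutdown()
```

Run it before the authenticated scan and read the result as a checklist: anon_blocked False means the "protected" page is public, so full coverage of it proves nothing about the authenticated view; login_set_cookie or session_unlocks False means the scan profile's login will not get past the form and every page behind it will be missing from the Site Structure tree; logout_kills_session True means the logout URL has to be excluded from the crawl, or the scanner will log itself out partway through and the rest of the authenticated area will show up as a gap.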

Create a Business Logic Recording

When coverage is not as expected, the cause may be a missing or incorrect sequence of events required to navigate from point A to point B within the application, for example a multi-step checkout or a wizard where each page is only reachable after the previous step has been completed. A crawler that requests such pages out of order never sees them. To address this, create a Business Logic Recording (BLR) that captures the required interactions and guides the scanner through them. For detailed instructions, refer to Introduction to the Acunetix standalone Login Sequence Recorder.
