AppCheck is primarily a vulnerability scanner: its results are largely issue-based, with each result mapping to an actual (or suspected/probable) security vulnerability. As a general approach, AppCheck therefore reports only on security vulnerabilities, not on all information found during scanning. AppCheck performs thousands of checks during a scan, but typically processes and filters out information that is not directly related to vulnerabilities that are present, to provide a focused result set that is easier to understand and that guides remediation efforts (though this is configurable to some degree for individual scans).
Can AppCheck report on missing patches?
Yes, but only (typically) if they are believed to represent a security vulnerability. If the AppCheck scanner is given sufficient access privileges to inspect a given system (see details below), then, where a missing patch represents a security vulnerability, the security vulnerability that exists as a result of the patch not being installed will be reported. The patch recommended to be applied to resolve the vulnerability will typically be listed in the remediation guidance for the vulnerability. Additional mitigations may also be listed (e.g. configuration adjustments, or firewalling off ports), where effective.
Will AppCheck report on ALL missing patches?
No. AppCheck does not provide informational reports at this time on all software installed on a host. It is also important to understand that a standard "network" vulnerability scan using a default configuration does not have access to the target system natively: it can report only on software that is exposed across the network (such as webserver software like Apache or IIS) and cannot "see" host-level libraries and local, non-network-facing services that the host does not expose on the network. It is possible to set up credentialed infrastructure scanning to give AppCheck authenticated access to targeted servers, in which case these local libraries and software can also be interrogated, for greater insight into missing patches.
Missing patches will therefore only be reported if they meet all of the criteria below:
- The patch is missing on a host to which AppCheck has command-execution access privilege; AND
- The patch in question is for software that AppCheck has entries for in its database (e.g. common software such as Microsoft IIS, not necessarily all or more esoteric software); AND
- There is a published CVE against the installed (unpatched) software version.
How can I report on vulnerabilities that exist as a result of missing patches?
To report on vulnerable software versions as outlined above, it is important that criterion (1) above is met. To do this, it is necessary to set up credentialed infrastructure scanning via a deployed internal scan hub. See the following articles or contact your account manager for further detail: