Some components, such as Apache, use backporting to implement security patches. Backporting is a method where security patches or bug fixes from newer versions of a software component are applied to older versions. This approach ensures that the older version remains secure without the need to upgrade to the latest version, which might not be compatible with other parts of the system.

When your scan detects a component, such as Apache, through a web request to a web service it is hosting, the header provided by the server will contain the original version that was installed but will not state the security patches that have been installed. The scan will then look up any vulnerabilities for the found software header, irrespective of whether the security updates have been applied. A backport resolvable risk is a risk that is resolvable by backported security patches.

By default, backport resolvable risks are labeled and included in your scan results. However, you have the option to exclude them in your 

 within the scan menu, provided you have the group role of editor or above. When you change this setting, risk results will be immediately updated but Actions and Checks are recalculated and may take a few seconds to update in the app.

Hexiosec ASM currently provides management options for Apache backport resolveable risks.  

If you are confident that a risk has been resolved by backporting for a different type of component (e.g. nginx), then you can choose to ignore these risks from the Risks page and they won't appear in future scans or influence the scan scores. 

Should I include backport resolvable risks in my scan?

If you have access to the detected components with backport resolvable risks and can confirm that the security patches have been applied, you may want to exclude these risks from your scan. If you do not have access to the detected components, it is advisable to keep them included in your scan, until you have verified that the security patches have been installed.

By default, scans will include these risks. However, if you prefer to have them excluded by default, please contact us at 

TLS Certificate Risks

Backport Resolvable Risks

Risk Severity Ratings

Hexiosec ASM

Hexiosec ASM (Public)

Organisation and Group Roles

Using Groups

MFA and session expiry

Password Policy

Changing email address

Changing ownership

User and Group Management

Scan Types

Scan Allowances

Seeds and IPs

Scan Limiting

Deleting Scans

Scan Notifications

Managing Scans

Report Terminology

Scan Reports

Health Scores

Managing Actions

SPF Hard Fail risks

Managing Risks

Managing Domains

Graph view

Managing CDNs and Shared IPs

Creating a scan using the API

Paginating the API Requests

Using the Public API

Hexiosec ASM mobile

Upgrade Recommendations

Contacting Support

User Guides

I've changed the device I use for MFA

I've accepted an invite, why can't I see anything?

I don't think this vulnerability applies to me?

Why has my scan not updated after I've made a fix?

Why is my IP's geographic location not showing, or incorrect?

Will Hexiosec ASM find Malware?

What is out of scope?

What is a Stale domain?

Can I run scans without permission?

What happens when I delete a scan?

Will the latest CVE be found?

What version is Hexiosec ASM?

Which SSO protocols does ASM support?

FAQs

MSP Specific Guidance