About Things
In the Veracode EASM platform, Things refer to the various known or unknown assets exposed to the internet, as identified during EASM scans. These represent the components of an organization’s potential cybersecurity threat surface.
Once discovered, all Things are stored in a graph dataset. A set of insights is then generated using a combination of rules, analytics, and AI.
Each discovered Thing is categorized by risk severity, business context, and potential vulnerability exploitability. This enables prioritization of remediation efforts on the most critical threats.
You can view Things in the Dashboard.
The following table lists the available Things.
| Things | Description |
|---|---|
| Applications | Any software exposed on the internet, such as web applications, SSH servers, databases, and more. |
| API Endpoints | Any URIs callable by a program that return a result. Also referred to as web services. |
| Certificates | SSL/TLS certificates that assert a digital entity's identity. |
| Cookies | Retained user information stored by web applications. |
| Domains | Internet domain names as described in WHOIS records. |
| FQDNs | Complete, specific, and unambiguous addresses of websites, servers, or online resources. |
| Headers | Information attached to a digital asset, including metadata such as creation date or file type. |
| Inputs | Web application fields designed to receive user-entered data. |
| IPs | Numeric labels assigned to web-connected entities and identified as part of the attack surface. |
| IP Ranges | Groups of IP addresses sharing the same network prefix and belonging to the targeted organization. |
| Mobile Apps | Applications installed on mobile endpoints used by the organization. |
| Scripts | JavaScript locations, displayed as URIs. |
| Script Variants | JavaScript code instances identified by checksum. A script variant is linked to either a script (from a URI) or a URL (inline script). |
| Software Components | Distributed software entities offering specific services through well-defined interfaces. |
| SSL Services | Identified SSL servers, each of which may support multiple HTTPS web applications. |
| Supplier Connections | Evidence of digital proximity to known suppliers. A supplier is a third-party company. These connections are used to construct the supply chain. |
| URLs | Uniform Resource Locators used by browsers to retrieve web resources (e.g., HTML pages, CSS, images). |
| Vulnerabilities | Potential points of security weakness, often identified through integration with third-party tools. |
Application view
When you open the Things page in your dashboard, the Application view appears. This view displays a comprehensive list of all discovered applications, including details such as status and risk level. It effectively serves as a configuration management database (CMDB) for applications. By default, the view shows all discovered applications. To focus on the table view, you can minimize the left-hand panel for a clearer and more detailed overview of your applications.
Each discovered application is described using a set of key fields. There are over 20 fields in total, including the following:
- Name: the FQDN, or the IP address if the application is directly reachable by IP. The FQDN includes the subdomain and top-level domain.
- Port: the port number on which the application is running.
- Risk level: a calculated value based on identified hygiene issues.
- Status: indicates whether the application is online, offline, or inaccessible.
- Server technology and main technology: the technologies used to serve and operate the application.
Filter applications
The Things View includes powerful filtering capabilities to help you focus on specific subsets of applications.
You can apply filters based on the following criteria:
- Risk grade: view only high-risk applications to prioritize remediation efforts.
- Status: filter applications by their status (for example, online or offline).
- Server type: narrow the view to applications using specific technologies.
- Attack Surface Score: prioritize applications with the highest exposure. A higher score indicates greater exposure.
Understanding the Attack Surface Score
The Attack Surface Score is calculated using an algorithm that considers the following seven key vectors. These vectors help determine the level of exposure for each application and support the prioritization of security measures.
- Security mechanisms: identifies whether the application uses HTTP, HTTPS, or a combination of both.
- Page creation method: assesses whether the application is built using server-side, client-side, or mixed technologies.
- Degree of distribution: evaluates the number of pages and external or internal connections associated with the application.
- Authentication: detects the presence of login or authentication mechanisms.
- Input vectors: identifies whether the application includes input fields, such as forms, for user interaction.
- Active content: determines the use of internal, external, or embedded scripts.
- Cookies: measures the number of cookies used by the application.
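As an illustration of what these vectors mean in practice, the following added Python example (not Veracode's code; the platform's scoring algorithm and its weights are not published on this page, so no score is computed) extracts the observable indicators behind six of the seven vectors from one constructed HTTP response. The page creation method vector is omitted because it cannot be judged from a single response. The sample URL, headers, and HTML body are constructed for the example, and treating a password field as the sign of an authentication mechanism is an assumption.

```python
"""Extract Attack-Surface-Score-style exposure indicators from one HTTP response.
Added example, not Veracode EASM code; reports raw indicators only, no score."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample response (URL, headers, body are all made up for this example).
SAMPLE_URL = "https://app.example.test/login"
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark"),
]
SAMPLE_BODY = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Sign in">
</form>
<a href="/help">Help</a>
<a href="https://status.example.test/">Status</a>
<a href="https://cdn.partner.example/">Partner</a>
<script src="/static/app.js"></script>
<script src="https://cdn.partner.example/widget.js"></script>
<script>window.flag = 1;</script>
</body></html>
"""


class ExposureParser(HTMLParser):
    """Counts input fields, scripts (internal/external/embedded) and links (internal/external)."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.forms = 0
        self.inputs = 0
        self.password_fields = 0
        self.scripts = {"internal": 0, "external": 0, "embedded": 0}
        self.links = {"internal": 0, "external": 0}

    def _is_internal(self, url):
        # Relative URLs and URLs on the page's own host count as internal.
        host = urlparse(url).hostname
        return host is None or host == self.page_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms += 1
        elif tag in ("input", "textarea", "select"):
            kind = (a.get("type") or "text").lower()
            # Buttons and hidden fields do not receive user-entered data.
            if kind not in ("submit", "button", "hidden"):
                self.inputs += 1
            if kind == "password":  # assumption: a password field signals a login mechanism
                self.password_fields += 1
        elif tag == "a" and a.get("href"):
            self.links["internal" if self._is_internal(a["href"]) else "external"] += 1
        elif tag == "script":
            src = a.get("src")
            if src is None:
                self.scripts["embedded"] += 1
            elif self._is_internal(src):
                self.scripts["internal"] += 1
            else:
                self.scripts["external"] += 1


def exposure_vectors(url, headers, body):
    """Return the per-response indicators behind six of the seven vectors."""
    parsed = urlparse(url)
    p = ExposureParser(parsed.hostname)
    p.feed(body)
    p.close()
    cookies = sum(1 for name, _ in headers if name.lower() == "set-cookie")
    return {
        # An application-level view would merge the scheme across all its pages.
        "security_mechanism": parsed.scheme.upper(),
        "authentication": p.password_fields > 0,
        "input_vectors": {"forms": p.forms, "fields": p.inputs},
        "active_content": dict(p.scripts),
        "degree_of_distribution": dict(p.links),
        "cookies": cookies,
    }


if __name__ == "__main__":
    for key, value in exposure_vectors(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY).items():
        print(f"{key}: {value}")
```

Run against a real crawl, the same indicators would be aggregated per application rather than per page; the point here is only to make each vector concrete and auditable before any weighting is applied.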
Advanced features in Application View
The Things or Application View includes several advanced features that provide deeper insights and support informed decision-making:
- Security Onboarding: enables you to assign security programs to an application, such as manual penetration testing or automated dynamic application scanning. These can be run by a Managed Security Service Provider (MSSP), third-party vendor, or internal security team.
- Ownership: displays the owner of the application for accountability and communication purposes.
- Business Criticality: allows you to assign a business impact level (low, medium, or high) to each application, helping prioritize remediation efforts.
- Update Frequency: tracks how frequently the application is updated, aiding in risk assessment and resource planning.
- Manual Complexity: lets you rate the complexity of managing an application. When defined, this rating can override the attack surface score in determining security program recommendations.
- Program Recommendation: suggests optimal scanning and assessment methods for each application. This recommendation is based on a combination of automated metrics (e.g., risk score) and user-defined inputs.
- Tags: enables the categorization of applications using system-generated or custom tags, allowing for more efficient filtering and grouping.
Additional Insights in the Things View
Understanding the status and composition of discovered applications helps you respond effectively and reduce potential risks. The Things View provides the following additional details to support prioritization and decision-making:
- Need Action: Indicates applications that require attention. You can filter this column by action type (Fix, Protect, or Remove) to help guide remediation and risk reduction efforts.
- CNAME: Displays Canonical Name (CNAME) records, which help identify where an application is hosted or what it is linked to. This can reveal whether the application points to a third-party service or another domain within your infrastructure.
- Category: Identifies the specific type of application or service. This column is populated based on scan parameters and can include the following:
  - Web Application: An application running on HTTP or HTTPS.
  - Web Server Default Page: A misconfigured server displaying a default page (e.g., IIS, NGINX).
  - Third Party: A known industry solution instance running on an FQDN associated with your organization.
  - Domain For Sale: A responsive FQDN running on a parked domain name.
  - URI: A responsive web endpoint that returns only blank pages, typically suspected to be a web service.
  - DB: A database port exposed to the internet.
  - DNS: A DNS server exposed to the internet.
  - File Sharing: A file-sharing service (e.g., FTP) exposed to the internet.
  - Mail Service: A mail service (e.g., IMAP) exposed to the internet.
  - Protocol: Exposed ports for services such as LDAP, NTP, or NetBIOS.
  - Remote Access: Remote access services such as RDP or SSH exposed to the internet.
  - WAF: A Web Application Firewall responding from an FQDN instead of a web application.
- Detail: Provides specific information about what has been discovered for each application.
Scan criticality (vulnerability scanning)
Scan criticality refers to the assessment phase of application security and helps prioritize scans based on the application's risk level or importance.
The possible values for scan criticality are:
- No: the application has not been onboarded to any security program. No vulnerability assessment has been performed.
- Safe: a vulnerability assessment has been conducted and no vulnerabilities were detected.
- Low, Medium, High: a vulnerability assessment has been completed. These values indicate the severity of the most critical vulnerability identified: