
Understanding Security Findings

Learn to interpret CortexEDR security findings effectively. Understand vulnerability patterns, risk assessment, and how to prioritize remediation efforts for maximum security impact.

🔍 Common Vulnerability Patterns

Injection Attacks

SQL Injection

Malicious SQL code execution through user input. Most common web vulnerability.

Impact: Data theft, modification, deletion

Command Injection

System command execution through unsanitized input.

Impact: Server compromise, lateral movement

Authentication Issues

Broken Authentication

Flawed session management or credential handling.

Impact: Account takeover, data breach

Weak Password Policies

Insufficient password requirements or enforcement.

Impact: Brute force attacks, credential stuffing

📊 Severity Assessment Framework

Risk Scoring Methodology

9.0-10.0: Critical. Immediate action required
7.0-8.9: High. Fix within 30 days
4.0-6.9: Medium. Fix within 90 days

Impact Factors

Data Exposure: High Impact
System Compromise: High Impact
Service Disruption: Medium Impact
Information Leakage: Low Impact

Exploitability Factors

Remote Code Execution: High Risk
No Authentication Required: High Risk
Complex Attack Vector: Low Risk
Requires Special Access: Low Risk

🏷️ CWE Classification System

Common Weakness Enumeration (CWE) provides a standardized way to categorize software weaknesses. Understanding CWE IDs helps prioritize remediation based on industry standards.

Critical CWE Categories

CWE-79 (Critical): Cross-site Scripting (XSS)
CWE-89 (Critical): SQL Injection
CWE-287 (High): Improper Authentication

Common CWE Patterns

CWE-200 (Info Leak): Information Exposure
CWE-400 (DoS): Uncontrolled Resource Consumption
CWE-502 (Deserialization): Deserialization of Untrusted Data

🎯 Distinguishing Real Issues from False Positives

✅ Likely Real Issues

Direct User Input

Code that directly uses unsanitized user input in SQL queries, HTML output, or system commands.

Known Vulnerable Patterns

Code that matches well-known vulnerable patterns from security databases.

Privilege Escalation

Code that allows unauthorized access to sensitive resources or functions.

⚠️ Potential False Positives

Sanitized Input

Input that has been properly validated, escaped, or parameterized.

Internal/Trusted Data

Data from internal systems or trusted sources that cannot be manipulated by users.

Dead/Test Code

Code that is unreachable, in test files, or not deployed to production.

Verification Checklist

For SQL Injection Findings:

  • Is input parameterized?
  • Are prepared statements used?
  • Is input properly escaped?
  • Is user input validated?

For XSS Findings:

  • Is output properly escaped?
  • Is Content Security Policy set?
  • Is input sanitized?
  • Are templates secure?

🎯 Remediation Prioritization Strategy

Priority Matrix

Impact             High Exploitability     Medium Exploitability   Low Exploitability
Critical Impact    P0 - Fix Immediately    P0 - Fix Immediately    P1 - Fix This Sprint
High Impact        P1 - Fix This Sprint    P2 - Fix Next Sprint    P3 - Plan for Later
Medium Impact      P2 - Fix Next Sprint    P3 - Plan for Later     P4 - Technical Debt

P0 - Critical

Active exploitation possible. Fix immediately, potentially deploy out-of-band.

P1 - High

High-risk vulnerabilities. Include in current sprint planning.

P2 - Medium

Moderate risk issues. Plan for next sprint or release cycle.

Risk Assessment

Likelihood: High
Impact: Critical
Overall Risk: Critical

Common CWE IDs

CWE-79: XSS
CWE-89: SQL Injection
CWE-287: Auth Issues
CWE-200: Info Leak

Investigation Steps

1. Review the finding details
2. Understand the attack vector
3. Check for existing mitigations
4. Assess exploitability
5. Determine remediation priority