Oftentimes, people are not aware of all the assets (web apps and APIs) their organization has, which leads them to overlook their vulnerabilities and inadvertently have them (and the organization) exposed to potential cyber-attacks. With the Snyk API & Web Asset Discovery, you have a way of identifying your company’s assets so that you can effectively protect them before they become a liability.
How does the Snyk API & Web Asset Discovery work?
This is a common question, and here we will give you an idea of what Snyk API & Web does behind the scenes when performing asset discovery.
The first thing we do is find the domains and sub-domains through the following techniques:
Cloudflare / AWS / Akamai
Snyk API & Web connects to your configured cloud providers to help you discover your web assets. The type of assets Snyk API & Web accesses depends on the provider you have configured. If you have a Cloudflare or Amazon Web Services (AWS) connection configured in your account, Snyk API & Web connects to it to select the configured DNS zones and then the domains/sub-domains from those zones.
If you have an Akamai connection configured, Snyk API & Web connects to it to obtain the configured APIs and domains.
Certificate Transparency
This is an Internet security standard for monitoring and auditing the issuance of digital certificates. Snyk API & Web searches Certificate Transparency to obtain and identify more domains.
Domain Guessing
At this stage, Snyk API & Web makes informed guesses about possible domains based on the ones that are already known. For example, if we have www.example.com, we can try admin.example.com or api.example.com.
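The domain-gathering stage above pulls names from several sources (cloud DNS zones, Certificate Transparency) that use different shapes and casing, contain wildcard entries and may include names outside the zones you actually own. The following added example (not Snyk's code) shows how such raw records can be normalized into one in-scope hostname inventory. The record layouts, field names (name_value, type, name) and the sample data are constructed assumptions for illustration, not any provider's or CT log's real API format.

```python
"""Normalize hostnames gathered from several discovery sources into one
inventory of in-scope candidate assets.

Added example, not Snyk's own code. Record shapes and sample data below are
constructed assumptions, not a real provider or CT-log API format."""
import re
from typing import Dict, Iterable, List, Optional, Set

# Hostname labels per RFC 1123: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_hostname(name: str) -> Optional[str]:
    """Lower-case the name and strip whitespace and the trailing dot.
    Wildcard and malformed names are rejected: they cannot be resolved or
    scanned as concrete assets."""
    name = name.strip().lower().rstrip(".")
    if not name or name.startswith("*."):
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
        return None
    return name


def in_scope(name: str, zones: Iterable[str]) -> bool:
    """True if name is a zone apex or a sub-domain of one of the configured zones.
    The leading dot prevents 'notexample.com' matching zone 'example.com'."""
    return any(name == z or name.endswith("." + z) for z in zones)


def domains_from_ct(records: List[Dict[str, str]]) -> Set[str]:
    """Extract hostnames from CT-style records. Assumes (constructed format)
    each record carries a newline-separated 'name_value' field listing the
    certificate's subject names."""
    found: Set[str] = set()
    for rec in records:
        for raw in rec.get("name_value", "").split("\n"):
            host = normalize_hostname(raw)
            if host:
                found.add(host)
    return found


def domains_from_dns_zone(records: List[Dict[str, str]]) -> Set[str]:
    """Extract hostnames from DNS zone records. Only A/AAAA/CNAME names are
    candidate web assets; MX/TXT/etc. do not point at something served over HTTP."""
    found: Set[str] = set()
    for rec in records:
        if rec.get("type") in {"A", "AAAA", "CNAME"}:
            host = normalize_hostname(rec.get("name", ""))
            if host:
                found.add(host)
    return found


def build_inventory(ct_records, zone_records, zones: Iterable[str]) -> List[str]:
    """Merge all sources, drop out-of-scope names, return a sorted unique list."""
    candidates = domains_from_ct(ct_records) | domains_from_dns_zone(zone_records)
    return sorted(h for h in candidates if in_scope(h, zones))


# Constructed sample input (hypothetical records, not real discovery output).
CT_RECORDS = [
    {"name_value": "www.example.com\n*.example.com\nAPI.example.com."},
    {"name_value": "staging.example.com\nexample.com"},
    {"name_value": "www.example.net"},  # out of scope for zone example.com
]
ZONE_RECORDS = [
    {"type": "A", "name": "admin.example.com"},
    {"type": "MX", "name": "mail.example.com"},  # mail exchanger, not a web asset
    {"type": "CNAME", "name": "cdn.example.com"},
    {"type": "A", "name": "notexample.com"},  # looks similar, but a different zone
]
ZONES = ["example.com"]

if __name__ == "__main__":
    for host in build_inventory(CT_RECORDS, ZONE_RECORDS, ZONES):
        print(host)
```

Running the block prints the six in-scope hostnames; the wildcard, the MX record and the two names from other zones are dropped before any resolution or scanning happens, which keeps the later triage steps pointed only at assets you are authorized to examine.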
With the first list of domains, Snyk API & Web does the following triage:
Identifies the IP address (or addresses) each domain resolves to.
Does a network/port scan for each IP to identify open services and their type.
From the services found, Snyk API & Web tries to identify whether each domain is a web app or an API.
The resulting domains/sub-domains for web apps and APIs become assets, and Snyk API & Web gets more detailed information about them:
Takes screenshots of the web apps.
And runs Security Headers to get a security score.
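The last two triage steps classify each discovered host as a web app or an API and attach a Security Headers score to it. The following added example (not Snyk's or the Security Headers service's own code) shows a simplified version of both checks run over captured HTTP response headers, so it runs offline. The header weights, the letter-grade bands and the sample responses are constructed assumptions; the real scoring model is not described on this page.

```python
"""Classify a captured HTTP response as web app or API and grade it on the
defensive headers it sends.

Added example, not Snyk's or Security Headers' code. Weights, grade bands and
sample responses are constructed assumptions."""
from typing import Dict, List, Tuple

# Defensive headers a hardened site is expected to send, with constructed weights.
SECURITY_HEADERS = {
    "strict-transport-security": 25,
    "content-security-policy": 25,
    "x-content-type-options": 15,
    "x-frame-options": 15,
    "referrer-policy": 10,
    "permissions-policy": 10,
}

# Constructed grade bands: (minimum score, grade), checked from best to worst.
GRADE_BANDS = [(90, "A"), (75, "B"), (60, "C"), (40, "D"), (20, "E"), (0, "F")]


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; compare them lower-cased."""
    return {k.lower(): v for k, v in headers.items()}


def score_headers(headers: Dict[str, str]) -> Tuple[int, str, List[str]]:
    """Return (score, grade, missing_headers). A header only counts if it is
    present with a non-empty value."""
    h = _lower_keys(headers)
    score = 0
    missing: List[str] = []
    for name, weight in SECURITY_HEADERS.items():
        if h.get(name, "").strip():
            score += weight
        else:
            missing.append(name)
    grade = next(g for threshold, g in GRADE_BANDS if score >= threshold)
    return score, grade, missing


def classify_asset(headers: Dict[str, str], body_snippet: str) -> str:
    """Rough web-app vs API classification from the Content-Type header, with
    the body's first bytes as a fallback when the header is missing."""
    h = _lower_keys(headers)
    ctype = h.get("content-type", "").lower()
    if "application/json" in ctype or "application/problem+json" in ctype:
        return "api"
    if "text/html" in ctype or body_snippet.lstrip().lower().startswith("<!doctype html"):
        return "web_app"
    return "unknown"


def is_low_score(grade: str) -> bool:
    """Mirrors the page's 'Low score' quick filter: a grade of C or worse."""
    return grade in ("C", "D", "E", "F")


# Constructed sample responses (hypothetical captures, not from a real host).
WEB_APP_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
WEB_APP_BODY = "<!DOCTYPE html><html><head><title>Portal</title></head></html>"

API_HEADERS = {
    "Content-Type": "application/json",
    "Strict-Transport-Security": "max-age=63072000",
    "Content-Security-Policy": "default-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "geolocation=()",
}
API_BODY = '{"status":"ok"}'

if __name__ == "__main__":
    for label, hdrs, body in (("www", WEB_APP_HEADERS, WEB_APP_BODY), ("api", API_HEADERS, API_BODY)):
        score, grade, missing = score_headers(hdrs)
        print(label, classify_asset(hdrs, body), score, grade, "low score" if is_low_score(grade) else "ok", missing)
```

The web-app sample only sends two of the six headers and lands at grade D, so it would surface under a "Low score" filter together with the exact headers to add; the API sample sends all six and grades A. Only headers in the captured response count, so a site that sets them in HTML meta tags rather than on the wire still scores as missing, which is the behaviour you want when the goal is to know what the browser actually receives.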
Assets are listed in the Discovery menu of the Snyk API & Web app. The following sections of this article describe some concepts and common actions available on that page.
Discovery Sources
When you add a source to your account, Snyk API & Web starts performing regular discovery scans to identify assets in the source’s attack surface.
There are four ways of adding a source:
By adding a domain.
Learn more about How to scan a domain for Asset Discovery.
By connecting to Cloudflare.
Learn more about How to scan a Cloudflare connection for Asset Discovery.
By connecting to AWS.
Learn more about How to scan an AWS connection for Asset Discovery.
By connecting to Akamai.
Learn more about How to scan an Akamai connection for Asset Discovery.
Discovery Assets
The assets resulting from discovery scans are listed in the Discovery menu entry of the Snyk API & Web app.
Here, at the top of the page, Snyk API & Web provides valuable information that you can use as quick filters to help you manage your assets and focus your attention on the ones that matter the most:
Found - The total number of assets found so far. If you click on it, the list will show all the assets found.
New - The total number of newly found assets. If you click on it, the list will only show the newly found assets.
Scanned - The percentage of assets that were already added as targets to your Snyk API & Web account and were scanned, meaning they have a risk level associated. If you click on it, the list will only show the assets that match these criteria.
Low score - The percentage of assets with a Security Headers score of C or less. If you click on it, the list will only show assets with a score within this range.
High risk - The percentage of assets already added as targets to your Snyk API & Web account, which were scanned and identified as High risk. If you click on it, the list will only show the assets that match these criteria.
In addition to the quick filters above, you can use the search box (on the right) and the more generic filters to help you navigate the list.
Discovery Asset Details
To view the details of a specific asset, click on its name in the list. This opens a side panel where you can see all associated vulnerabilities (Findings) and begin fixing them.
For more detailed guidance, see our article on how to interpret target scan results.
This panel shows the asset's name and URL, and has 3 tabs, each of them with useful information to help you manage your assets:
Overview
Redirect And IPs
Log
In the first tab, you can see 3 sections:
Risk
The asset's Risk classification (which is only set after the asset has been added as a target and scanned at least once)
The Security Headers score (with a link to the respective Security Headers details page)
Insights
When it was last seen
When it was seen for the first time
Labels and owners, if any have been set
The list of technologies found on the asset
How it was discovered
Images
A thumbnail of the asset’s screenshot (which you can see in detail by clicking on it).
In the second tab, you can see the following lists:
Redirect from - The list of URLs that redirect to the asset, if any.
Redirect to - The list of URLs to which the asset is redirected, if any.
IP - The list of IP addresses of the asset.
Finally, in the third tab, you can see the list of events associated with that asset, namely scans performed, risk or score updates, and detection of new technologies. Here you can also add notes for your team to see.
Note: You can switch between a small side panel and a full page by clicking on the buttons that appear at the top of the panel.
Actions on Discovery Assets
Add Target and Scan
If you decide to, you can add assets as targets to your Snyk API & Web account in order to scan them for vulnerabilities. For that, use the Add target button in the asset’s row.
After adding an asset as a target, the Add target button changes to a Scan button, which you can click to start scanning it for vulnerabilities.
After the target scan has finished, the Risk label of the corresponding asset is updated with the risk identified during the target scan.
To access a target's details, click on the 3 vertical dots that appear next to the Scan button to display the overflow menu and choose View target. From there, you can start analyzing its vulnerabilities (Findings), and start fixing them. Learn more about it in this article on how to interpret target scan results.
Mark as new/not new
Clicking on the 3 vertical dots that appear next to the main action button (Add target / Scan / Stop button) shows an overflow menu. The first 2 options, Mark as new / Mark as not new, let you identify the asset as new/not new, respectively. This action, along with the State filter, lets you better organize and prioritize your list of assets.
Hide/Show
Clicking on the 3 vertical dots that appear next to the main action button (Add target / Scan / Stop button) shows an overflow menu. The option Hide lets you better organize and prioritize your list of assets by hiding the ones you’re not interested in at the moment. These assets don’t disappear, they’re just filtered out of the default view; you can always filter them by choosing the “Hidden” option in the “State” filter and, if at any point you decide those assets are relevant again, you can get more visibility over them by clicking on the Show option.
Rename
Clicking on the 3 vertical dots that appear next to the main action button (Add target / Scan / Stop button) shows an overflow menu. The last option, Rename, opens a modal prompt that allows you to update the asset name.
Since assets and targets are synced together, updating an asset name will also update its matching target’s name. The opposite is also true: by updating the target name, the asset name will also be updated automatically.
Set labels
You can assign labels to assets the same way you would to targets; in fact, these are synced between assets and targets, so applying a label to an asset will also automatically apply it to the respective target and vice versa.
You can click on the Set labels dropdown to assign one or multiple labels; filter existing labels by typing in the search field, or create new ones and apply them in a single step!
Set owners
You can assign user labels to assets, to identify their owners. To do so, click on the Set owners dropdown to assign one or multiple user labels; filter existing labels by typing in the search field, or create new ones and apply them in a single step!
Logs
You can click on the Log tab that appears on the asset’s details to open the logs of that asset since it was first discovered.
In the expanded view of the side panel, you can search for specific log messages or filter them with the Event Type dropdown, or even add notes like you would for findings.
Bulk Actions on Discovery Assets
To improve your asset management, you can take certain actions in bulk. Just check the checkboxes of the assets that interest you, and the bulk actions will become available at the top of the list.
Here you can choose to:
Set labels - Apply labels to assets to help you filter and manage them. For example, you can set a CRITICAL label on those assets that are most critical to protect in your organization, bringing attention to them. Note that labels assigned to assets will also be synced to the respective targets.
Change state - Change the state of a group of assets. For example, you can “hide” assets that are not important so that you can focus on the ones that matter the most. If you change your mind, rest assured that you can “show” them again at any time. You can also set assets as “new” so you don’t miss them, or as “not new”, if you decide you’ve done all you need with them.