Issues
Issues are the security weaknesses found while testing the application. This guide explains how issue severity and confidence differ, and what a systemic issue is.
Severity and Confidence
Oneleet Application Security classifies each type of issue with a severity level and a confidence level. Severity and confidence are both useful for prioritizing findings, but they measure subtly different things.
The severity of an issue indicates how much of a security risk it poses. Oneleet Application Security classifies issues using four levels of severity:
- High: serious weakness with real exploit potential
- Medium: meaningful weakness, usually worth fixing soon
- Low: minor weakness or hardening gap
- Informational: not a vulnerability on its own, but a noteworthy observation
Because Oneleet Application Security probes a live app, it might occasionally flag something that isn’t actually exploitable. Confidence is how it tells you where that’s most likely, so you can spend your verification time wisely. The confidence levels are:
- High: strong evidence the finding is exploitable
- Medium: reasonable evidence, but worth a closer look to confirm
- Low: weaker evidence, so verify before escalating
Systemic issues
Some issues are flagged as systemic. They affect the application broadly rather than at a single location. These are usually configuration-level weaknesses: a missing security header or cookie flag, a CORS misconfiguration, etc. Oneleet Application Security keeps a few instances of each systemic issue to show you examples of how it appears in the app. Systemic issues often indicate that there is a single root cause, and that fixing that root cause will resolve all of the instances at once.
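As an added example covering both the severity/confidence prioritization above and the systemic grouping in this section (this is illustrative code, not Oneleet's own code or export format), the helper below orders findings by severity and then confidence, flags high-severity/low-confidence items for verification before escalation, and collapses systemic findings into one root-cause item that keeps a couple of example instances. The finding fields and the sample findings are constructed assumptions.

```python
from collections import defaultdict

# Rank order of the levels described on this page (higher value = more urgent).
SEVERITY = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONFIDENCE = {"Low": 0, "Medium": 1, "High": 2}

# Constructed sample findings. The field names are an assumption, not Oneleet's export format.
FINDINGS = [
    {"type": "Reflected XSS", "url": "/search?q=", "severity": "High", "confidence": "Medium", "systemic": False},
    {"type": "Missing HSTS header", "url": "/", "severity": "Low", "confidence": "High", "systemic": True},
    {"type": "Missing HSTS header", "url": "/login", "severity": "Low", "confidence": "High", "systemic": True},
    {"type": "Missing HSTS header", "url": "/api/v1/users", "severity": "Low", "confidence": "High", "systemic": True},
    {"type": "SQL injection", "url": "/report?id=", "severity": "High", "confidence": "Low", "systemic": False},
    {"type": "Verbose server banner", "url": "/", "severity": "Informational", "confidence": "High", "systemic": False},
]


def collapse_systemic(findings, keep=2):
    """Merge systemic findings of the same type into one root-cause item.

    Only `keep` example URLs are retained per item, mirroring how a few instances
    are shown for a systemic issue; `total` records how many were seen overall.
    """
    groups = defaultdict(list)
    items = []
    for f in findings:
        if f["systemic"]:
            groups[f["type"]].append(f)
        else:
            items.append(dict(f, instances=[f["url"]], total=1))
    for members in groups.values():
        urls = [m["url"] for m in members]
        items.append(dict(members[0], instances=urls[:keep], total=len(urls)))
    return items


def triage(findings):
    """Return findings in work order: severity first, then confidence as tie-breaker.

    High-severity findings with Low confidence are marked "verify first" so that
    verification effort goes where a false positive would be most costly to escalate.
    """
    items = collapse_systemic(findings)
    items.sort(key=lambda f: (SEVERITY[f["severity"]], CONFIDENCE[f["confidence"]]), reverse=True)
    for f in items:
        if f["severity"] == "High" and f["confidence"] == "Low":
            f["action"] = "verify first"
        elif f["severity"] == "Informational":
            f["action"] = "note"
        else:
            f["action"] = "fix"
    return items
```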
