Comparing different types of assessment

By default, XBOW runs a comprehensive assessment of your target. After fixing vulnerabilities, you can run a retest assessment to verify the fixes. Lightspeed accounts can use these two assessment types. Enterprise users can also configure targeted assessments.

For information about the tests run, see Attack types.

All users

Comprehensive application assessment

A comprehensive assessment performs a full security evaluation across your entire application, testing for all vulnerability types supported by XBOW.

This is the default assessment type and is used for initial Lightspeed assessments.

When to use:

  • First time testing an application with XBOW
  • Regular security assessments to identify all potential vulnerabilities
  • Compliance or audit requirements that need complete coverage
  • When you want to understand your overall security posture

What it tests:

  • All OWASP Top Ten vulnerability classes
  • Application-wide security controls
  • Authentication and authorization mechanisms
  • All accessible endpoints and functionality

Retest previous vulnerabilities

A retest assessment verifies whether previously identified vulnerabilities have been remediated.

XBOW attempts to reproduce the original exploit to confirm the fix. If the original exploit is blocked, XBOW applies advanced exploitation techniques to ensure that fixes are comprehensive and cannot be bypassed.

When to use:

  • After remediating vulnerabilities from a previous XBOW assessment
  • To verify that security patches are effective
  • When you need evidence that vulnerabilities are resolved
  • Before deploying fixes to production

What it tests:

  • Previously identified vulnerabilities using original exploits
  • Potential bypasses of implemented fixes
  • Alternative exploitation techniques if original exploit fails

Enterprise users

In addition to comprehensive and retest assessments, Enterprise users can run targeted assessments that focus on one or more specific categories of vulnerability while still checking for common security flaws. Testing with a subset of attack types (such as Remote Code Execution and Cross-Site Scripting) increases focus and depth on those specific areas.

Consider these factors when selecting an assessment type:

  • Testing frequency: Use comprehensive assessments quarterly or before major releases. Use targeted assessments for specific concerns or after focused development work.
  • Available time: Comprehensive assessments take longer but provide complete coverage. Targeted assessments complete faster when you need quick results.
  • Development focus: If recent work concentrated on specific functionality (for example, a new authentication system), use a targeted assessment for those categories.