The recent security vulnerabilities reported in the Log4J and Spring4Shell open source components reminded us of an important reality -- security is often a critical race from the time of a vulnerability disclosure to its remediation. CAST Highlight has added a new capability that automatically sends email notifications as soon as a new vulnerability impacting one of your applications is published, without having to re-scan them. This article explains how it works.

How to subscribe to vulnerability email notifications?

The Vulnerability Notification capability allows users to be notified by email of a vulnerability that has been disclosed or updated in the National Vulnerability Database (NVD) which impacts a component of one or many applications, without having to rescan the application.To subscribe to vulnerability email notifications, login to CAST Highlight and from the user menu on the right, click on “Manage Notifications”. Once the modal opens, switch the “CVE report” button on and select the different notification options: Filter on criticality

• Critical only: you’ll receive notifications only on critical vulnerabilities
• At least high: you’ll receive notifications on critical and high vulnerabilities
• At least medium: you’ll receive notifications on critical, high, and medium vulnerabilities
• At least low: you’ll receive notifications on all vulnerabilities, except advisories
• All vulnerabilities: you’ll receive notifications on all vulnerabilities, including advisories

Filter on status (new/modified)

• New only: you’ll receive notifications on newly disclosed vulnerabilities only
• Modified only: you’ll receive notifications on recently updated vulnerabilities only (e.g., the CVSS score or criticality of an existing CVE has been modified, CPEs have been updated, etc.)
• All status changes

  Once your preferences are set, click on the “save” button. If one or more vulnerabilities are disclosed (and/or modified according to your notification preferences), you will receive an email from CAST Highlight (example below).

When will you get notified of a new vulnerability?

When a CVE is added or modified in the National Vulnerability Database (our vulnerability database is synced every hour for new or updated entries), CAST Highlight automatically updates existing SCA results of impacted applications, and the corresponding CVE will be visible from the dashboards without requiring a rescan of applications. Users who subscribed to CVE notifications will receive a notification by email. It is important to note that CAST Highlight will notify you only if new or recently modified CVEs are added to the National Vulnerability Database (i.e., after the notification subscription date) and when an application is rescanned and has a new CVE which was not detected in previous scan.Said differently, you won't be notified of the CVEs reported in a first scan you just ran. If you want to see a full list of CVEs detected across your applications, you can use the dashboards, reports (BOM, PPT…) and other API endpoints. The whole purpose of this notification feature is to let you know when a new CVE is discovered and impacts one of the third-party components you use. All CAST Highlight user roles can subscribe to these vulnerability notifications, the scope of application CVEs reported depending on the domain where the user is attached. Finally, you can unsubscribe from the vulnerability notifications by switching the notification button off and click on save.