Barracuda Vulnerability Manager and Barracuda Remediation Service

Protect your web applications, without detours.
Free website scan

Frequently Asked Questions

What does Barracuda Vulnerability Manager scan?

Barracuda Vulnerability Manager scans only web applications, so only the web server the scan is directed at will be targeted. The solution does not scan your network or your infrastructure. For example, Vulnerability Manager will neither target nor scan layer 3 firewalls, VPN devices, mail appliances or servers, FTP servers, telephone systems, or any other network device.

Which vulnerabilities can Barracuda Vulnerability Manager detect?

Barracuda Vulnerability Manager detects many common web application vulnerabilities, including SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and others. For a more detailed list, see the “Barracuda Vulnerability Manager Vulnerability Type Reference.”

Where are the scans performed from?

Barracuda Vulnerability Manager scans are performed from Barracuda’s data center in Southfield, Michigan. The IP range is 64.235.153.0/24.

How is the scan performed?

To scan a web application, Barracuda Vulnerability Manager sends specially crafted requests to your web server and then analyzes the responses. Vulnerable servers return a characteristic response that the scanner can detect, which lets us notify you. The requests Barracuda Vulnerability Manager sends are specifically designed to cause no damage to your servers; their only purpose is to detect vulnerabilities, never to exploit them.

What data does Barracuda Vulnerability Manager collect during the scan?

During the scan, Barracuda Vulnerability Manager collects various information about your application; this information is used to increase accuracy and find vulnerabilities in the application. This information may include data on the technologies and components in use by your application, the structure of your application, as well as lists of pages, forms, fields, and cookies.

Barracuda Vulnerability Manager does not collect any personally identifiable information (PII) or records from your application’s database, whether this information is publicly accessible or not. If Barracuda Vulnerability Manager finds a vulnerability that could compromise confidentiality of data on your web application, it does not collect any of the data that could be compromised; instead, it only alerts you to the problem.

Barracuda Vulnerability Manager also does not collect the source code (whether client-side or server-side) of your application.

How long does a scan take?

The length of the scan varies widely with the size of your application—from a few minutes up to multiple days. You can monitor the progress of the scan from Barracuda Vulnerability Manager’s Active Scans screen. If you like, you can also limit the length of the scan; in this case, you will only see the vulnerabilities that were found within this period of time. You can always cancel a currently running scan; again, you will only see the vulnerabilities found until it was canceled.

What are the risks of running the scan?

The scan is specially engineered not to cause damage to your web application, web server, database, or network infrastructure. During the scan process, the scanner submits all web forms found on your application a large number of times in order to test for vulnerabilities. If you have unprotected forms that write data to a database or send emails based on form submissions, you may see a large number of database records or emails sent during the scan. You can safely ignore or delete these records and/or emails; they do not cause any damage.

Will the scan overload my web server?

Barracuda Vulnerability Manager has an automatic overload protection feature: If it detects high load on your web server, it will automatically reduce the scan speed until high load is no longer detected. Regardless of overload protection, Barracuda Vulnerability Manager sends a maximum of 15 requests per second to your server. If you wish, you may adjust this number on the Crawling tab of the scan configuration dialog. For example, you may want to increase this number if you are scanning a non-production server and want the scan to complete faster.
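The two operational facts above, the published scanner source range (64.235.153.0/24) and the default cap of 15 requests per second, are what a site operator needs in order to tell scanner traffic apart from other traffic in web server logs and to confirm the scanner stayed within its limit. The following is an added example written for this FAQ, not Barracuda's own code: it parses a few constructed common-log-format lines, classifies each request by whether its source address falls in the stated range, and reports the peak per-second request rate from that range. The log lines and addresses are constructed sample data; only the CIDR range and the 15 req/s figure come from the text.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Scanner source range as stated in the FAQ.
SCANNER_RANGE = ipaddress.ip_network("64.235.153.0/24")
# Default per-second request cap as stated in the FAQ.
DEFAULT_RPS_CAP = 15

# Apache/nginx common log format: client IP, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic): three requests from the scanner
# range in one second, one from an unrelated address, one more scanner request.
SAMPLE_LOG = """\
64.235.153.17 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512
64.235.153.17 - - [10/Oct/2023:13:55:36 +0000] "POST /login HTTP/1.1" 302 0
64.235.153.42 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=test HTTP/1.1" 200 2048
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /search?q=test HTTP/1.1" 200 2048
64.235.153.17 - - [10/Oct/2023:13:55:37 +0000] "GET /account HTTP/1.1" 401 128
"""


def parse_line(line):
    """Return (ip, timestamp, request_line) for one common-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = ipaddress.ip_address(m.group("ip"))
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return ip, ts, m.group("req")


def is_scanner(ip):
    """True if the source address lies in the published scanner range."""
    return ip in SCANNER_RANGE


def split_traffic(log_text):
    """Separate parsed entries into scanner-originated and other traffic."""
    scanner, other = [], []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than misclassify them
        (scanner if is_scanner(entry[0]) else other).append(entry)
    return scanner, other


def peak_scanner_rps(log_text):
    """Highest number of scanner requests observed within any single second."""
    scanner, _ = split_traffic(log_text)
    per_second = Counter(ts for _, ts, _ in scanner)
    return max(per_second.values(), default=0)


def exceeds_cap(log_text, cap=DEFAULT_RPS_CAP):
    """True if scanner traffic in the log exceeded the per-second cap."""
    return peak_scanner_rps(log_text) > cap


if __name__ == "__main__":
    scanner, other = split_traffic(SAMPLE_LOG)
    print(f"scanner requests: {len(scanner)}, other requests: {len(other)}")
    print(f"peak scanner req/s: {peak_scanner_rps(SAMPLE_LOG)} (cap {DEFAULT_RPS_CAP})")
    print("cap exceeded" if exceeds_cap(SAMPLE_LOG) else "within cap")
```

If you raise the cap on the Crawling tab, pass the same value as `cap` so the check matches your configuration; the split by source range is also the basis for a firewall or WAF allowlist entry that admits the scanner without admitting other traffic.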

Can I scan applications hosted on public cloud servers, on-premises, collocated, etc.?

Barracuda Vulnerability Manager can scan any web application that is publicly accessible, regardless of where it is hosted. If any user on the internet can enter your application’s URL and access it, it can be scanned.

Can I scan applications that are behind a load balancer or firewall?

Yes. Barracuda Vulnerability Manager can scan regardless of any load balancers or firewalls in front of the application, as long as the application is publicly accessible.

Will Barracuda Vulnerability Manager “hack” my application in order to detect vulnerabilities?

No. Barracuda Vulnerability Manager will determine if your application could be hacked by a malicious attacker, but it will not hack your application. In particular, Barracuda Vulnerability Manager will not cause your application to execute any harmful code, steal data from your application, or cause it to crash.

Will Barracuda employees have access to my application’s data?

No. While Barracuda Vulnerability Manager may store request and response data to help you locate vulnerabilities, your application’s data will not be stored on Barracuda servers or accessible to Barracuda employees.

Are scan reports stored in Barracuda’s cloud? How can you ensure the reports remain confidential?

Scan reports are stored on specially designated servers in Barracuda’s dedicated data center. Only you can access your reports using your Barracuda Cloud Control credentials. If you have regulatory requirements that your data be kept on physically separate servers, or on-premises, please contact us to discuss on-premises options.

Can users with access to Barracuda Vulnerability Manager scan my application?

No. As a security measure and to prevent abuse, users must verify every domain they want to scan, either in Barracuda Vulnerability Manager or through the Cloud Control domain verification process. Users are asked to complete this simple verification by clicking a link sent to them by e-mail.

Barracuda Vulnerability Manager found a vulnerability on my application. What should I do?

You should take immediate action to remediate vulnerabilities found by Barracuda Vulnerability Manager, especially those with High or Critical severity levels.

The easiest way to remediate web application vulnerabilities is to use a Barracuda Web Application Firewall (WAF). Barracuda’s WAF can import the results of a Barracuda Vulnerability Manager scan and automatically remediate all the vulnerabilities found by the scan. For more information, see the Solution Brief, “Web Application Vulnerabilities: from Detection to Remediation.”

The information provided in Barracuda Vulnerability Manager’s report can also be used by your web application’s developers to find and fix the problem manually in the application’s source code.

How can I contact support?

Please email BVM_Support@barracuda.com for support.

If you have other questions that are not answered here, please contact Barracuda Networks at +33 1 72 75 72 78.