Comply or Explain

Sometimes a security design requires deviating from established practices. Even in these cases Web Security Map has you covered.

With Comply or Explain, the managers of an installation can create standardized and custom exceptions for findings: something that would be wrong by common assumption is recorded as correct, together with an explanation of why.

An explained issue still shows up in reports, marked as explained and together with the original finding. Explained issues are removed from the open issues, so they count in reports and statistics as a positive result.

Example scenarios:

  • Certificate Revocation Lists are published on plain-http domains (this is intentional: a CRL is signed by the issuing CA, and fetching it over https could require a revocation check on the CRL server's own certificate)
  • Some domains are used by devices only, which trust an internal certificate authority (externally the certificate shows as untrustworthy, because that CA is not in the public trust stores)
  • A domain with a deliberately incorrect configuration is needed for test purposes
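The reporting rules above (an explained issue keeps its original finding, leaves the open issues, and counts as positive) and the first two scenarios, worked through as an added example. This is illustration code, not Web Security Map's own implementation: the `Result` and `Rule` data model, the rule names, the `custom_rule` helper and the sample scan results are all constructed for this example.

```python
"""Added example, not Web Security Map's own code: how a comply-or-explain
pass reclassifies scan results for a report. The data model, rule names
and sample results are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Result:
    host: str                 # domain the check ran against
    url: str                  # endpoint the check looked at
    check: str                # e.g. "tls_missing", "tls_untrusted"
    passed: bool              # raw outcome of the check
    explanation: Optional[str] = None   # set when an exception applies


@dataclass
class Rule:
    """An exception: a predicate on a result plus the explanation it attaches."""
    name: str
    applies: Callable[[Result], bool]
    text: str


# Standardized rule (hypothetical name): CRL distribution points are served over
# plain HTTP on purpose, so a missing-TLS result on a .crl URL is explained.
CRL_PATH = re.compile(r"\.crl$", re.IGNORECASE)
STANDARD_RULES = [
    Rule("crl_over_http",
         lambda r: r.check == "tls_missing" and bool(CRL_PATH.search(r.url)),
         "CRL distribution point; served over HTTP by design"),
]


def custom_rule(host: str, check: str, text: str) -> Rule:
    """Per-installation exception for one host and one check (hypothetical helper)."""
    return Rule(f"custom:{host}:{check}",
                lambda r: r.host == host and r.check == check, text)


def explain(results: List[Result], rules: List[Rule]) -> List[Result]:
    """Attach the first matching explanation to each failed result. Passed
    results never need one, and an explanation never removes the original result."""
    for r in results:
        if r.passed:
            continue
        for rule in rules:
            if rule.applies(r):
                r.explanation = f"{rule.name}: {rule.text}"
                break
    return results


def report(results: List[Result]) -> Dict:
    """Open issues are failed and unexplained; explained issues are listed
    alongside their original check and counted as positive in the statistics."""
    open_issues = [r for r in results if not r.passed and r.explanation is None]
    explained = [r for r in results if r.explanation is not None]
    positive = len(results) - len(open_issues)
    return {"open": open_issues, "explained": explained,
            "stats": {"positive": positive, "open": len(open_issues)}}


def sample_results() -> List[Result]:
    """Constructed sample scan output mirroring the scenarios above."""
    return [
        Result("crl.example.org", "http://crl.example.org/root.crl", "tls_missing", False),
        Result("devices.example.org", "https://devices.example.org/", "tls_untrusted", False),
        Result("www.example.org", "https://www.example.org/", "tls_missing", True),
        Result("shop.example.org", "http://shop.example.org/", "tls_missing", False),
    ]


def demo() -> Dict:
    """Apply the standard rule plus one custom exception and build the report."""
    rules = STANDARD_RULES + [
        custom_rule("devices.example.org", "tls_untrusted",
                    "device-only domain using the internal CA, which the devices trust"),
    ]
    return report(explain(sample_results(), rules))


if __name__ == "__main__":
    out = demo()
    for r in out["explained"]:
        print(f"EXPLAINED {r.host} {r.check}: {r.explanation}")
    for r in out["open"]:
        print(f"OPEN      {r.host} {r.check}")
    print(out["stats"])
```

Running it leaves only the shop domain as an open issue; the CRL host and the device-only host appear under explained with their original check name intact, and the statistics count three positive results against one open. Note that the custom rule is scoped to one host and one check, so a different failing check on the same host would still be reported as open.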

Included is a script that automatically adds comply-or-explain entries for commonly used Microsoft domain services. It can be enabled and disabled.

Default scanning and classification are based on common web security standards promoted by OWASP, ENISA, Forum Standaardisatie and many other authoritative bodies.