JOUO scans your website and shows you on the dashboard which areas of your website infrastructure are good in terms of security and compliance and which you should check.
However, not everything that is displayed as critical in JOUO is necessarily illegal or a security vulnerability.
JOUO specifies, for example, that the mandatory pages (in addition to the legal notice and a privacy policy) include a terms and conditions page. However, not every website requires T&C, and JOUO cannot tell the difference. So if JOUO cannot find a terms and conditions page, it warns you to check whether you need one.
But what if I want the warning to disappear after the check?
Let's assume you have checked whether you need a terms and conditions page and have come to the conclusion that you are not legally obliged to provide one.
For cases like this, you can now hide certain findings in JOUO and add a comment to some of them.
You can now record in JOUO that your website does not require terms and conditions, and the missing page will no longer be displayed as a warning.
But that's not all, JOUO now also offers you these functions:
URLs of third parties in your privacy policy
JOUO shows you which URLs of third parties found on the start page you should list in your privacy policy. To help you keep track, you can now check off in JOUO which of the URLs you have already listed in your privacy policy.
Open ports
JOUO shows you your open ports as a potential vulnerability, and rightly so: open ports always entail risks, just like unlocked back doors or garage doors. This is especially true if a port is chatty, in other words if the service behind the open door gives away information about itself. But some open ports are justifiably open, just as the doors of an office are justifiably open but protected by security measures such as key cards. For this reason, you can now comment on every open port in JOUO and note the countermeasures you have in place. This justification is then listed in your infrastructure documentation.
False-positive CVEs
JOUO shows you all CVEs (Common Vulnerabilities and Exposures) that it can find for your website infrastructure. A CVE is a reference, a kind of ID number for publicly known security vulnerabilities. A CVE may also have been reported as a precaution: several conditions may have to be met before the vulnerability actually applies.
Example: The CVE says: "This door lock model XY can be cracked under certain circumstances!" However, for it to actually be cracked, ALL of the following conditions must be met:
- You must have this exact lock model on your door.
- Your door must not have an additional bolt.
- The door must be made of a certain material (e.g. wood, not metal).
The CVE is therefore displayed as a warning. However, it may still not apply to you, because your door is not made of the required material or because you have additional protective measures such as extra bolts. In this case the CVE is incorrectly reported as a hit: a false-positive CVE.
If you determine during the check that this CVE does not represent a relevant risk from your point of view because it is false-positive or you have taken appropriate security measures, you can now hide it in JOUO and document a justification and countermeasures.
These hidden CVEs are then no longer counted among your vulnerabilities, are no longer listed as vulnerabilities in your infrastructure documentation and no longer generate recommendations. Instead, they are listed separately in a new section of the infrastructure documentation.
Because the conditions may change with updates or other modifications (for example, a CVE that was a false positive before an update of your systems may actually apply afterwards), a hidden CVE is automatically displayed as a warning again after three months. You can extend the period by a further three months at any time.
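As an added illustration (not JOUO's own code), the following Python models the triage flow described above for open ports and for false-positive CVEs: a finding is hidden together with a justification and countermeasures, stays hidden for an assumed 90 days ("three months"), can be extended by another 90 days while still hidden, and the report counts only unsuppressed findings while listing justified ones in a separate section. The CVE identifier, dates and wording are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SUPPRESSION_DAYS = 90  # assumed interpretation of the page's "three months"


@dataclass
class Finding:
    ident: str                  # e.g. a CVE id or "port:8080"
    kind: str                   # "cve" or "port"
    justification: Optional[str] = None
    countermeasures: Optional[str] = None
    review_on: Optional[date] = None   # date from which the finding resurfaces

    def suppress(self, today: date, justification: str, countermeasures: str) -> date:
        # Hide the finding, but only for a bounded period so it is re-checked.
        if not justification.strip():
            raise ValueError("a suppression needs a justification")
        self.justification = justification
        self.countermeasures = countermeasures
        self.review_on = today + timedelta(days=SUPPRESSION_DAYS)
        return self.review_on

    def extend(self, today: date) -> date:
        # Design choice here: only a currently hidden finding can be extended;
        # one that has already resurfaced must be re-assessed and re-suppressed.
        if not self.is_hidden(today):
            raise ValueError(f"{self.ident} is not currently suppressed")
        self.review_on += timedelta(days=SUPPRESSION_DAYS)
        return self.review_on

    def is_hidden(self, today: date) -> bool:
        return self.review_on is not None and today < self.review_on


def build_report(findings: list, today: date) -> dict:
    # Active findings drive the vulnerability count; justified ones are
    # listed separately with their review date, as in the documentation PDF.
    active = [f for f in findings if not f.is_hidden(today)]
    hidden = [f for f in findings if f.is_hidden(today)]
    return {
        "vulnerability_count": len(active),
        "vulnerabilities": [f.ident for f in active],
        "justified_exceptions": [
            {"id": f.ident, "justification": f.justification,
             "countermeasures": f.countermeasures, "review_on": f.review_on.isoformat()}
            for f in hidden
        ],
    }
```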
And everything is available for download in the infrastructure documentation
So that you can also file your data for documentation purposes, you can download the infrastructure documentation: all JOUO data for your website in PDF format. All the adjustments mentioned above (no terms and conditions page, resources and URLs in the privacy policy, hidden CVEs, your comments) are now listed in the infrastructure documentation as well.