How Astra calculates the Risk Rating & Security Grade
Astra's OrbitX Pentest Platform (PTaaS) solution provides a comprehensive approach for assessing and mitigating security vulnerabilities in your infrastructure. As part of this process, we assign a risk score to each reported vulnerability, which helps prioritize remediation efforts, and a security grade (A through F) that indicates the security level of your target.
In this help article, we will explain the methodology behind our risk scoring and security grading system, highlighting the key factors we consider.
Risk Score Calculation Factors
The risk score is determined by a weighted average of several factors that collectively assess the severity and potential impact of a vulnerability. These factors include:
Severity Assigned by Security Analysts: We incorporate the severity assigned by our security analysts, who evaluate the vulnerability in the context of your target. Their expertise and analysis contribute to the overall risk assessment. This parameter is weighed in only during a manual pentest by pentesters.
CVSS Score: The Common Vulnerability Scoring System (CVSS) provides a standardized method for assessing the severity of vulnerabilities. We take into consideration the CVSS score assigned to the vulnerability, which considers factors such as exploitability, impact, and complexity. We currently use CVSS v3.0 and plan on moving to v4 soon.
Number of Instances: If multiple instances of the same vulnerability are found within the application, we consider this factor to reflect the potential scale of the issue. A higher number of instances increases the risk score, as it indicates a broader attack surface.
Potential Financial Loss: We evaluate the potential financial impact on your organization if the vulnerability is exploited successfully. This assessment takes into account factors such as data loss, service disruption, compliance violations, and other potential consequences.
Average Responsible Disclosure Bounty: We consider the average bounty amount paid on popular platforms such as HackerOne™, Bugcrowd™, and others. This factor helps gauge the value of the vulnerability to the wider security community.
Methodology
To calculate the risk score for a reported vulnerability, each factor is normalized to a common scale (e.g., 0-10) to ensure comparability. We assign weights to each factor based on its relative importance in determining the overall risk. The weights reflect the significance of each factor in influencing the potential impact and exploitability of a vulnerability. Based on the final risk score obtained after averaging the various factors, we assign a security grade to the vulnerability. This grade helps prioritize the order of remediation efforts.
Security Grading Breakdown
The individual risk scores of all vulnerabilities are rolled up to determine the overall security grade for your target. Here’s a breakdown of how the grades are assigned:
A+ Grade: Excellent results in the pentest or vulnerability scan. All vulnerabilities were fixed, and no significant issues remain.
A Grade: Good results in the pentest or vulnerability scan. Most vulnerabilities, especially those with some impact, were fixed.
B Grade: Decent performance in the pentest or vulnerability scan. Vulnerabilities were fixed, but some exceptions remain.
This grading helps prioritize which vulnerabilities should be addressed first to improve the overall security posture of your system.
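As an added illustration (not Astra's own code: its weights, normalization caps and grade thresholds are not published), the following Python sketch applies the methodology above: each factor is normalized to the common 0-10 scale, the factors are combined as a weighted average with the analyst severity dropped for automated scans, and the per-vulnerability scores are rolled up into the A+, A and B target grades described under Security Grading Breakdown. Every weight, cap and threshold in it is an assumption.

```python
import math

# Assumed weights and normalization caps, constructed for this example;
# Astra does not publish its actual values.
WEIGHTS = {"analyst": 0.30, "cvss": 0.30, "instances": 0.10,
           "loss": 0.15, "bounty": 0.15}
MAX_INSTANCES, MAX_LOSS_USD, MAX_BOUNTY_USD = 100, 1_000_000, 10_000

def clamp10(x):
    """Keep a normalized factor on the common 0-10 scale."""
    return max(0.0, min(10.0, float(x)))

def normalize_instances(n):
    """Log scale: 1 instance -> 0, MAX_INSTANCES or more -> 10."""
    return 0.0 if n <= 1 else clamp10(10 * math.log(n) / math.log(MAX_INSTANCES))

def normalize_money(amount, cap):
    """Linear scale up to an assumed cap."""
    return clamp10(10 * amount / cap)

def risk_score(cvss, instances, loss_usd, bounty_usd, analyst=None):
    """Weighted average of the normalized factors (0-10).

    `analyst` (0-10) exists only for manual pentests; when it is None the
    remaining weights are renormalized so the score still spans 0-10.
    """
    factors = {"cvss": clamp10(cvss),
               "instances": normalize_instances(instances),
               "loss": normalize_money(loss_usd, MAX_LOSS_USD),
               "bounty": normalize_money(bounty_usd, MAX_BOUNTY_USD)}
    if analyst is not None:
        factors["analyst"] = clamp10(analyst)
    total_weight = sum(WEIGHTS[k] for k in factors)
    return round(sum(WEIGHTS[k] * v for k, v in factors.items()) / total_weight, 2)

def target_grade(vulns, minor_threshold=4.0):
    """Roll (risk_score, fixed) pairs up to a target grade; thresholds are assumed."""
    open_scores = [score for score, fixed in vulns if not fixed]
    if not open_scores:
        return "A+"          # all fixed, no significant issues remain
    fixed_share = 1 - len(open_scores) / len(vulns)
    if fixed_share >= 0.8 and max(open_scores) < minor_threshold:
        return "A"           # most fixed, only minor issues still open
    if fixed_share >= 0.5:
        return "B"           # fixed, but some exceptions remain
    return "C or below"      # grades below B are not described in this article
```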
If you have any further questions or require assistance with OrbitX's vulnerability management capabilities, please don't hesitate to contact our support team.
Updated on: 18/12/2024