
How Astra calculates the Risk Rating & Security Grade

Astra's vulnerability management solution provides a comprehensive approach to assessing and mitigating security vulnerabilities in your applications. As part of this process, we assign a risk score to each reported vulnerability, which helps prioritize remediation efforts, and a security grade (A through F) that indicates the security level of your target.

In this help article, we will explain the methodology behind our risk scoring and security grading system, highlighting the key factors we consider.

Risk Score Calculation Factors

The risk score is determined by a weighted average of several factors that collectively assess the severity and potential impact of a vulnerability. These factors include:

Severity Assigned by Security Analysts: We incorporate the severity assigned by our security analysts who evaluate the vulnerability. Their expertise and analysis contribute to the overall risk assessment.

CVSS Score: The Common Vulnerability Scoring System (CVSS) provides a standardized method for assessing the severity of vulnerabilities. We take into consideration the CVSS score assigned to the vulnerability, which considers factors such as exploitability, impact, and complexity.

Number of Instances: If multiple instances of the same vulnerability are found within the application, we consider this factor to reflect the potential scale of the issue. A higher number of instances increases the risk score, as it indicates a broader attack surface.

Potential Financial Loss: We evaluate the potential financial impact on your organization if the vulnerability is exploited successfully. This assessment takes into account factors such as data loss, service disruption, compliance violations, and other potential consequences.

Average Responsible Disclosure Bounty: We consider the average bounty amount paid on popular platforms such as HackerOne, Bugcrowd, and others. This factor helps gauge the value of the vulnerability to the wider security community.


Methodology

To calculate the risk score for a reported vulnerability, each factor is first normalized to a common scale (e.g., 0-10) so that the factors are comparable. Each factor is then assigned a weight based on its relative importance in determining the overall risk; the weights reflect how strongly each factor influences the potential impact and exploitability of a vulnerability. The final risk score is the weighted average of the normalized factors, and from that score we assign a security grade to the vulnerability. This grade helps prioritize the order of remediation efforts.
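The following is an added illustration of the methodology described above, not Astra's own code: it normalizes the five factors named in this article onto a 0-10 scale, takes a weighted average, and maps the result to a letter grade. The weights, the caps used for normalization (instance count, financial loss in USD, bounty in USD), the log-scale treatment of instance counts, and the grade thresholds are all assumed values chosen for the example; Astra's actual weights and thresholds are not published in this article.

```python
"""Illustrative weighted-average risk score and letter grade.

Added example: every weight, cap and threshold below is an assumption
made for illustration, not Astra's actual value.
"""
import math
from dataclasses import dataclass

# Assumed relative weights for the five factors named in the article (sum to 1.0).
WEIGHTS = {
    "analyst_severity": 0.30,
    "cvss": 0.25,
    "instances": 0.15,
    "financial_loss": 0.15,
    "bounty": 0.15,
}

# Assumed caps used to squash open-ended quantities onto the 0-10 scale.
MAX_INSTANCES = 100               # 100 or more occurrences -> 10
MAX_FINANCIAL_LOSS = 1_000_000.0  # USD, assumed
MAX_BOUNTY = 10_000.0             # USD, assumed

# Assumed grade thresholds on the 0-10 risk score (higher score = worse grade).
GRADE_THRESHOLDS = [(8.0, "F"), (6.0, "D"), (4.0, "C"), (2.0, "B"), (0.0, "A")]


@dataclass
class Finding:
    analyst_severity: float  # 0-10 as assigned by the security analyst
    cvss: float              # CVSS base score, already on a 0-10 scale
    instances: int           # number of occurrences found in the application
    financial_loss: float    # estimated loss in USD if exploited (assumed unit)
    avg_bounty: float        # average disclosure bounty in USD (assumed unit)


def clamp(value: float, low: float = 0.0, high: float = 10.0) -> float:
    """Keep a normalized value inside the common 0-10 scale."""
    return max(low, min(high, value))


def log_scale(count: int, cap: int) -> float:
    """Map a count onto 0-10 with diminishing returns (log scale), capped at `cap`."""
    if count <= 0:
        return 0.0
    return clamp(10.0 * math.log1p(count) / math.log1p(cap))


def linear_scale(amount: float, cap: float) -> float:
    """Map a monetary amount linearly onto 0-10, saturating at `cap`."""
    return clamp(10.0 * amount / cap)


def normalize(finding: Finding) -> dict:
    """Normalize each factor to the common 0-10 scale."""
    return {
        "analyst_severity": clamp(finding.analyst_severity),
        "cvss": clamp(finding.cvss),
        "instances": log_scale(finding.instances, MAX_INSTANCES),
        "financial_loss": linear_scale(finding.financial_loss, MAX_FINANCIAL_LOSS),
        "bounty": linear_scale(finding.avg_bounty, MAX_BOUNTY),
    }


def risk_score(finding: Finding) -> float:
    """Weighted average of the normalized factors, on the 0-10 scale."""
    scores = normalize(finding)
    total_weight = sum(WEIGHTS.values())
    weighted = sum(WEIGHTS[name] * scores[name] for name in WEIGHTS)
    return weighted / total_weight


def grade(score: float) -> str:
    """Map a 0-10 risk score to a letter grade using the assumed thresholds."""
    for threshold, letter in GRADE_THRESHOLDS:
        if score >= threshold:
            return letter
    return "A"


if __name__ == "__main__":
    # Constructed sample finding: a single critical issue with moderate financial exposure.
    sample = Finding(analyst_severity=9.0, cvss=9.8, instances=1,
                     financial_loss=500_000.0, avg_bounty=5_000.0)
    score = risk_score(sample)
    print(f"normalized factors: {normalize(sample)}")
    print(f"risk score: {score:.2f}  grade: {grade(score)}")
```

The instance count is deliberately put on a log scale so that the tenth occurrence of the same issue raises the score far less than the second one does; a linear mapping would let a single low-severity finding with many instances outrank one critical finding.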

If you have any further questions or require assistance with our vulnerability management solution, please don't hesitate to contact our support team.

Updated on: 29/05/2023
