How Do We Grade Vulnerability Scans?
Grading vulnerability scans involves a systematic approach to assess the security posture of systems. The following steps outline the process used to evaluate vulnerabilities.
Written by Chris Zator
Updated at November 27th, 2024
- User Manual
- Self Onboarding Guide
- Agents
- The Cyber Risk Assessment Process
- PSA Integrations
- General Questions and Troubleshooting
- The Cyber Risk Assessment Process (Video Tutorials)
- Sales and Prospecting Articles
- CYRISMA Partner Portal Access
- Glossary
- API Documents
- CYRISMA Change Log
- Support Ticket SLA
- Billing Questions
Table of Contents
Step 1: Review CVSS Scores
- We begin by reviewing the CVSS (Common Vulnerability Scoring System) score assigned to each identified CVE (Common Vulnerabilities and Exposures). This score helps us understand the severity of each vulnerability.
Step 2: Analyze Vulnerability Percentage per Host
- Next, we calculate the percentage of vulnerabilities found for each host based on the total number of vulnerabilities we scan for. This analysis provides insight into how vulnerable each individual host is relative to the overall environment.
Step 3: Assess Higher-Risk Vulnerabilities
- Finally, we focus on the number of vulnerabilities that have a CVSS score of 4 or above. These scores indicate vulnerabilities that pose a moderate to high risk and require immediate attention.
Risk Algorithm:
- We take all these elements—CVSS scores, percentage of vulnerabilities per host, and the count of higher-risk vulnerabilities—and input them into our risk algorithm. This algorithm generates a comprehensive grading system for the vulnerability scan, allowing us to prioritize remediation efforts effectively.