Understanding and Adjusting Severity Levels

Question

How are the severity levels of the findings determined and is it possible to adjust these?

Answer

The default rankings are baked into the Contrast agent's ruleset. The rules apply an Impact rating (how damaging would it be if this was exploited) and a Likelihood rating (what are the chances of this being exploited). We then use this to assign the severity:

[Figure: severity matrix, showing how the Impact and Likelihood ratings combine to give the severity level]

We also take into account the confidence level, which indicates how certain we are that the finding is a true vulnerability rather than a false positive. The levels of confidence we use are based on the same levels used for CVE confidence. You can see the confidence for a specific rule by going to Policy Management -> Assess Rules and clicking on the name of a particular rule. The High Confidence filter shows only those issues with the highest level of confidence.

If for any reason you don't agree with the severity Contrast has assigned, it can be tailored to your own preferences. To alter the severity for an entire rule, select your name in the top right-hand corner of the TeamServer UI and select Policy Management. Then, under 'Assess Rules', navigate to the desired vulnerability/finding, click on the gear icon, and check 'Override' to modify the severity. If you only want to alter the level for a single vulnerability/finding, you can click on the severity level directly and make the adjustment there.

Further Reading

The vulnerabilities and severities are aggregated at the application level and the application score [1] is computed. In addition, Contrast provides a library score [2] for each application library.

  1. Application scoring guide
  2. Library scoring guide

For more details on how the score can be customized for your organization, please see our main documentation site.
