Contact your Customer Success Manager for early access to this feature.
Once vulnerabilities are detected, teams need to find a way to prioritize them. The burning questions that arise then are:
What must be fixed first?
How can software development organizations determine which security vulnerabilities pose the greatest risk, and which ones demand their immediate attention?
How can development and security teams make sure they are not wasting valuable time fixing security issues that are not their biggest threat?
WhiteSource provides a solution with its new Priority Scoring reports. This is explained in this topic.
WhiteSource’s Priority Score algorithm processes a range of data points (factors) to generate a score between 0 and 100. The scoring algorithm takes into account factors related to business impact per product and project, that are set by the user, and to entities within the system per library or vulnerability.
These are just some of the threat parameters that the algorithm takes into consideration:
CVSS Score (Vulnerability Severity)
Availability of fix
Getting Started with Business Impact Prioritization
Business Impact Factors
The business impact factors are Personally Identifiable Information (PII), Finance Data, Public-Facing, Regulatory Impact, and Bottleneck Dev Team.
Personally Identifiable Information (PII)
Personally Identifiable Information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for deanonymizing previously anonymous data can be considered PII. Applications or products containing this type of information create a higher risk factor when they are exploited, hence a higher business impact.
Security risks to the financial systems have grown in recent years. Vulnerabilities or malicious packages targeting financial institutions are becoming more frequent, sophisticated, and destructive. When a specific application has financial data, it is considered a higher priority to handle.
Bottleneck Dev Team
Eventually, the developers have to remediate security issues. Whether if it’s an upgrade of the open-source version, a change in the configuration, or different mitigation. But, security is sometimes not the top priority for those teams. If a specific team becomes a bottleneck for security, as there are not enough resources to fix vulnerabilities, it may affect the priority score. We may decide to postpone fixing some low severity vulnerabilities for later and deal first with other software development teams.
public-facing applications are programs or systems that are not only accessible from within the internal network but are also accessible from the internet. These applications are responsible for either providing services to the public or allowing access into the internal network. By nature, these applications or products would get a higher prioritization score, as the impact of an exploit is a lot riskier.
Some products, that are at risk of being exploited, can lead to regulatory damage. In terms of prioritization, these products will get a higher business impact score.
In order to set business impact factors for a product, navigate to the relevant product and click Settings. Click Edit business impact and use the toggles to add an impact factor. You can edit the business impact and remove factors from a product at any time.
Project-level Business Impact
When setting a factor for a specific product, the projects under it will automatically inherit these factors. These can be overridden by navigating to the project settings and editing the business impact. Factors inherited from the product-level will have an indication in the tag key. These factors can only be overridden, and cannot be removed.
Priority Scoring for an Organization
At the organizational level, it is required to prioritize different products. From the reports menu, click Product Priority Scoring. The default scope is Organizational; however, you may selectan individual product using the dropdown menu at the top of the report.
The report provides the following information about each product:
Product Name - The standard name of the product
Priority Score - The total score based on the different business impact factors
Business Impact Parameters - The different parameters affecting the score
When clicking the View in report link, the Library Priority Scoring report will be displayed with the context of the specific library.
When drilling down to a specific product, the next step is to prioritize the different libraries that need to be remediated.
The report contains a heatmap (bubble chart) and a prioritization table.
The heatmap is a graphical representation of the prioritization data. Its goal is to provide a high-level view of the libraries that require attention and the overall status of the product.
By default, the x-axis represents the threat, the y-axis represents the impact. The size of the bubble represents the overall score. This can be easily modified using the dropdown menu at the top right side of the screen.
When hovering over the circles, the following information will be displayed:
The prioritization table in the report provides the following information about each library:
Library - The standard name of the library
Threat - The library’s threat score, based on the different factors
Project - The parameters affecting the score
Impact - The score based on the different business impact factors
Project Business Impact - The parameters affecting the impact score
Overall Score - The total score, based on the impact and threat.
Use the toggle within the UI to disable certain factors from the calculation. Note that once a specific factor is disabled, the entire report will be re-generated.
Modifying Factor Weights
Navigate to the Business Impact Settings page located in the organization admin section, where you can configure each business impact factor with a different weight than the default.
The options are High, Medium and Low. After modifying the weights, the scores in the report will be updated with the new ones according to the weights you set.
Adding Custom Business Impact
From the Business Impact Settings page located in the organization admin section, you can add your own business impact factors by clicking Add Custom Business Impact - the default weight of all custom factors is Medium. Only custom business impact factors can be removed.