Understanding the Rating Methodologies
Rating is a measurement of how much of a risk a certain vulnerability poses to the user’s business.
Synopsys strongly recommends that users utilize the Advanced Rating Methodology. This rating methodology allows sites and applications to be evaluated using the same standards. Reports based on the Advanced Rating Methodology use the same rating scale for both sites and applications. In addition, the Advanced Rating Methodology allows users to set priorities for their sites, which enables efficient prioritization and remediation of vulnerabilities according to business needs. |
The Advanced Rating Methodology
In the Advanced Rating Methodology, sites and applications are evaluated in the same way, where the rating is based on Risk.
Risk
Risk includes the following factors:
-
Likelihood: How likely is it that a vulnerability will be exploited? This may be based on how widespread the knowledge of the vulnerability is, how easy it is to exploit, etc.
-
Impact: How much damage may be done to the user’s business if a vulnerability is exploited, as determined by the Threat Research Center.
-
Priority: (Sites only) How important this asset is to the user’s business. Setting a priority for a site is not required however, if no priority is set, priority will not be considered in the Risk calculations.
Likelihood is measured on a scale of 0-9.
Skills Required |
Level of Reward |
Source of Threat |
Required Access/Resources |
|
0 (Low) |
Penetration skills |
None |
Internal developers |
Full access or expensive resources |
1 (Low) |
Penetration skills |
Low |
Internal admins |
Special access |
2 (Low) |
Programming skills |
Possible reward |
Internal admins |
Special access |
3 (Medium) |
Programming skills |
Possible reward |
Intranet users |
Special access or resources |
4 (Medium) |
Advanced computer skills |
Possible reward |
Intranet users |
Special access or resources |
5 (Medium) |
Computer skills |
Possible high reward |
Partners |
Some access |
6 (High) |
Technical skills |
Possible high reward |
Authenticated users |
Some access |
7 (High) |
Technical skills |
Possible high reward |
Anonymous internet users |
Some access or resources |
8 (High) |
Technical skills |
Possible high reward |
Anonymous internet users |
No access required |
9 (High) |
None |
High |
Anonymous internet users |
No access or resources |
Impact is measured on a scale of 0-9.
Data Disclosure |
Data Corruption |
Services Interrupted |
|
0 (Low) |
None |
None |
None |
1 (Low) |
None |
Minimal slightly corrupt data |
Minimal secondary services |
2 (Low) |
Minimal/Non-sensitive |
Minimal slightly corrupt data |
Minimal secondary services |
3 (Medium) |
Minimal/Non-sensitive |
Minimal seriously corrupt data |
Minimal secondary services |
4 (Medium) |
Minimal/Non-sensitive |
Minimal seriously corrupt data |
Minimal secondary services |
5 (Medium) |
Minimal/Non-sensitive |
Extensive slightly corrupt data |
Minimal primary services |
6 (High) |
Minimal sensitive data |
Extensive slightly corrupt data |
Minimal primary services |
7 (High) |
Extensive sensitive data |
Extensive seriously corrupt data |
Extensive secondary services |
8 (High) |
Extensive sensitive data |
Extensive seriously corrupt data |
Extensive primary services |
9 (High) |
All data |
All data |
All services |
Risk is measured by the combination of the likelihood and the net impact, which is the impact after taking site priority into consideration.
Likelihood |
|||
---|---|---|---|
Net Impact |
Low Likelihood |
Medium Likelihood |
High Likelihood |
Low Impact |
Risk: Note |
Low Risk |
Medium Risk |
Medium Impact |
Low Risk |
Medium Risk |
High Risk |
High Impact |
Medium Risk |
High Risk |
Critical Risk |
In the Advanced Rating Methodology, all vulnerabilities are rated according to the Risk associated with the vulnerability for that asset. This is reflected in the Findings page, Dashboard, and in generated Reports.
The Legacy Rating Methodology
In the Legacy Rating Methodology, sites and applications are evaluated differently:
-
Sites are rated according to Severity.
-
Applications are rated according to Risk.
The Legacy Rating Methodology does not incorporate the site priority in its ratings. |
Severity reflects the amount of damage that could be done to the user’s business if a particular vulnerability is exploited. Severity is described as informational, low, medium, high, critical, or urgent. An informational vulnerability reflects a situation where best practices may not be followed, but no actual vulnerability is currently present. In the Legacy Rating Methodology, vulnerabilities found on sites are rated according to the severity of the vulnerability. This is reflected in the Findings page, Dashboard, and in generated Reports.
In the Legacy Rating Methodology, the Rating shown in Reports and Dashboard is based on severity alone. If viewing a particular vulnerability on the Vulnerability Details page, the details displayed under Score. The Score is the combination of severity and threat. |
Threat levels are rated zero to five:
Threat Levels | ||
---|---|---|
Rating |
Threat Level |
Description |
5 |
Urgent |
This is an easily exploited vulnerability, immediate remediation is recommended. |
4 |
Critical |
This is a commonly exploited vulnerability, priority remediation is recommended. |
3 |
High |
This is a regularly exploited vulnerability, priority remediation is recommended. |
2 |
Medium |
This is a moderately difficult vulnerability to exploit. Remediation is recommended. |
1 |
Low |
This is a difficult vulnerability to exploit. Remediation is recommended as possible. |
0 |
Informational |
This is an informational finding with negligible risk. Remediation is recommended as best practice. |
To change your rating methodology, see Changing Your Rating Methodology.