Understanding the Rating Methodologies

Rating is a measurement of how much of a risk a certain vulnerability poses to the user’s business.

NTT Application Security strongly recommends that users utilize the Advanced Rating Methodology. This rating methodology allows sites and applications to be evaluated using the same standards. Reports based on the Advanced Rating Methodology use the same rating scale for both sites and applications. In addition, the Advanced Rating Methodology allows users to set priorities for their sites, which enables efficient prioritization and remediation of vulnerabilities according to business needs.

The Advanced Rating Methodology

In the Advanced Rating Methodology, sites and applications are evaluated in the same way, where the rating is based on Risk.

Risk

Risk includes the following factors:

  • Likelihood: How likely is it that a vulnerability will be exploited? This may be based on how widespread the knowledge of the vulnerability is, how easy it is to exploit, etc.

  • Impact: How much damage may be done to the user’s business if a vulnerability is exploited, as determined by the Threat Research Center.

  • Priority: (Sites only) How important this asset is to the user’s business. Setting a priority for a site is not required; however, if no priority is set, priority will not be considered in the Risk calculations.

Risk is measured by combining the likelihood with the net impact, where the net impact is derived from the impact of the vulnerability and the priority of the asset with which it is associated.

Net Impact      Low Likelihood   Medium Likelihood   High Likelihood
Low Impact      Note             Low Risk            Medium Risk
Medium Impact   Low Risk         Medium Risk         High Risk
High Impact     Medium Risk      High Risk           Critical Risk

In the Advanced Rating Methodology, all vulnerabilities are rated according to the Risk associated with the vulnerability for that asset. This is reflected in the Findings page, Dashboard, and in generated Reports.

The Legacy Rating Methodology

In the Legacy Rating Methodology, sites and applications are evaluated differently:

  • Sites are rated according to Severity.

  • Applications are rated according to Risk.

The Legacy Rating Methodology does not incorporate the site priority in its ratings.

Severity reflects the amount of damage that could be done to the user’s business if a particular vulnerability is exploited. Severity is described as informational, low, medium, high, critical, or urgent. An informational vulnerability reflects a situation where best practices may not be followed, but no actual vulnerability is currently present. In the Legacy Rating Methodology, vulnerabilities found on sites are rated according to the severity of the vulnerability. This is reflected in the Findings page, Dashboard, and in generated Reports.

In the Legacy Rating Methodology, the Rating shown in Reports and Dashboard is based on severity alone. When viewing a particular vulnerability on the Vulnerability Details page, the details are displayed under Score. The Score is the combination of severity and threat.

Threat levels are rated zero to five:

Threat Levels

Rating   Threat Level    Description
5        Urgent          This is an easily exploited vulnerability; immediate remediation is recommended.
4        Critical        This is a commonly exploited vulnerability; priority remediation is recommended.
3        High            This is a regularly exploited vulnerability; priority remediation is recommended.
2        Medium          This is a moderately difficult vulnerability to exploit. Remediation is recommended.
1        Low             This is a difficult vulnerability to exploit. Remediation is recommended as possible.
0        Informational   This is an informational finding with negligible risk. Remediation is recommended as best practice.

To change your rating methodology, see Changing Your Rating Methodology.