Customizing Your Risk Ratings

Sentinel now allows you to customize the vulnerability ratings for specific vulnerability classes on specific sites.

About Customizing Ratings

Rating customization is based on customer-defined policies. Each policy is a set of rules specifying how vulnerabilities of particular classes should be rated. When a policy is applied to a particular site, vulnerabilities found on that site will be rated based on the custom policy. Policies are the key to custom ratings.

Risk ratings can also be individually customized for specific vulnerabilities based on the Vuln ID. If a specific vulnerability is given a customized rating, that rating will override any risk rating policy that might otherwise apply. If the individual customization is removed, the policy will not be automatically re-applied to the vulnerability; if you re-save the policy, however, and it is set for the vulnerability class and asset involved, then the policy will be re-applied to that specific vulnerability.

To set your ratings by Policy, please see "Risk Policy."

To set a rating for a specific individual Vulnerability, please see "Customizing or Accepting Risk."

Policies

Policies can be created, assigned, edited, unassigned, and deleted very flexibly:

  • Create a Policy — create a set of rules governing how specific vulnerability classes should be rated.

  • Assign a Policy — until a particular policy is assigned to an asset, it has no effect on vulnerability ratings.

  • Update a Policy — if your desired standards change, you can edit a policy to update it, and those updates will apply for all assets that are governed under that policy, currently or in the future.

  • Unassign a Policy — you can remove the association to a particular policy from an asset. When an asset is no longer associated with a policy, it will return to the default WhiteHat ratings.

  • Delete a Policy — Policies can be deleted; however, no policy can be deleted while it is still actively associated with an asset. First unassign the policy; only then can it be deleted.
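
The precedence and lifecycle rules above (an individual customization beats a policy, a policy beats the default, updates reach every governed site, a removed customization does not re-apply the policy until it is re-saved, and an assigned policy cannot be deleted) can be checked with a small model. This is an added example, not WhiteHat or Sentinel code; the RatingEngine class, the sites, vuln IDs and rating values are constructed.

```python
# Added model of this page's rating-precedence rules (constructed example, not
# WhiteHat/Sentinel code); classes, sites and ratings used with it are made up.
class RatingEngine:
    def __init__(self, defaults):
        self.defaults = dict(defaults)  # vuln class -> default WhiteHat rating
        self.policies, self.assignments = {}, {}  # name->rules, site->policy name
        self.vulns, self.effective = {}, {}  # id->(site, class), id->(rating, source)

    def _policy_or_default(self, vid):
        site, vclass = self.vulns[vid]
        rules = self.policies.get(self.assignments.get(site), {})
        if vclass in rules:
            return rules[vclass], "policy:" + self.assignments[site]
        return self.defaults[vclass], "default"

    def _reapply(self, site):
        # Individual customizations always win; everything else follows the policy.
        for vid, (s, _) in self.vulns.items():
            if s == site and self.effective[vid][1] != "individual":
                self.effective[vid] = self._policy_or_default(vid)

    def add_vuln(self, vid, site, vclass):
        self.vulns[vid] = (site, vclass)
        self.effective[vid] = self._policy_or_default(vid)

    def save_policy(self, name, rules):
        # Create or update; an update reaches every site governed by the policy.
        self.policies[name] = dict(rules)
        for site in [s for s, p in self.assignments.items() if p == name]:
            self._reapply(site)

    def assign(self, site, name=None):
        # name=None unassigns; the site then returns to the default ratings.
        self.assignments[site] = name
        self._reapply(site)

    def delete_policy(self, name):
        if name in self.assignments.values():
            raise ValueError("unassign the policy from every asset first")
        del self.policies[name]

    def customize(self, vid, rating):
        self.effective[vid] = (rating, "individual")

    def remove_customization(self, vid):
        # Assumption: the vuln falls back to the default rating; the policy is
        # not re-applied until it is re-saved (save_policy), as the page states.
        self.effective[vid] = (self.defaults[self.vulns[vid][1]], "default")
```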

The vulnerability detail page will show you the policy name, who assigned the policy, and the date the policy was assigned.

In addition to managing policies in the WhiteHat Portal UI (under Admin/Risk Management), policies can be managed via the command line (see https://github.com/whitehatsec/whscmd for documentation) or via the API (see https://apidocs.whitehatsec.com/whitehat#Vuln-Custom-Policy-API).

Policy Change Alerts

Whenever a policy is created, assigned (attached), updated (edited), unassigned (detached), or deleted, an alert will be created in the Alerts tab of the Summary page showing the date, action (alert type), who made the change, and what asset is affected.

Please Note

  • The ratings policy feature is available only to customers using the Advanced Rating Method.

  • Only a Client Administrator can create, edit, delete, assign, or unassign policies.

  • Once a policy is assigned to a site, it will change the ratings for all vulnerabilities of that class on that site. If a policy sets the rating of the Directory Traversal vulnerability class to Critical, and the policy is assigned to Site A, then all Directory Traversal vulnerabilities found on Site A will be rated as Critical.

  • Customized ratings will display a customization symbol (a set of sliders) next to the rating value on the findings page. Click on the blue (linked) customization symbol to see a popup that specifies whether the customization is based on a policy or is an individual customization for that specific vulnerability, the nature of the change, and the user who applied the policy or made the change.