WhiteHat Security Index (WSI) Report

This table describes each sites' security index, recommended actions and security index trend.

The following individual site report shown below gives details for each site. The site-specific pages will show you:

Service Duration reflects the length of time that a site has been under contract as of the date of evaluation. Service Duration is important: the longer we have had the slot under contract the more detail we have collected about it, and the more effective testing is. Service Duration for a slot is compared to the Service Duration across all slots and clients at the same service level (BE, SE, PE, etc.).

Vulnerability History consists of the number of vulnerabilities that are open compared to the number that have been closed as of the date of the evaluation. By including closed vulnerabilities as mitigating factors in this metric, we reward people who are closing vulnerabilities reliably. Closing vulnerabilities is a better indication of security than not having discovered vulnerabilities in the first place because it demonstrates an active security stance that involves seeking out and remediating vulnerabilities.

The longer a vulnerability is open, the more negatively it will affect the WSI; the more promptly a vulnerability is closed, the greater the reward is for closing it. Additionally, vulnerabilities are weighted based on how common they are and the threat and severity associated with the vulnerability.

Slots that need authentication and do not have properly configured login handlers are evaluated as being less secure because sections of that site are not being scanned. If the client has not indicated that login handlers are unnecessary, and the service level for the slot is PE or SE, it is assumed that login handlers are required. (BE slots are presumed not to need login handlers unless they are configured to require one.) The Missing Authentication measure assumes the worst, it defaults to the assumption that the site has a large number of open vulns, because there is no way for Synopsys to confirm that they do not.

Scan frequency looks at the number of scans completed each week. The more regularly a site is scanned, the more likely vulnerabilities are to be detected before they can be exploited. When scans are performed frequently, even minor changes are reviewed in a timely way. Scan frequency also evaluates whether there are sufficient resources allocated to scanning to allow scans to complete reliably.

PCI compliance is a measure of the historical PCI compliance for a given slot as of the date of evaluation. PCI compliance is largely based on vulnerability category; however, it is also affected by threat and severity values. The service level for a site may limit the nature and type of vulnerabilities that can be detected on a site; a PE site that is non-compliant might be evaluated as being 'compliant' if it were evaluated at the BE service level. Therefore, values for slots with lower service levels will be adjusted to account for the vulnerabilities that may not be discovered at this level.

Window of Exposure is a measure of the number of days out of the last 30 days that the site was exposed to a particular vulnerability. Again, a weighting factor is used to adjust for the inconsistencies that may result from differing service levels, and the Window of Exposure is tracked over 180 days not just the number of days out of 30 count in order to monitor a pattern of behavior, rather than only the events of the past month.

Larger and more complicated sites have a larger surface vulnerable to attack and are therefore intrinsically less secure; Site Complexity uses the number of form elements and the number of POST/PUT requests on the site as a rough measure of the attack surface. The size of the site can be estimated based on the number of GET requests made during scanning.

Clients can disable the scanning for Predictable Resource Location vulnerabilities; therefore, the index corrects for this by including the effect that could be associated with those vulnerabilities. That is, since scanning for the vulnerability is disabled, the index treats the site as if it were in fact untrustworthy, estimating the number of predictable resource location vulnerabilities to be high.

The WSI can be used to monitor the security status of assets. Specifically, you can use the WSI to:

Your WSI report recommends a set of actions that site owners can take to improve asset security. This includes an ordered list of top vulnerabilities that need to be fixed to improve the score, along with configuration-related recommendations such as increasing scan frequency, providing a scan schedule, or providing missing credentials.

There are a few prerequisites for the WSI score to be available.