Customizing Values by Policies

WhiteHat Portal Administrator accounts can add or edit a risk management policy, and customize or accept the business risk ratings of vulnerability classes for one or more assets. (Accepted risks will be shown as accepted and display the default WhiteHat risk rating.)

Creating a Risk Management Policy

To create a Risk Management Policy, perform the following steps:

  1. From the main WhiteHat Portal menu, click Admin.

  2. Select the Risk Management tab.

  3. Click Create Policy.

  4. Type a Policy Name in the text field provided.

  5. Optionally, type a Description in the text field provided.

  6. Select the Asset Type from:

    • Sites & APIs

    • Applications

    • Mobile Applications

  7. Optionally, type a Reason in the text field provided.

  8. Click Next.

  9. To search for a Vulnerability Class, type in the search bar.

  10. Click the Risk Rating to set a custom rating.

  11. Select the Custom Risk Rating for the vulnerability class.

  12. Click the CVSS Score to set a custom rating.

  13. Select the ratings for the Custom CVSS Score.

  14. Optionally, click the Accept Risk checkbox to accept the overall vulnerability class as a business risk.

    Accepting Risk is not recommended for general vulnerability classes as this includes all vulnerability subclasses.
  15. Click Next.

  16. Select All Groups to display all assets, or select an existing asset group.

  17. From the Available table, select the assets that you want to include in the policy. To locate specific assets, use the Search bar at the top of the Available or Selected columns. You can also click Select All to select all available assets.

  18. Click Save to assign the assets and create the policy.

The customized ratings are used for the assigned assets for reports and for display in the WhiteHat Portal. However, the WhiteHat Security Index and the PCI 3.2 Compliance Reports use the default WhiteHat values for the vulnerabilities.

Editing a Risk Management Policy

To edit a Risk Management Policy, perform the following steps:

  1. From the main WhiteHat Portal menu, click Admin.

  2. Select the Risk Management tab.

  3. Select the Policy Name.

  4. Click Edit Policy.

  5. Edit the Risk Management Policy. You can edit the Policy Name, Description, the Vulnerability Customizations, or the Assigned Assets.

  6. Click Save and Exit to finish editing.

Deleting a Risk Management Policy

To delete a Risk Management Policy, all associated assets must be removed. To remove associated assets, perform the following steps:

  1. From the main WhiteHat Portal menu, click Admin.

  2. Select the Risk Management tab.

  3. Select the Policy Name.

  4. Click Edit Policy.

  5. Click Next.

  6. Click Next.

  7. Click Select All.

  8. Click the left-facing arrow to move the Assets from the Selected table to the Available table.

  9. Click Save and Exit.

  10. Click the checkbox beside the Policy Name.

  11. Click the Bulk Actions icon.

  12. Select Delete Policy.

  13. Click Confirm to delete the custom policy.
