Changing the severity of an issue by modifying its CVSS score

Changing issue severity is done issue by issue, so that you assess each vulnerability against your own business risk rather than against the scanner's generic rating. During issue triage, you can change the severity of an issue by filling in its CVSS Base metrics and switching its Severity Value to Use CVSS, so that the severity is derived from the CVSS score instead of the precalculated value. Adjusting the severity helps you convey an issue's criticality to development and management so that the most critical vulnerabilities are fixed first.

About this task

This example demonstrates how to override the severity of an issue.

Video (YouTube): Working with CVSS in AppScan Enterprise: the Security Champion's perspective

Procedure

  1. In an application, click the Issue ID of the issue.

    Screen capture: the issue list of an application.
  2. Click Edit Attributes in the About this Issue dialog.
  3. If the Base metrics (Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact) display as unknown (blank), select a value for each of them.
    In this screen capture, the CVSS Base metrics are unknown, there is no CVSS score, and the issue severity is High.
    Screen capture: the About this Issue dialog for an issue.
  4. Change the Severity Value to Use CVSS.
    Note: If you change only the Severity Value and leave the Base metrics unknown, the issue is categorized in the issue list as Undetermined: the severity formula cannot calculate a severity because the Base metrics it needs are missing.
    In this screen capture, we enabled the Severity Value column in the issue list so that the manual override is visible.
    Screen capture: the updated issue list of an application.

Results

Here's how we triaged the highlighted issues in this next screen capture:
  • Issue #5: We modified the CVSS Base metrics but left the Severity Value at its original High categorization. The calculated CVSS score is now 5.3, and the High categorization remains unchanged because a manually set Severity Value takes precedence over the score.
  • Issue #7: We modified the CVSS Base metrics and changed the Severity Value to Use CVSS. The calculated CVSS score is 6.4, and now the severity categorization is Medium.
  • Issue #3: We did not modify the CVSS Base metrics, but changed the Severity Value to Use CVSS. Because the Base metrics are unknown, there is not enough information to calculate the CVSS score, and so the severity categorization is Undetermined.

Screen capture: samples of issue severity triaging.