Changing the severity of an issue by modifying its CVSS score
Changing issue severity is done on an issue-by-issue basis so that you can analyze each vulnerability as it relates to your business risk. During issue triage, you can change the severity of an issue by manually overriding the precalculated CVSS score with the Severity Value, so that you can prioritize its severity relative to other issues. Modifying the severity helps you convey an issue's criticality to development and management so that the more critical vulnerabilities are fixed first.
About this task
See: Working with CVSS in AppScan Enterprise: the Security Champion's perspective
Procedure
- In an application, click the Issue ID of the issue.
- Click Edit Attributes in the About this Issue dialog.
- If the Base metrics (Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact, Availability Impact) display as unknown (blank), select a value for each of them.
In this screen capture, the CVSS Base metrics are unknown, there is no CVSS score, and the issue severity is High.
- Change the Severity Value to Use CVSS. Note: If you only change the Severity Value but you don't change the Base metrics, the issue is categorized in the issue list as Undetermined, which means that the severity formula cannot accurately calculate the severity because information that it uses in its calculation is missing.
In this screen capture, we enabled the display of the Severity Value column so that we can see that the severity is manually overridden.
Results
Here's how we triaged the highlighted issues in this next screen capture:
- Issue #5: We modified the CVSS Base metrics but did not change the Severity Value from its original High categorization. The calculated CVSS score is now 5.3 and the High severity categorization remains unchanged.
- Issue #7: We modified the CVSS Base metrics and changed the Severity Value to Use CVSS. The calculated CVSS score is 6.4, and now the severity categorization is Medium.
- Issue #3: We did not modify the CVSS Base metrics, but changed the Severity Value to Use CVSS. Because the Base metrics are unknown, there is not enough information to calculate the CVSS score, and so the severity categorization is Undetermined.
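The scoring and triage rules described above, as an added worked example (not AppScan's own code): it implements the public CVSS v2 base equation for the six Base metrics the page lists and models the three Results cases (manual Severity Value kept, Use CVSS with known metrics, Use CVSS with unknown metrics). The Low/Medium/High bands are NVD's CVSS v2 bands, assumed here because the page does not state AppScan's thresholds; the metric values are constructed and do not reproduce the screen capture's 5.3 score.

```python
"""Worked example: CVSS v2 base scoring and the "Use CVSS" severity rule."""
from typing import Optional, Tuple

# CVSS v2 base-metric weights, taken from the public CVSS v2 specification.
ACCESS_VECTOR = {"local": 0.395, "adjacent": 0.646, "network": 1.0}
ACCESS_COMPLEXITY = {"high": 0.35, "medium": 0.61, "low": 0.71}
AUTHENTICATION = {"multiple": 0.45, "single": 0.56, "none": 0.704}
IMPACT = {"none": 0.0, "partial": 0.275, "complete": 0.660}


def cvss2_base_score(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """CVSS v2 base score for the six Base metrics (rounded to one decimal)."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176  # no impact at all -> score 0
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def severity_band(score: float) -> str:
    """Assumed NVD v2 bands: Low 0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def triage_severity(base_metrics: Optional[dict], severity_value: str) -> Tuple[Optional[float], str]:
    """Return (CVSS score or None, severity label) following the page's rules.

    base_metrics: dict of the six metrics, or None / containing None values
    when they display as unknown (blank). severity_value: "Use CVSS" or a
    manually chosen label such as "High".
    """
    unknown = base_metrics is None or any(v is None for v in base_metrics.values())
    score = None if unknown else cvss2_base_score(**base_metrics)
    if severity_value == "Use CVSS":
        # Severity formula needs all Base metrics; otherwise it is Undetermined.
        return (None, "Undetermined") if score is None else (score, severity_band(score))
    # A manual Severity Value overrides whatever the CVSS score says.
    return score, severity_value


# Constructed metrics for the three Results cases (not the screen capture's values).
KNOWN = dict(av="network", ac="low", au="none", c="partial", i="partial", a="none")
UNKNOWN = dict(av=None, ac=None, au=None, c=None, i=None, a=None)
ISSUE_5 = triage_severity(KNOWN, "High")        # metrics set, manual High kept
ISSUE_7 = triage_severity(KNOWN, "Use CVSS")    # metrics set, score decides
ISSUE_3 = triage_severity(UNKNOWN, "Use CVSS")  # metrics unknown -> Undetermined
```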