When our pentesters find vulnerabilities, they also identify severity levels. This helps you understand the associated risk to the business.
The OWASP Risk Rating Methodology specifies High, Medium, and Low levels. We’ve added Critical and Informational levels to help you prioritize our findings.
We follow the standard risk model described by OWASP, where:
Risk = Likelihood * Impact
In this case, the risk rating is based on the following factors:
Likelihood: Specifies the probability of exploiting the finding. May include factors such as:
- Skill required for an attacker to exploit a vulnerability
- Availability of documented exploits
- Ease of exploiting the vulnerability
Impact: Depends on the effect on technical and business operations. May include:
- Loss of confidentiality
- Problems with data integrity
- Reduced availability of data or systems
- Potential losses of money or reputation
When our pentesters find vulnerabilities, they use the standard OWASP risk model and then classify them into one of the following levels:
|Critical||25||Includes vulnerabilities that require immediate attention.|
|High||16-24||Impacts the security of your application/platform/hardware, including supported systems. Includes high probability vulnerabilities with a high business impact.|
|Medium||5-15||Includes vulnerabilities that are: medium risk, medium impact; low risk, high impact; high risk, low impact.|
|Low||2-4||Specifies common vulnerabilities with minimal impact.|
|Informational||1||Notes vulnerabilities of minimal risk to your business.|
Once our pentesters assign a severity level, we move the finding to Pending Fix, as described in our Finding States.
Aggregated Risk is the sum of the risks of individual findings discovered in a pentest.
You can view the Aggregated Risk for an asset on the Assets and Insights pages. For details, point to the tooltip on a specific page.