When the Uleska platform runs security testing, it will apply a default level of risk based on CVSS values coming back from security tools run as part of the toolkit.
The Uleska platform can enhance risk analysis of issues by combining vulnerabilities returned by security tools, and incorporating security risk information provided within Uleska.
To configure overall risk information:
This information is specific to the FAIR Institute model of running cyber Value At Risk (VAR). More details can be found in their documentation, or contact Uleska and we will be able to help you in setting this up.
These elements help define what kind of risk configurations and inputs are used to determine the overall risk of each individual vulnerability found.
You can edit:
Loss Event Frequency Modifiers: change the definition of how likely an issue is to occur into a numerical value, so that risk calculation can take place.
Refer to your organisation’s risk teams for more information of the configuration, or the FAIR institute documentation.
When you click Save, the risk calculations will be used for any subsequent test.
If you have modified the values and want them applied retrospectively, click Save & Recalculate. This goes back through historical tests and vulnerabilities and recalculates their risk based on the new values you have provided. It will take a few minutes to take effect.
For specific risk information, click the Edit on your Application.
On the right, there are configurations that let the cyber Value At Risk calculation better understand the context of the Application.
You can specify:
If you’re not sure what values to use, there are many defaults you can apply based on your estimations, which will help the risk calculations provide a more specific result.
For more specific information, click Edit for the Version you would like to view, then select the Web Pages tab.
You can specify the types of assets that will be used.
Affected Assets:
Path:
You can assign a Path to a particular part of the system through a URL or a code file. Alternatively, you can enter Wildcard, which covers all parts of the Application, while you manually specify the Affected Assets.
This makes it easier for the system’s risk analysis to understand the context of the data handled by this part of the code.
When you enter more specific files or areas of the code as the Path, the data sensitivity of the Affected Assets is applied to any issue returned by a tool whose location matches those Paths.
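The following is an added example, not Uleska's own code, that shows in working form how the two mechanisms described on this page fit together: the risk calculation (tool CVSS value, Loss Event Frequency Modifiers, Save & Recalculate over historical findings) and the Version-level Paths that attach Affected Assets and their data sensitivity to findings. It uses the FAIR relation that risk, as an annualised loss, is Loss Event Frequency multiplied by Loss Magnitude. Everything else is an assumption made for illustration: the mapping from CVSS score to a baseline frequency, the modifiers being plain multipliers, the Wildcard path being written as `*`, a specific Path taking precedence over the Wildcard, and all asset values and findings, which are constructed sample data.

```python
"""FAIR-style cyber Value at Risk for findings returned by security tools.

Added illustration, not Uleska's implementation. Assumptions are marked below.
"""
from dataclasses import dataclass
from typing import Dict, List

WILDCARD = "*"  # assumption: how the Wildcard path is written


@dataclass
class Asset:
    name: str
    loss_per_event: float  # data-sensitivity expressed as estimated loss per event (constructed)


@dataclass
class PathRule:
    path: str  # URL or code file, or WILDCARD for every part of the Application
    assets: List[Asset]


@dataclass
class Finding:
    tool: str
    location: str  # URL or code file reported by the tool
    cvss: float


@dataclass
class RiskConfig:
    lef_modifiers: Dict[str, float]  # assumption: Loss Event Frequency Modifiers as multipliers
    default_loss_per_event: float  # used when no Path matches a finding


def baseline_lef(cvss: float) -> float:
    """Assumed mapping from CVSS base score to expected loss events per year."""
    if cvss >= 9.0:
        return 1.0
    if cvss >= 7.0:
        return 0.5
    if cvss >= 4.0:
        return 0.2
    return 0.05


def loss_event_frequency(cvss: float, modifiers: Dict[str, float]) -> float:
    """Baseline frequency from the tool's CVSS value, scaled by each configured modifier."""
    lef = baseline_lef(cvss)
    for multiplier in modifiers.values():
        lef *= multiplier
    return lef


def matching_assets(location: str, rules: List[PathRule]) -> List[Asset]:
    """Assets whose Path covers the finding's location.

    A specific Path matches the exact file/URL or anything beneath it. Assumption:
    when a specific Path matches, it wins over the Wildcard; otherwise the Wildcard
    rules (if any) apply to every part of the Application.
    """
    specific = [
        r for r in rules
        if r.path != WILDCARD
        and (location == r.path or location.startswith(r.path.rstrip("/") + "/"))
    ]
    if specific:
        return [a for r in specific for a in r.assets]
    return [a for r in rules if r.path == WILDCARD for a in r.assets]


def loss_magnitude(location: str, rules: List[PathRule], default: float) -> float:
    """Loss Magnitude is driven by the most sensitive matching asset."""
    assets = matching_assets(location, rules)
    return max(a.loss_per_event for a in assets) if assets else default


def value_at_risk(finding: Finding, config: RiskConfig, rules: List[PathRule]) -> float:
    """FAIR: risk (annualised loss) = Loss Event Frequency x Loss Magnitude."""
    lef = loss_event_frequency(finding.cvss, config.lef_modifiers)
    lm = loss_magnitude(finding.location, rules, config.default_loss_per_event)
    return lef * lm


def recalculate(findings: List[Finding], config: RiskConfig, rules: List[PathRule]) -> Dict[str, float]:
    """What Save & Recalculate does conceptually: rescore every historical finding."""
    return {f.location: value_at_risk(f, config, rules) for f in findings}


# Constructed sample data for one Application Version.
SAMPLE_RULES = [
    PathRule("/api/payments", [Asset("cardholder data", 500_000.0)]),
    PathRule(WILDCARD, [Asset("public web content", 1_000.0)]),
]
SAMPLE_CONFIG = RiskConfig(
    lef_modifiers={"internet_facing": 2.0, "mitigating_controls": 0.5},
    default_loss_per_event=2_500.0,
)
SAMPLE_FINDINGS = [
    Finding("dast-scanner", "/api/payments/charge", 9.8),   # hits the specific Path
    Finding("dast-scanner", "/static/css/main.css", 5.3),  # only the Wildcard applies
]

if __name__ == "__main__":
    for location, risk in recalculate(SAMPLE_FINDINGS, SAMPLE_CONFIG, SAMPLE_RULES).items():
        print(f"{location}: {risk:,.0f} per year")
```

With the sample configuration the payments finding carries the full cardholder-data loss magnitude, while the static-asset finding inherits only the Wildcard's low value, which is exactly the distinction the Path configuration is meant to give the risk analysis. Changing a modifier and calling `recalculate` again reproduces the effect of Save & Recalculate on existing results.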