As you add more projects and run more testing, Uleska acts as a centralized repository of this information across your teams and security tools. Through the act of coordinating your security automation, and applying risk and issue categorization, Uleska is implicitly able to track security data, including:
For an overview of Uleska Security Metrics, check out the following video:
These metrics are automatically collected as security testing is orchestrated and aggregated through Uleska, across your projects. Uleska records a marker of metrics every Sunday night for historical tracking purposes. You can view these charts and metrics in the default charts included in the Uleska user interface.
Note that the default charts and graphs represent a core set of useful information for many users, and that this information, and more, is also available through the Uleska API. You can use this API to extract lots of statistics from Uleska and build your own dashboards or charts.
Currently, the charts and metrics can be viewed by the Customer Administration role and the Executive role. The Application Manager role doesn't currently have access to the Analytics and Financials tabs.
Under the Analytics tab you will find pre-built analytics charts for your organization.
The span of projects represented by this Analytics chart depends on the range of applications the current user can view, i.e. the Team the current user is in. If the current user has visibility of all projects, then all will be represented in this chart. If the current user instead has visibility of a sub-team, then this chart will only show aggregated data on the projects in that sub-team. See ***Teams*** for more details on the Uleska team structures.
The first chart shown is the overall risk level for vulnerabilities across your teams and applications.
This bar chart lets you measure your current risk against previous weeks, showing trends in the risk for the last 11 weeks. At the top you will be shown the current risk level ($742,000 in this example) along with the risk value increase or decrease over the last 4 weeks.
This risk information is automatically taken from the weekly snapshots of risk recorded by Uleska as testing is automated through it.
Note that the current week will represent all current testing scans between the current time and the last Sunday night - meaning that if you find brand new issues they will be included in the latest bar chart and information on this screen (you don't need to wait until the next Sunday).
Clicking on the 'Vulnerabilities' tab above this chart will show you current and historical charts of the number of vulnerabilities across your projects.
Again, this shows you a historical bar chart of the number of vulnerabilities found across projects. It is handy to move between this chart and the previous risk chart, where you can quickly see how rises or falls in the number of vulnerabilities affect the risk posture. For example, in these screenshots, we can see that an increase of 7 new vulnerabilities in the last 4 weeks (around 5% increase) has increased the risk by over $550,000 (around a 74% increase in risk).
Applications Onboarded Chart
The 'Applications' tab above this chart then shows you the number of applications that have been onboarded to the Uleska Platform with an 11-week historical trend.
This lets you know the rate of onboarding for the last few months, and lets you easily know how many apps are onboarded. You can use this to compare against the expected number of applications you wish to be tested through the Uleska Platform. Again you can quickly switch between this tab and the risk or vulnerabilities tabs to better understand your security story over the last few months. For example, your risk and number of vulnerabilities may have gone up simply because more apps are being tested, which gives you confidence that visibility is improving. Or the risk may have gone up while the number of apps has not.
Highest ASVS Risks Chart
Scrolling down the Analytics tab shows you the top 5 categories of ASVS which are resulting in the most risk.
Issues across applications in the Uleska Platform that have their CVSS and ASVS categories set will register in this donut chart to help you understand where your biggest risks are coming from. This lets you know where the gaps seem to be and can inform strategy on how to deal with them (e.g. online training on certain topics, brown bag sessions, etc).
As you continue to fix issues and develop your applications, this top 5 ASVS risks chart will continually update, reflecting the current state of vulnerabilities, so you can keep referring to it.
Security Teams Metrics
At the bottom of the Analytics page you can view the teams metrics table, which shows statistics from each team, including:
This table allows teams to be compared in terms of risk and vulnerabilities. If you click on a row (location or team) that has one or more sub-teams, the table will expand to show their metrics as well.
Under the Financials tab you will find pre-built overviews of the risk performance of various teams in your organization.
This tab shows the current risk associated with the high-level locations/teams configured, along with changes over the last week to:
The security metrics are presented for the Global (everyone) ‘team’ which represents all applications in your customer entity (essentially everything), and then further security metrics and charts are generated for each top-level team, such as ‘Atlanta’, ‘Belfast’, and ‘Amsterdam’ as shown above.
If you create further top-level teams, they will dynamically be added to this charting and metrics reporting. Note that you can have as many top-level teams as needed, and the charts presented on these screens can be copied and pasted into your own reports.
The metrics and charts presented for each team include security statistics for applications (vulnerabilities and risk) assigned to that top-level team or assigned to any of its sub-teams (i.e. it all rolls up).
Clicking on any of the top-level teams in the tab at the top will update the display to focus the metrics on that location / team, along with displaying the financials table for sub-teams at the bottom of the page.