When vulnerabilities are returned to the Uleska Platform by the configured automated security tools and scripts, the Uleska Platform can capture two categorizations for each vulnerability: a CVSS score and an ASVS category.
Many security tools and scripts will mark a CVSS value for the vulnerabilities they return to the Uleska Platform, though not all do. Tools can also associate issues with an ASVS category, though many do not. Where a CVSS or ASVS value is returned by a security tool or script, the Uleska Platform uses that value and associates it with the vulnerability.
The Uleska Platform can continue to operate and report issues in the absence of either ASVS or CVSS; however, having this information enhances what the Uleska Platform can report in terms of risk and in advising on which categories of issues to address.
The CVSS value is used as part of the cyber value-at-risk calculation, along with the configuration of the application and its data sensitivity. If the CVSS is missing, the risk value for an issue will not be calculated.
The ASVS category is used in the Analytics tab to advise on the highest-risk categories you are experiencing and can work to reduce.
Both the ASVS and CVSS values are included in output reports (PDF, CSV, and JSON via the API).
As mentioned, some tools will not return an ASVS or CVSS value. In this case, you can teach the Uleska Platform the ASVS and CVSS values you would like it to set for such issues. As issues are returned without a value, you can add those values through the user interface; Uleska will learn your categorizations for both ASVS and CVSS, so that whenever a similar vulnerability is returned to the Uleska Platform it is automatically marked with the same category.
This means you do not need to set an ASVS or CVSS value for every issue individually (which would become unmanageable). Instead, you set it once against an issue, and for every other issue that matches (same tool, title, and description) the Uleska Platform will automatically allocate the same ASVS or CVSS value. You can reset these values at any time.
The same issues found in future scans will automatically have the values set. For existing issues that match, you can have the Uleska Platform update them in two ways:
When viewing the list of vulnerabilities for a version, click the small calculator icon (labelled 'Recalculate') on the right-hand side of an issue; this updates the risk score and the CVSS/ASVS values if they have been set.
You can ask the Uleska Platform to regenerate the risk values for all issues in all applications, which will also use the updated CVSS settings. To do this, click the 'Configuration' menu, and under the 'Value at Risk' tab, scroll to the bottom and click 'Save & Recalculate'.
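As an added illustration (not Uleska's own code), the following Python models the behaviour described above: values a user sets once are remembered by (tool, title, description) and applied to matching issues that arrive without them, tool-supplied values are kept, and an issue with no CVSS gets no risk value on recalculation. The Finding structure, the key normalisation and the value_at_risk() formula are assumptions for the example, not the platform's actual implementation.

```python
# Added example, not Uleska's own code: a minimal model of the behaviour the
# page describes. Learned CVSS/ASVS values are keyed on (tool, title,
# description); tool-supplied values are kept; a finding with no CVSS gets no
# risk value. value_at_risk() is an ASSUMED placeholder, not Uleska's formula.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Finding:  # hypothetical structure for an issue returned by a tool
    tool: str
    title: str
    description: str
    cvss: Optional[float] = None
    asvs: Optional[str] = None
    risk: Optional[float] = None


def value_at_risk(cvss, data_sensitivity, app_value):
    """Assumed illustrative formula: no CVSS means no risk value is calculated."""
    if cvss is None:
        return None
    return round(cvss / 10.0 * data_sensitivity * app_value, 2)


def match_key(f: Finding) -> Tuple[str, str, str]:
    # Match on tool + title + description (case/whitespace folding is an assumption).
    return tuple(s.strip().lower() for s in (f.tool, f.title, f.description))


class CategorizationStore:
    """Remembers the ASVS/CVSS a user set once and re-applies it to matching issues."""

    def __init__(self):
        self._learned = {}

    def teach(self, f: Finding, cvss=None, asvs=None):
        # Set (or reset) the values on this issue and remember them for matches.
        learned = self._learned.setdefault(match_key(f), {})
        if cvss is not None:
            f.cvss = learned["cvss"] = cvss
        if asvs is not None:
            f.asvs = learned["asvs"] = asvs

    def apply(self, f: Finding, data_sensitivity: float, app_value: float) -> Finding:
        # Fill only the gaps; a value returned by the tool itself takes precedence.
        learned = self._learned.get(match_key(f), {})
        f.cvss = f.cvss if f.cvss is not None else learned.get("cvss")
        f.asvs = f.asvs if f.asvs is not None else learned.get("asvs")
        f.risk = value_at_risk(f.cvss, data_sensitivity, app_value)  # the 'Recalculate' step
        return f
```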
The values for ASVS and CVSS can be set through the user interface when viewing the issues in a results set (clicking on 'Results' for a tested version).
To set the ASVS or CVSS:
For more information on CVSS and on prioritizing security bugs by their technical severity, see https://www.first.org/.