What Impact and Probability Mean
Impact and Probability as seen in AppCheck vulnerabilities are a concept shared with the Common Vulnerability Scoring System (CVSS). While AppCheck vulnerabilities will not always feature exactly the same ratings seen in CVSS, the definitions of the terms are the same.
Impact
This indicates how severe the damage is likely to be if the vulnerability is exploited.
An example of an exploited high impact vulnerability might result in a massive data leak, or your system being brought offline.
An example of an exploited low impact vulnerability might result in the exposure of server configuration information.
Low impact vulnerabilities may be combined with other vulnerabilities to enable a high impact attack. For example, if the attacker is able to learn some details about your system from a low impact vulnerability, they may then be able to utilise a high impact vulnerability in that system.
Probability
This indicates the likelihood of the vulnerability being exploited. CVSS includes a base value, which essentially indicates how difficult the vulnerability is to exploit, and modifiers to that base value; for example, the probability may increase as known exploit code becomes available. The probability seen in AppCheck is comparable only to the base CVSS rating and does not include modifiers.
How AppCheck Produces Impact and Probability Values
Many Impact and Probability ratings in AppCheck will be derived directly from the CVSS scores listed in a number of public databases, while others are the opinion of our own developers.
Ratings Imported from CVSS
AppCheck imports ratings for known vulnerabilities from public databases on a regular basis.
There are multiple versions of CVSS scoring available. While AppCheck imports version 2, 3 and 4 scores for new vulnerabilities, older vulnerabilities do not receive scores under the newer versions.
Ratings Produced by AppCheck
AppCheck produces its own ratings in two situations:
- When the vulnerability is a zero-day vulnerability discovered by AppCheck
- When a known vulnerability in a product is found, but does not have ratings specified in the public databases
While AppCheck's own scores are usually in line with the industry-accepted ratings you might expect to see in a manual penetration test, they can differ in cases where our developers deem it appropriate.
Some AppCheck ratings are set dynamically depending on information gleaned through the scanner's automated investigation, meaning a vulnerability in one location may be given a different rating from the same vulnerability found in another location, in a similar way to how CVSS would apply an environmental modifier.