An application vulnerability calculator is a pre-defined formula that sets a target field when certain criteria are met. Calculators that calculate the application vulnerable item (AVI) Risk Score can contain Risk Rules. Risk calculations offer insight for prioritizing remediation.

Before you begin

Role required: App-Sec Manager group

Note: You may notice performance degradation when running application vulnerability calculators that contain scripts.

Order your rules so that the simplest rules run first. Use scripts only for items that cannot be handled with a filter condition and template value, or with a risk rule.
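The ordering advice above can be shown with a small model. The following is an added example, not ServiceNow code: it models calculator rules evaluated in ascending Order, where each rule's condition is either a filter (field/value pairs that must all match) or a script (a plain JavaScript function), and the first matching rule applies its template values. The first-match behaviour, the `riskRating` target field, the sample AVIs and the sample rules are assumptions constructed for the example; the counter shows how many script conditions execute depending on where the script rule sits in the order.

```javascript
// Added example (not ServiceNow code): a model of ordered calculator rules.
// Assumptions not stated on the page: rules run in ascending Order, the first
// matching rule sets the target field (here a constructed field "riskRating"),
// and a Script condition is a plain JavaScript function taking the AVI.

const FILTER = "filter";
const SCRIPT = "script";

// Constructed sample application vulnerable items (AVIs).
const sampleAvis = [
  { id: "AVI-1", severity: "Critical", owaspTop10: true,  sansTop25: false },
  { id: "AVI-2", severity: "High",     owaspTop10: false, sansTop25: true  },
  { id: "AVI-3", severity: "Low",      owaspTop10: false, sansTop25: false },
  { id: "AVI-4", severity: "Medium",   owaspTop10: true,  sansTop25: true  },
  { id: "AVI-5", severity: "High",     owaspTop10: false, sansTop25: false },
];

// A Filter condition: every {field, value} pair must match the AVI (cheap).
function matchesFilter(avi, filter) {
  return filter.every(({ field, value }) => avi[field] === value);
}

// Evaluate one rule's condition; script conditions are counted as the expensive path.
function ruleMatches(avi, rule, stats) {
  if (!rule.active) return false;
  if (rule.conditionType === FILTER) return matchesFilter(avi, rule.condition);
  stats.scriptRuns += 1;
  return rule.condition(avi);
}

// Run the rules in ascending Order against one AVI; the first match applies its template.
function applyCalculator(avi, rules) {
  const stats = { scriptRuns: 0 };
  const ordered = [...rules].sort((a, b) => a.order - b.order);
  const result = { ...avi, matchedRule: null };
  for (const rule of ordered) {
    if (ruleMatches(result, rule, stats)) {
      Object.assign(result, rule.template);
      result.matchedRule = rule.name;
      break;
    }
  }
  return { result, stats };
}

// Apply the calculator to every AVI and total the script executions.
function applyToAll(avis, rules) {
  let scriptRuns = 0;
  const results = avis.map((avi) => {
    const { result, stats } = applyCalculator(avi, rules);
    scriptRuns += stats.scriptRuns;
    return result;
  });
  return { results, scriptRuns };
}

// Return a copy of the rules with one rule's Order changed.
function withOrder(rules, name, order) {
  return rules.map((r) => (r.name === name ? { ...r, order } : r));
}

// Constructed rules: two cheap filter rules first, the script rule last.
const sampleRules = [
  { name: "Critical severity", order: 100, active: true, conditionType: FILTER,
    condition: [{ field: "severity", value: "Critical" }],
    template: { riskRating: "1 - Critical" } },
  { name: "Low severity", order: 200, active: true, conditionType: FILTER,
    condition: [{ field: "severity", value: "Low" }],
    template: { riskRating: "4 - Low" } },
  { name: "OWASP or SANS listed", order: 300, active: true, conditionType: SCRIPT,
    condition: (avi) => avi.owaspTop10 || avi.sansTop25,
    template: { riskRating: "2 - High" } },
];

// Usage: compare script executions for the recommended order and for a script-first order.
const recommended = applyToAll(sampleAvis, sampleRules);
const scriptFirst = applyToAll(sampleAvis, withOrder(sampleRules, "OWASP or SANS listed", 50));
console.log("script runs, script last:", recommended.scriptRuns);  // 3
console.log("script runs, script first:", scriptFirst.scriptRuns); // 5
```

With the script rule placed after the filter rules, the script executes only for the AVIs the filters did not handle; moving it to the front of the order runs it once for every AVI, which is the degradation the note warns about.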

Procedure

  1. Navigate to All > Application Vulnerability Response > Administration > Vulnerability Calculators.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
  4. Right-click in the header to Save.
    The Vulnerability Calculator Rules section appears.
  5. Create a rule for the calculator by clicking New.
    Note: For the New Risk Rules form (only available when the Target field is Risk Score) see step 10.
  6. Fill in the fields, as appropriate.
  7. Fill in the fields in the When this condition is met tab, as appropriate.
    Table 3. When this condition is met tab
    Condition type: Available when you select the Advanced view. Choices include:
    • Filter: Uses filter conditions.
    • Filter group: See create and define filter groups to define the calculator criteria.
    • Script: Script condition used to determine when to apply this calculator.
      Note: Before you write scripts for determining when to apply the calculators, return to the Application Vulnerability Calculators list and explore the vulnerability calculator records shipped with the base system.
    Condition: Defines basic filter conditions for determining whether to use the calculator. Selecting either the Filter group or the Script condition type hides this field.

  8. Click the Set these values tab and fill in the fields on the form, as appropriate.
    Table 4. Set these fields tab
    Value type: Available when you select the Advanced view. Choices include:
    • Template: Define the values to set on each field.
    • Script: Used to set the values on each field.
    Script values: Available if you selected the Script value type. Defines which values to apply the calculations to.
    Template: Select the fields and values you want to use for the calculator. Selecting the Script value type hides this field.

  9. When you have completed all entries, click Submit.
    Note: When you edit an existing calculator and want to update all existing scores, use the Reapply Calculator button. It runs through all active AVIs and, for each AVI whose value that calculator would set, recalculates the value. Because reapplying a calculator can take a long time, a scheduled job handles it.
  10. For the New Risk Rules form, fill in the fields as appropriate.

    Set each weight according to the percentage of the result that should come from that value. For any data that your scanner does not provide, or for data that should not be part of the risk score, set the weight to zero.

    As you update the weights, scenarios display the weights remaining, as well as anticipated Risk Score results.

    Name: Name of the calculator rule.
    Order: The order in which to run the calculator. A calculator with an order entry of 100 runs before a calculator with an order entry of 200.
    Calculator: Auto-filled with the parent calculator.
    Active: Selected by default, which means the calculator rule is active. If you clear this check box, the rule does not apply to new vulnerable items created in the system.
    Condition: Defines basic filter conditions for determining whether to use the calculator. Selecting either the Filter group or the Script condition type hides this field.
    Weights
    Vulnerability Severity: Percentage of the result that comes from severity.
    OWASP top 10: Percentage of the result that comes from the vulnerability's presence in the OWASP top 10 list. If this information is not present in your vulnerabilities, set the weight to zero.
    SANS top 25: Percentage of the result that comes from the vulnerability's presence in the SANS top 25 list. If this information is not present in your vulnerabilities, set the weight to zero.
    Running total: Auto-computed percentage total. When this value reaches 100, the Scenario preview shows sample risk scores for different scenarios.
    Sample scenarios: When all weights total 100%, risk score scenarios display, providing a preview of the risk score in some of the possible scenarios.
    (Figure: Sample Vulnerability Risk Rule with updated field values, each weight set according to the percentage of the result that should come from that value.)
  11. Click Submit.
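The weights described in step 10 can be modelled in code. The following is an added example, not ServiceNow code. The scoring model it uses (each input normalized to a 0..1 value, multiplied by its weight as a percentage of the result, and summed to a 0..100 Risk Score), the severity scale and the sample weights are assumptions; the page does not state the product's formula. The example shows the running total and remaining percentage, refuses to score until the weights total 100, produces the scenario preview once they do, and uses a weight of zero for data the scanner does not provide.

```javascript
// Added example (not ServiceNow code): a model of Risk Rule weights and the
// scenario preview. The scoring model is an assumption, not the page's formula:
// each input is normalized to 0..1, multiplied by its weight (its percentage of
// the result), and the products are summed, giving a Risk Score from 0 to 100.

// Constructed severity scale (Critical counts fully, Info not at all).
const SEVERITY_SCALE = { Critical: 1.0, High: 0.75, Medium: 0.5, Low: 0.25, Info: 0 };

// The three weight fields on the Risk Rule form.
const WEIGHT_FIELDS = ["severity", "owaspTop10", "sansTop25"];

// Running total of the weights, as the form shows it while you type.
function runningTotal(weights) {
  return WEIGHT_FIELDS.reduce((sum, f) => sum + (weights[f] || 0), 0);
}

// Report the remaining percentage and whether the rule is ready to preview.
function validateWeights(weights) {
  for (const f of WEIGHT_FIELDS) {
    const w = weights[f] || 0;
    if (w < 0 || w > 100) throw new Error(`weight ${f} out of range: ${w}`);
  }
  const total = runningTotal(weights);
  return { total, remaining: 100 - total, complete: total === 100 };
}

// Weighted Risk Score for one AVI; refuses to score until the weights total 100.
function riskScore(avi, weights) {
  if (!validateWeights(weights).complete) {
    throw new Error("weights must total 100 before a Risk Score can be computed");
  }
  const w = (f) => weights[f] || 0;
  const severity = SEVERITY_SCALE[avi.severity] ?? 0;
  // Data the scanner does not provide is simply absent and should carry weight 0.
  const owasp = avi.owaspTop10 ? 1 : 0;
  const sans = avi.sansTop25 ? 1 : 0;
  const score = w("severity") * severity + w("owaspTop10") * owasp + w("sansTop25") * sans;
  return Math.round(score);
}

// Scenario preview: every severity, with and without each list membership.
function sampleScenarios(weights) {
  if (!validateWeights(weights).complete) return [];
  const scenarios = [];
  for (const severity of Object.keys(SEVERITY_SCALE)) {
    for (const owaspTop10 of [false, true]) {
      for (const sansTop25 of [false, true]) {
        const avi = { severity, owaspTop10, sansTop25 };
        scenarios.push({ ...avi, riskScore: riskScore(avi, weights) });
      }
    }
  }
  return scenarios;
}

// Usage: a scanner that reports severity and OWASP membership but not SANS,
// so the SANS weight is set to zero (constructed sample weights).
const weights = { severity: 70, owaspTop10: 30, sansTop25: 0 };
const check = validateWeights(weights);
console.log(`running total ${check.total}%, remaining ${check.remaining}%`);
for (const s of sampleScenarios(weights)) {
  console.log(`${s.severity.padEnd(8)} OWASP=${s.owaspTop10} SANS=${s.sansTop25} -> ${s.riskScore}`);
}
```

Because each weight is a share of a fixed 100-point result, a component whose data the scanner never supplies would otherwise silently cap every score below 100; giving it weight zero and redistributing the share to the remaining inputs keeps the full range available.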