| Table of Contents |
|---|
Insights >> Security
| Info |
|---|
Insights >> Security displays security information on vulnerabilities found in components. |
Information on components’ Security is accessible through Insights >> Security tab.
Security Risk
With Kiuwan Insights you can easily detect those components that have well-known security vulnerabilities.
...
Security Risk Indicator | |
Value | Label |
0 |  |
( 0 , 4 ] | |
( 4 , 7 ] |  |
( 7, 10 ] |  |
Common Vulnerability Scoring System (CVSS) v2
| Info | ||
|---|---|---|
| ||
For every vulnerability, CVSS v2 provides an overall Base Score that “represents the intrinsic and fundamental characteristics of a vulnerability that are constant over time and user environments” (https://www.first.org/cvss/v2/guide) |
...
Kiuwan Insights displays the value for every subcore’s metric.
Below you can find the meaning for every metric but, as a rule of thumb, you can consider that the more left is the value of the metric, the more dangerous is the vulnerability.
Let’s understand the meaning of every metric.
Exploitability metrics
- Attack Vector (AV) : This metric reflects the level of “proximity” the attacker needs to obtain to the system in order to exploit the vulnerability. The more remote an attacker can exploit the vulnerability, the more vulnerable the system is.
- Values : Local - Adjacent - Network ( L / A / N )
- Access Complexity (AC) : Once the target system is reached, this metric reflects the complexity required to exploit the vulnerability (relative to the existence of “barrier conditions”). The easier to exploit the vulnerability, the more vulnerable the system is.
- Values : Low – Medium – High ( L / M / H )
- Authentication (Au) : This metric reflects the number of time the attacked needs to authenticate before being able to exploit the vulnerability. The less times he needs, the more vulnerable the system is.
- Values : Multiple – Single – None ( M / S / N )
Impact metrics
- Confidentiality Impact (C) : This metric reflects the degree in which the vulnerability can read system data and produce confidential information disclosure to non-authorized users.
- Values : None - Partial - Complete ( N / P / C )
- Integrity Impact (I) : This metric reflects the degree in which the vulnerability allows the attacker to modify existing system data, compromising the trust and veracity of data.
- Values : None - Partial - Complete ( N / P / C )
- Availability Impact (A) : This metric reflects the degree in which the vulnerability affects the availability and use of the system.
- Values : None - Partial - Complete ( N / P / C )
| Info |
|---|
Values of above metrics are combined to calculate CVSS v2 Base Score and Exploitability / Impact Subscores as described at https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator |
Common Vulnerability Scoring System (CVSS) v3
CVSS v2 has evolved to v3 (https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator) introducing changes to metrics (new metrics and different possible values).
However, not all vulnerabilities reported to NIST‘s National Vulnerability Database (NVD) have been scored according to v3 guidelines. Indeed, only a subset of them has been re-scored.
| Info |
|---|
Because of this, although Kiuwan Insights displays v3 data (when available), only v2 data will be used when computing components’ Security Risk indicator. |
New vulnerabilities
NIST database is continuously being feed with new vulnerabilities.
What happens if, after the date you run the analysis, new vulnerabilities are found that affect some of your components?
Don’t care. Kiuwan Insights is continuously inspecting NIST database for new vulnerabilities.
| Info |
|---|
If there are new vulnerabilities that affect some of the components of your app, those components will display those new vulnerabilities (marked as New) without the need to run a new analysis. Kiuwan will keep your components inventory up-to-date without the need to run new anlyses. |
...