Home
Managing application risk
Follow this workflow to manage application security risks in your organization.
Step 3: Determining risks and prioritizing vulnerabilities
Learn how to determine risks and prioritize vulnerabilities identified in an application.
Determining risk
Now that management and security analysts have a comprehensive view of the applications across the enterprise, it's time to get a complete picture of the application security risk. Use formulas to create rules for automated application asset classification. The automated calculation of an application security risk rating is based on the application's description and discovered vulnerabilities.
Customizing the risk rating formula
The risk rating formula is the most important attribute that you use to describe your applications. Use this example to customize the built-in risk rating. In this example, the business impact is calculated automatically, based on different application attributes.

Managing application risk
Follow this workflow to manage application security risks in your organization.
- Step 1: Creating an application inventory
  Learn how to create an application inventory.
- Step 2: Testing applications for vulnerabilities
  Learn how to test vulnerabilities identified in an application.
- Step 3: Determining risks and prioritizing vulnerabilities
  Learn how to determine risks and prioritize vulnerabilities identified in an application.
  - Determining risk
    Now that management and security analysts have a comprehensive view of the applications across the enterprise, it's time to get a complete picture of the application security risk. Use formulas to create rules for automated application asset classification. The automated calculation of an application security risk rating is based on the application's description and discovered vulnerabilities.
    - Formula components
      Product administrators can use any of the following components in your attribute formulas.
    - Examples of Functions
      These functions are used in the attribute formulas.
    - Built-in Formulas
      Use built-in formulas as a starting point to create or customize your own formulas.
    - Customizing the risk rating formula
      The risk rating formula is the most important attribute that you use to describe your applications. Use this example to customize the built-in risk rating. In this example, the business impact is calculated automatically, based on different application attributes.
    - Creating attributes with formulas
      Create and edit attributes that contain formulas to calculate the risk ratings for applications or to display issue information in application summaries. Delete formula attributes that are no longer relevant.
    - Modifying formulas
      You can modify AppScan Enterprise's built-in formulas to customize them for your business needs. For example, the Open Issues formula includes new, open, and reopened issues in its calculations. That might not fit with your requirements, so you can modify it to only include open and reopened issues.
    - Determining issue severity
      Security analysts can use CVSS scores to determine issue severity and prioritize vulnerability fixes for their organization.
  - Prioritizing Vulnerabilities
    Learn how to prioritize vulnerabilities identified in an application.
- Step 4: Remediating risks
  Learn how to remediate risks identified in an application.
- Step 5: Measuring progress and demonstrating compliance
  Learn how to measure progress and demonstrate compliance.

Customizing the risk rating formula

The risk rating formula is the most important attribute that you use to describe your applications. Use this example to customize the built-in risk rating. In this example, the business impact is calculated automatically, based on different application attributes.

About this task

Note: User role: Product Administrator

Ensure that you understand Built-in Formulas.

If you are a security analyst (or a similar role), you probably care about key information about your applications. For example:

Exposure
PCI requirement
SOX requirement
Revenue-generating
Confidential data
Number of users

Use these factors to determine the business impact and the risk rating of your applications.

Warning: If you modify the risk rating formula, the Security Risk Rating trend chart changes as of the month when you change the formula.

Procedure

On the Portfolio tab of the Monitor view, click Edit Application Profile Template.
Create an attribute that is called "Exposure" and select the Dropdown type.
Click Edit to open the list of values for the attribute.
Add Internal and set the numeric value to 1.
Add External, set the numeric value to 2, and click Save.
Repeat steps 2-5 to add more attributes that are used in calculations.
Save the application profile template so that the attributes are available to use in formulas.
Reopen the Edit Application Profile Template.
Create an attribute that is called "Calculated Business Impact" and select Formula as the type.
Click Edit to enter the formula: IF(exposure=2,5, IF(exposure=1,2,0))
Save the formula, and then save the application profile template.
Reopen the Edit Application Profile Template.
Edit the Risk Rating formula and replace the two occurrences of businessimpactwith calculatedbusinessimpact and click Save.
Note: You can hide the 'Calculated Business Impact' attribute from the application list but still use it in your formulas by clearing the Enabled check box in the application profile template.
Save the application profile template.
Edit the new Exposure attribute to either Internal or External.

Results

After the system recalculates the risk rating, the result of your new risk rating calculation displays. You can also click Refresh in the application list menu.