Determining issue severity

Security analysts can use CVSS scores to determine issue severity and prioritize vulnerability fixes for their organization.

Video: Working with CVSS in AppScan Enterprise: the Security Champion's perspective

© Copyright HCL Technologies Limited 2001, 2019