Monitoring overdue issues

Security analysts can see the number of applications that have overdue issues, so they can quickly identify which issues or applications are out of compliance. AppScan Enterprise v9.0.3 includes an Overdue formula that can be modified or used as an example for creating complex formulas. If your organization must comply with the Payment Card Industry standard, you can add that requirement to the formula. Or you can modify the formula so that an issue that is still marked New after 10 days and has a high severity is automatically overdue.

Before you begin

This is the Overdue formula:
IF(classification=scancoveragefindings,0,IF(status=noise,0,IF(status=passed,0,IF(status=fixed,0,AGE()-IF(severity>10, 3, IF(severity>7.4, 5, IF(severity>5, 7, IF(severity>1.9, 14, 100))))))))
Note: v9.0.3.1 iFix2: In previous versions, the Overdue formula didn't include scan coverage findings in its calculations, and this caused a discrepancy in the numbers that were displayed in the Applications tab and Portfolio tab. As of v9.0.3.1 iFix2, you must edit the Overdue Formula so that it includes scan coverage findings. You must add IF(classification=scancoveragefindings,0, at the beginning of the formula, and add a closing bracket at the very end.
Here's how the Overdue formula breaks down: if the issue is a scan coverage finding, or its status is noise, passed, or fixed, then the issue is not overdue. Otherwise, the formula evaluates to "issue AGE - severity mapping", using the mapping below.

Table 1. Mapping severity to number of days overdue

  Severity range     Value         Number of days overdue
  Greater than 10    Critical      3
  Greater than 7.4   High          5
  Greater than 5     Medium        7
  Greater than 1.9   Low           14
  Less than 1.9      Information   100

If these suggested resolution times don't fit into your workflow, modify the formula in the Issue Profile Template.
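The following Python model of the Overdue formula is an added example, not code from AppScan Enterprise: it mirrors the nested IFs above so you can check the severity mapping and the iFix2 scan-coverage change against constructed issues. The Issue record, its field names, the sample data and the reading of a positive result as "overdue" are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Severity mapping from the page's Overdue formula: severity > 10 -> 3 days,
# > 7.4 -> 5, > 5 -> 7, > 1.9 -> 14, otherwise 100 (thresholds checked in order).
SEVERITY_TO_DAYS = ((10, 3), (7.4, 5), (5, 7), (1.9, 14))
NOT_OVERDUE_STATUSES = {"noise", "passed", "fixed"}

@dataclass
class Issue:
    # Illustrative record (assumed fields) for the formula's inputs and AGE() date.
    application: str
    classification: str
    status: str
    severity: float
    created: date

def allowed_days(severity):
    """The inner nested IFs: days allowed before an issue counts as overdue."""
    for threshold, days in SEVERITY_TO_DAYS:
        if severity > threshold:
            return days
    return 100

def overdue_value(issue, today, exclude_scan_coverage=True):
    """Whole formula: 0 for excluded issues, otherwise AGE() - allowed days.
    exclude_scan_coverage=False reproduces the pre-iFix2 formula, which lacked the
    leading IF(classification=scancoveragefindings,0, ...) clause."""
    if exclude_scan_coverage and issue.classification == "scancoveragefindings":
        return 0
    if issue.status in NOT_OVERDUE_STATUSES:
        return 0
    return (today - issue.created).days - allowed_days(issue.severity)

def is_overdue(issue, today, **kwargs):
    # Assumption: a positive formula result is what the Overdue=YES filter matches.
    return overdue_value(issue, today, **kwargs) > 0

def applications_with_overdue(issues, today, **kwargs):
    """Portfolio-style view: applications that have at least one overdue issue."""
    return {i.application for i in issues if is_overdue(i, today, **kwargs)}

# Constructed sample data (not from the page); the last record is a scan coverage
# finding that only the pre-iFix2 formula counts as overdue.
TODAY = date(2024, 6, 30)
SAMPLE_ISSUES = [
    Issue("Payments", "issue", "open", 9.0, date(2024, 6, 20)),   # high, 10 days old
    Issue("Payments", "issue", "fixed", 9.5, date(2024, 5, 1)),   # fixed: never overdue
    Issue("Portal", "issue", "open", 3.0, date(2024, 6, 20)),     # low, within 14 days
    Issue("Portal", "scancoveragefindings", "open", 12.0, date(2024, 6, 1)),
]
```

Running applications_with_overdue with and without exclude_scan_coverage on the sample reproduces the Applications/Portfolio discrepancy the note describes: the older formula also flags Portal because of the scan coverage finding.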

About this task

Upgrade: If you created an Overdue attribute in a previous version of AppScan Enterprise, v9.0.3 appends "_1" to the name and then creates a new Overdue attribute for the formula to use.

Procedure

  1. From the Portfolio view, sort the Overdue column in the application list in descending order, or add an Overdue=YES filter.
  2. Apply filters to fine-tune the list, such as Max Severity=High + Business Impact=Critical Impact.
  3. Select an application and group by Severity.
  4. Now you can select an issue number and get more details, such as when the issue was created. From this date you can tell by how many days the fix for the issue is overdue.