Environment definition view

Environment definition is not essential, but enables AppScan® to safely refrain from sending non-relevant tests during the scan, resulting in a faster and more accurate scan. Customizing CVSS 3.1 environmental scores will improve the accuracy of your scan results.

Note: Where relevant, some of the list boxes allow you to select more than one option by pressing the Ctrl key when selecting items in a list.

| Metric | Comments |
| --- | --- |
| Operating System | Operating system of the application being scanned. |
| Web Server | Select all applicable answers. To select more than one option use [Ctrl] + Click. |
| Application Server (if any) | Select all applicable answers. To select more than one option use [Ctrl] + Click. |
| Type of Database (if any) | Select all applicable answers. To select more than one option use [Ctrl] + Click. |
| Third-Party Component (if any) | Select all applicable answers. To select more than one option use [Ctrl] + Click. |
| Location of Site | Whether the site is remote or local. |
| Type of Site | Whether it is a test site or a live production site. |
| Deployment Method | Whether the site is deployed internally (private site), or externally (on the Internet). |

CVSS 3.1 environmental scores

CVSS (Common Vulnerability Scoring System) Version 3.1 assigns severity values to issues found, based on Base, Temporal and Environmental scoring.

CVSS uses default metrics for environmental scoring, but you can define the relative importance of the specific metrics in your application environment. AppScan® will take the customized definitions into account when assigning severity values to issues found.

Note: In AppScan Standard 10.2.0, the version of CVSS scoring used was updated to CVSS 3.1. If you load a scan created in a version earlier than 10.2.0, AppScan will offer to update the results to reflect CVSS 3.1 scoring; otherwise, some actions on the file will be limited.

For more details about CVSS 3.1 scoring, refer to:

Common Vulnerability Scoring System Version 3.1 Calculator

| Metric | Values |
| --- | --- |
| Confidentiality Requirement (CR) | Not defined, Low, Medium, High |
| Integrity Requirement (IR) | Not defined, Low, Medium, High |
| Availability Requirement | Not defined, Low, Medium, High |
| Modified Attack Vector (MAV) | Not defined, Network, Adjacent network, Local, Physical |
| Modified Attack Complexity (MAC) | Not defined, Low, High |
| Modified Privileges Required (MPR) | Not defined, None, Low, High |
| Modified User Interaction (MUI) | Not defined, None, Required |
| Modified Scope (MS) | Not defined, Unchanged, Changed |
| Modified Confidentiality (MC) | Not defined, Low, High |
| Modified Integrity (MI) | Not defined, Low, High |
| Modified Availability (MA) | Not defined, Low, High |

See also:

Issue severity levels