Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Server Software Risk Vector

Ingrid

⇤ Diligence Risk Category

The Server Software risk vector tracks security problems introduced by software that are no longer supported. Supported software gets attention from the development team and vendor, so they can address bugs and vulnerabilities that are discovered.

This data can be used to create a rich picture about the software used by an organization, making it simple to maintain a robust, up-to-date array of server software applications in an organization’s IT infrastructure.

Learn more:

Risks

  • Leaves bugs and vulnerabilities unpatched.
  • Exposes organizations to software bugs that can be exploited by attackers and may disrupt business continuity.

Grading

See how the Server Software risk vector is graded.

Concept Behavior

Lifetime

Duration: 60 Days

Insufficient Data

A default risk vector grade is assigned.

Default:

The use of server software is not required to improve an organization’s cyber security posture. Therefore, there’s no penalty or negative impact to the rating in the absence of Server Software findings.

Weight

Percentage (out of 70.5% in Diligence): 2%

Remediation

Resources

Recommendations

  • Identify out-of-date server software installations and update them.
  • Ensure the organization has critical server software set to auto-update, if applicable, and if some of the organization’s production applications depend on certain unsupported versions, their software development teams will need to integrate the newer versions into their code base.
  • Consult your operating system vendors’ software repositories and release notes for more information on supported server software for your organization.

Finding Behavior

Concept Behavior

Data:

How often the Bitsight platform is updated with the current security landscape.

Monthly – Software support details are updated on a monthly basis.

Rescan

The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated.

Automated Scan Duration: 8 Days

User-Requested Rescan Duration: 2-3 Days
Remediated

A new finding is created and the old one needs to complete its lifetime.

The rescan status of the old finding becomes Asset Not Found.

  • New findings immediately impact the grade.
  • Updated findings won’t necessarily improve the grade.
  • All BAD and WARN findings will stop impacting the grade after the last observation, as it completes its lifetime (60 days).
  • There is a grace period of 28 days to allow for validating and updating software packages.
  • March 25, 2024: “No findings/low findings” changed to “insufficient data.”
  • November 10, 2023: Linked to finding messages.
  • August 16, 2023: New Grading & Finding Behavior sections.

Related articles

Feedback

0 comments

Please sign in to leave a comment.