A finding grade is derived for the Desktop Software and Mobile Software risk vectors based on the grade attributed to each OS and browser version.
The OS and browsers are evaluated based on their supported status:
- GOOD: The version is supported.
- FAIR: The version has been unsupported for less than 4 weeks.
- WARN: The version has been unsupported for at least 4 weeks but less than 52 weeks.
- BAD: The version has been unsupported for over 52 weeks.
Versions that are undetermined or unknown default to the following evaluations:
- ❗Undetermined: Either there’s no version available, the finding cannot be identified, or both the OS and browser are unknown. The finding is evaluated as NEUTRAL.
- ❓Unknown: When either the OS or browser has been evaluated and the other is unknown. The finding is graded as the available grade.
The calculation is depicted in the following table:
OS & Browser Support Status Matrix | Browser Grade: Supported | Browser Grade: Unsupported < 4 weeks | Browser Grade: Unsupported < 52 weeks | Browser Grade: Unsupported > 52 weeks | Browser Grade: ❗Undetermined / ❓Unknown
---|---|---|---|---|---
OS Grade: Supported | | | | | GOOD
OS Grade: Unsupported < 4 weeks | | | | | FAIR
OS Grade: Unsupported < 52 weeks | | | | | WARN
OS Grade: Unsupported > 52 weeks | | | | | BAD
OS Grade: ❗Undetermined / ❓Unknown | GOOD | FAIR | WARN | BAD | NEUTRAL
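The grading rules above, worked through as an added example (this is illustrative code, not BitSight's implementation or API). It grades one OS or browser version by how long it has been unsupported, combines the two grades per the Undetermined and Unknown rules stated above, and reports how many days remain before a version crosses into the next band. Assumptions: `support_end` is the first day a version is unsupported (so the day itself already counts as unsupported), and because the inner cells of the matrix are not reproduced above, the case where both OS and browser have a known grade is assumed to take the worse of the two; the inventory and dates are constructed for the example.

```python
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Grade(str, Enum):
    GOOD = "GOOD"
    FAIR = "FAIR"
    WARN = "WARN"
    BAD = "BAD"
    NEUTRAL = "NEUTRAL"  # both OS and browser undetermined


# Thresholds from the article: < 4 weeks -> FAIR, < 52 weeks -> WARN, otherwise BAD.
FAIR_LIMIT = timedelta(weeks=4)
WARN_LIMIT = timedelta(weeks=52)

# First day on which each band applies, measured from support_end.
BAND_START = {Grade.FAIR: timedelta(0), Grade.WARN: FAIR_LIMIT, Grade.BAD: WARN_LIMIT}

# Ordering used only by the assumed worse-of rule in grade_finding().
SEVERITY = {Grade.GOOD: 0, Grade.FAIR: 1, Grade.WARN: 2, Grade.BAD: 3}


def grade_version(support_end: Optional[date], observed: date) -> Optional[Grade]:
    """Grade one OS or browser version on the date it was observed.

    support_end is the first day the version is unsupported (assumption);
    None means the version could not be identified and is treated as Unknown.
    """
    if support_end is None:
        return None
    if observed < support_end:
        return Grade.GOOD
    unsupported_for = observed - support_end
    if unsupported_for < FAIR_LIMIT:
        return Grade.FAIR
    if unsupported_for < WARN_LIMIT:
        return Grade.WARN
    return Grade.BAD


def grade_finding(os_grade: Optional[Grade], browser_grade: Optional[Grade]) -> Grade:
    """Combine the OS and browser grades into one finding grade.

    From the article: both unknown -> NEUTRAL (Undetermined); exactly one
    unknown -> the available grade. For two known grades the matrix cells are
    not shown on the page, so this example ASSUMES the worse of the two.
    """
    if os_grade is None and browser_grade is None:
        return Grade.NEUTRAL
    if os_grade is None:
        return browser_grade
    if browser_grade is None:
        return os_grade
    return max(os_grade, browser_grade, key=SEVERITY.__getitem__)


def days_until(target: Grade, support_end: Optional[date], observed: date) -> Optional[int]:
    """Days until a version enters `target` (FAIR, WARN or BAD).

    Negative when the band was already entered; None when the version is unknown.
    Useful for scheduling updates before a WARN or BAD is reported.
    """
    if support_end is None:
        return None
    return (support_end + BAND_START[target] - observed).days


# Constructed sample inventory: (host, os_support_end, browser_support_end).
# The dates are made up for the example and are not real vendor EOL dates.
OBSERVED = date(2024, 1, 3)
SAMPLE_INVENTORY = [
    ("host-a", date(2024, 6, 1), date(2024, 6, 1)),    # both still supported
    ("host-b", date(2024, 6, 1), date(2023, 12, 20)),  # browser unsupported 14 days
    ("host-c", date(2023, 6, 1), None),                # OS unsupported ~31 weeks, browser unknown
    ("host-d", None, None),                            # nothing identified
    ("host-e", date(2022, 1, 1), date(2024, 6, 1)),    # OS unsupported ~2 years
]


def grade_inventory(inventory, observed: date = OBSERVED) -> dict:
    """Return {host: finding grade} for every device in the inventory."""
    return {
        host: grade_finding(grade_version(os_end, observed), grade_version(br_end, observed))
        for host, os_end, br_end in inventory
    }


if __name__ == "__main__":
    for host, grade in grade_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {grade.value}")
    print("host-b browser reaches WARN in", days_until(Grade.WARN, date(2023, 12, 20), OBSERVED), "days")
```

The per-host grades come out as GOOD, FAIR, WARN, NEUTRAL and BAD respectively; `days_until` is the piece a patching workflow would key on, since it says how long a FAIR finding can remain before it becomes a WARN.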
- July 18, 2023: Published.
Feedback
Hello Ingrid
I am currently working on updating the browser management process. I have reviewed this article which outlines clear formulas for the Fair, Warn, and BAD ranges. However, when I examine the Excel files available on your website, these formulas do not appear to be functioning as expected. The Excel sheets seem to rely on the concept of EOL, which is defined as the gap between the release dates of two consecutive versions plus 7 days.
Our goal is to automate the identification of devices with outdated browser packages. To achieve this, I need to be able to categorize each version of the browser in order to update the packages before BitSight reports a Warn or a BAD status.
I have a few questions:
1. Can a BitSight API provide the information equivalent to what is contained in your Excel file?
2. If not, is there a fixed link to an Excel file that can be automatically accessed and loaded when it is updated?
3. Additionally, is any documentation available that explains how BitSight calculates the different ranges (Fair, Warn, BAD)?
Regards,
Laurent
Hello Laurent,
Are you referring to the endpoint OS-browser versions sheet? I will forward your query to Product Management and Data Research.
As for your third question, finding grading is outlined in "How is the Desktop Software Risk Vector Assessed?" and "How is the Mobile Software Risk Vector Assessed?"