How is the Diligence Risk Category Calculated?
Server Software findings are evaluated based on the supported/unsupported status of an organization’s server software.
We cannot make any special exemptions with regard to the impact of this risk vector if an organization’s business requirements depend on outdated or insecure server software applications. Please contact Bitsight Support if you would like to discuss your Server Software findings.
Concept | Behavior |
---|---|
Default grade | A default risk vector grade is assigned. |
No findings | The use of server software is not required to improve an organization’s cyber security posture. Therefore, there is no penalty or negative impact to the rating in the absence of Server Software findings. |
Finding lifetime | The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. |
Duration | 60 days. There is a grace period of 28 days to allow for validating and updating software packages. See finding behavior. |
Percentage (out of 70.5% in Diligence) | 2% |
Finding Grading
Grade | Considerations |
---|---|
GOOD | The software is up-to-date, has been backported, or has the latest security patches. |
FAIR | The version has been unsupported for less than 4 weeks. There is a grace period of 28 days to allow for validating and updating software packages. |
WARN | The version has been unsupported for less than 52 weeks. Software that is no longer supported is evaluated as WARN for a grace period of 28 days. After 28 days, WARN becomes BAD. |
BAD | The version has been unsupported for over 52 weeks. The software is either unsupported or does not have the latest OS-specific patches applied. These findings impact an organization’s Server Software risk vector grade and Bitsight Security Rating. |
NEUTRAL | The software status could not be determined, or it is unsupported but still receives security fixes. There is either not enough information to determine whether the software version is supported, not enough information to determine whether the latest OS-specific patches are installed, or the software is unsupported but still receives security fixes. These findings do not impact the Server Software risk vector grade and remediation is unnecessary. |
Backported Security Fixes
Backports occur when software vendors still distribute updates (patches) for old software versions that are technically unsupported, or when developers provide patches for third-party software as a courtesy. They essentially duplicate security fixes from supported software versions and port them to the unsupported software.
Example: Ubuntu developers update the Ubuntu version of OpenSSH.
Learn more about backports.
Extended Security Updates
The general support life cycle of some software products is split into two periods – the first half with “mainstream support,” followed by the second half with “extended support.” After the extended support period, “extended security updates (ESU)” might be offered. Extended support and ESU are taken into consideration when determining whether software is supported.
This currently applies within the Bitsight platform to Microsoft products. These ESU programs do not include all security fixes and upgrades.
Software with ESU is evaluated in the following manner:
- GOOD: From the date of release to the end date of extended support.
- FAIR: The first and second years of ESU.
- WARN: The third year of ESU.
- BAD: The end date of ESU.
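As an added example (not Bitsight's code), the following Python applies the Finding Grading thresholds and the ESU schedule above to a constructed software inventory, so a team can see which findings are currently counting against the grade and how many days remain before each one degrades further. The `Observation` fields, the status labels, the 365-day ESU year, the sample inventory and the choice to treat the 28-day grace period and the 52-week limit as exclusive upper bounds are all this example's assumptions.

```python
"""Added example, not Bitsight's code: grades observed server software using the
Finding Grading thresholds and the ESU schedule described on this page.
Field names, status labels, the 365-day ESU year and the sample inventory are
constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

GRACE = timedelta(days=28)          # page: 28-day grace period (FAIR)
WARN_LIMIT = timedelta(weeks=52)    # page: over 52 weeks unsupported -> BAD
ESU_YEAR = timedelta(days=365)      # assumed length of one ESU year


@dataclass
class Observation:
    name: str
    # one of: "supported", "backported", "unsupported",
    #         "unsupported_with_fixes", "unknown"   (labels are assumptions)
    status: str
    end_of_support: Optional[date] = None   # when (extended) support ended
    esu_end: Optional[date] = None          # end date of an ESU program, if any


def grade(obs: Observation, observed: date) -> str:
    """Return GOOD / FAIR / WARN / BAD / NEUTRAL for one observation."""
    if obs.status in ("unknown", "unsupported_with_fixes"):
        # page: status undetermined, or unsupported but still receiving fixes
        return "NEUTRAL"
    if obs.status in ("supported", "backported"):
        return "GOOD"
    if obs.status != "unsupported" or obs.end_of_support is None:
        return "NEUTRAL"   # cannot be evaluated without an end-of-support date
    if observed < obs.end_of_support:
        return "GOOD"      # still inside the (extended) support window
    elapsed = observed - obs.end_of_support
    if obs.esu_end is not None:
        # ESU path: years 1-2 FAIR, year 3 WARN, BAD once ESU ends
        if observed >= obs.esu_end or elapsed >= 3 * ESU_YEAR:
            return "BAD"
        return "FAIR" if elapsed < 2 * ESU_YEAR else "WARN"
    # Plain unsupported path: grace period, then WARN, then BAD after 52 weeks
    if elapsed < GRACE:
        return "FAIR"
    if elapsed < WARN_LIMIT:
        return "WARN"
    return "BAD"


def days_until_downgrade(obs: Observation, observed: date) -> Optional[int]:
    """Days until the grade gets worse if nothing changes; None if it is stable
    (NEUTRAL, already BAD, or no downgrade within the next four years)."""
    current = grade(obs, observed)
    if current in ("NEUTRAL", "BAD"):
        return None
    probe, limit = observed, observed + 4 * ESU_YEAR
    while probe < limit:
        probe += timedelta(days=1)
        if grade(obs, probe) != current:
            return (probe - observed).days
    return None


def remediation_report(inventory: List[Observation],
                       observed: date) -> Dict[str, Tuple[str, Optional[int]]]:
    """Map each software name to (grade, days until the next downgrade)."""
    return {obs.name: (grade(obs, observed), days_until_downgrade(obs, observed))
            for obs in inventory}


# Constructed sample inventory and observation date (not real scan data).
OBSERVED = date(2024, 3, 1)
SAMPLE_INVENTORY = [
    Observation("openssh (distro backport)", "backported"),
    Observation("legacy-httpd", "unsupported", end_of_support=date(2024, 2, 12)),
    Observation("esu-product", "unsupported", end_of_support=date(2023, 1, 1),
                esu_end=date(2026, 1, 1)),
    Observation("unknown-daemon", "unknown"),
]

if __name__ == "__main__":
    for name, (g, horizon) in remediation_report(SAMPLE_INVENTORY, OBSERVED).items():
        print(f"{name:28} {g:8} downgrade in {horizon} days")
```

Running the block prints one line per inventory item; `legacy-httpd` lands in the FAIR grace period with 10 days left before it becomes WARN, while `esu-product` stays FAIR until its second ESU year ends. Keying remediation on `days_until_downgrade` rather than on the current grade is what lets a team schedule package validation inside the 28-day window instead of reacting after the grade has already slipped.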
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- December 12, 2023: Linked to no findings definition.
- December 4, 2023: Finding lifetime definition link changed to Finding Lifetime section.