How is the Server Software Risk Vector Assessed?

Server Software contributes to how the Diligence risk category is calculated. Findings are evaluated based on the supported/unsupported status of an organization’s server software.

We cannot make any special exemptions with regard to the impact of this risk vector if an organization’s business requirements depend on outdated or insecure server software applications. Please contact Bitsight Support if you would like to discuss your Server Software findings.

Server Software Concepts

Insufficient Data
A default risk vector grade is assigned if there is insufficient or no data.
Default:
Behavior: The use of server software is not required to improve an organization’s cyber security posture. Therefore, there is no penalty or negative impact to the rating in the absence of Server Software findings.

Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
Duration: 60 days
Behavior: There is a grace period of 28 days to allow for validating and updating software packages. See finding behavior.

Weight
The Server Software risk vector contributes to the weight of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% of the Bitsight Security Rating.
Weight: 2%

Finding Grading

GOOD: The software is up-to-date, has been backported, or has the latest security patches.
FAIR: The version has been unsupported for less than 4 weeks. FAIR findings for this risk vector do not have an impact on the rating. There is a grace period of 28 days to allow for validating and updating software packages; during the grace period, findings have a FAIR grade.
Findings observed after the end of the grace period and less than 365 days after the end of support have a WARN grade.
WARN: The version has been unsupported for less than 52 weeks. Software that is no longer supported is evaluated as WARN for a grace period of 28 days; after 28 days, WARN becomes BAD.
BAD: The version has been unsupported for over 52 weeks. The software is either unsupported or does not have the latest OS-specific patches applied. These findings impact an organization’s Server Software risk vector grade and Bitsight Security Rating.
NEUTRAL: The software status could not be determined, or the software is unsupported but still receives security fixes. There is either not enough information to determine whether the software version is supported, not enough information to determine whether the latest OS-specific patches are installed, or the software is unsupported but still receives security fixes. These findings do not impact the Server Software risk vector grade, and remediation is unnecessary.

Backported Security Fixes

Backports are when software vendors still distribute updates (patches) for old software versions that are technically unsupported, or when developers provide patches for third-party software as a courtesy. They essentially duplicate security fixes from supported software versions and port them to the unsupported software.
Example: Ubuntu developers update the Ubuntu version of OpenSSH.
Learn more about backports.

Extended Security Updates

The general support life cycle of some software products is split into two periods: the first half with “mainstream support,” followed by the second half with “extended support.” After the extended support period, “extended security updates (ESU)” might be offered. Extended support and ESU are taken into consideration when determining if software is supported. This currently applies within the Bitsight platform to Microsoft products.
These ESU programs do not include all security fixes and upgrades. Software with ESU is evaluated in the following manner:
GOOD: From the date of release to the end date of extended support.
FAIR: The first and second years of ESU.
WARN: The third year of ESU.
BAD: The end date of ESU.

April 15, 2025: The impact of FAIR findings.
March 25, 2024: “No findings/low findings” changed to “insufficient data.”
December 12, 2023: Linked to no findings definition.
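As an added illustration of the rules in the Finding Grading and Extended Security Updates sections above (example code written for this page, not Bitsight's own implementation), the following Python derives a finding's grade, whether it affects the rating, and when its 60-day lifetime ends. The field names are assumptions, backported software is graded GOOD as the Finding Grading list states, ESU "years" are counted in 365-day blocks from the end of extended support, and the grace period is taken as 28 days inclusive.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

GRACE_DAYS = 28          # grace period for validating and updating packages (FAIR)
WARN_WINDOW_DAYS = 365   # unsupported for less than 365 days -> WARN, afterwards BAD
LIFETIME_DAYS = 60       # days a finding keeps impacting the risk vector grade
ESU_YEAR_DAYS = 365      # assumption: ESU "years" counted in 365-day blocks


@dataclass
class ServerSoftwareFinding:                # field names are assumptions for this example
    observed: date                          # date the software version was observed
    end_of_support: Optional[date]          # None when the support status is unknown
    latest_patches: Optional[bool] = True   # None when the patch level could not be determined
    backported: bool = False                # vendor still ships security fixes for this version
    esu_end: Optional[date] = None          # end of Extended Security Updates, if offered


def grade(f: ServerSoftwareFinding) -> str:
    """Return GOOD, FAIR, WARN, BAD or NEUTRAL following the page's Finding Grading rules."""
    if f.end_of_support is None or f.latest_patches is None:
        return "NEUTRAL"                    # status unknown: no grade impact, no remediation
    if f.backported:
        return "GOOD"                       # backported security fixes count as up to date
    if f.observed <= f.end_of_support:
        return "GOOD" if f.latest_patches else "BAD"  # supported but missing OS-specific patches
    days_unsupported = (f.observed - f.end_of_support).days
    if f.esu_end is not None:
        # Extended Security Updates: FAIR in ESU years 1-2, WARN in year 3, BAD once ESU ends
        if f.observed >= f.esu_end:
            return "BAD"
        return "FAIR" if days_unsupported < 2 * ESU_YEAR_DAYS else "WARN"
    if days_unsupported <= GRACE_DAYS:
        return "FAIR"                       # inside the 28-day grace period
    if days_unsupported < WARN_WINDOW_DAYS:
        return "WARN"
    return "BAD"


def affects_rating(g: str) -> bool:
    """Only WARN and BAD findings change the Server Software grade and the Security Rating."""
    return g in ("WARN", "BAD")


def impact_ends(f: ServerSoftwareFinding) -> date:
    """Last day the finding counts toward the grade if nothing changes (60-day lifetime)."""
    return f.observed + timedelta(days=LIFETIME_DAYS)
```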