- September 11, 2023: Separated finding messages.
- April 19, 2023: 2023 RAU risk category weight adjustment.
- June 2, 2022: The frequency of refreshing software status data.
Server Software findings are evaluated based on the supported/unsupported status of an organization’s server software.
We cannot make any special exemptions with regards to the impact of this risk vector if an organization’s business requirements depend on outdated or insecure server software applications. Please contact Bitsight Support if you would like to discuss your Server Software findings.
Field | Description | Details & Values
---|---|---
Lifetime | The number of days a finding will impact the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. | 60 Days
No Findings | The letter grade if there are no findings for this risk vector. | The use of server software is not required to improve an organization’s cyber security posture. Therefore, there’s no penalty or negative impact to the rating in the absence of Server Software findings.
Refresh | The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, e.g., newly observed Diligence findings or an existing finding that was remediated. |
Automated Scan Duration | The duration of a regularly scheduled finding refresh, as the Bitsight platform checks for new observations. | 8 Days
Data | How often the Bitsight platform is updated with the current security landscape. | The Bitsight platform is updated with software support details on a monthly basis.
User-Requested Refresh Duration | The duration of a user-requested refresh, which initiates a refresh of eligible findings upon request. This is recommended when a change in the finding is expected, such as when a finding has been remediated. | 2-3 Days
Grace Period | The time before a recognized finding starts to impact ratings. |
Weight | Out of 70.5% in Diligence. | 2%
Finding Grading
Grade | Considerations
---|---
GOOD | The software is up-to-date, has been backported, or has the latest security patches.
FAIR | The version has been unsupported for less than 4 weeks.
WARN | The version has been unsupported for less than 52 weeks. Software that is no longer supported is evaluated as WARN for a grace period of 28 days. After 28 days, WARN becomes BAD.
BAD | The version has been unsupported for over 52 weeks. The software is either unsupported or it does not have the latest OS-specific patches applied. These findings impact an organization’s Server Software risk vector grade and Bitsight Security Rating.
NEUTRAL | The software status could not be determined, or it is unsupported but still receives security fixes. There’s either not enough information to determine if the software version is supported, not enough information to determine if the latest OS-specific patches are installed, or the software is unsupported but still receives security fixes. These findings do not impact the Server Software risk vector grade, and remediation is unnecessary.
Backported Security Fixes
Backports are when software vendors still distribute updates (patches) for old software versions that are technically unsupported or when developers provide patches for third-party software as a courtesy. They essentially duplicate security fixes from supported software versions and port them to the unsupported software.
Example: Ubuntu developers update the Ubuntu version of OpenSSH.
Learn more about backports.
Extended Security Updates
The general support life cycle of some software products is split into two periods – the first half with “mainstream support,” followed by the second half with “extended support.” After the extended support period, “extended security updates (ESU)” might be offered. Extended support and ESU are taken into consideration when determining if software is supported.
This currently applies within the Bitsight platform to Microsoft products. These ESU programs do not include all security fixes and upgrades.
Software with ESU is evaluated in the following manner:
- GOOD: From the date of release to the end date of extended support.
- FAIR: The first and second years of ESU.
- WARN: The third year of ESU.
- BAD: The end date of ESU.
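The following is an added example, not Bitsight's own code or a description of its scanner. It models the Finding Grading table and the ESU schedule above as a small Python grader that a defender could run over an internal inventory to anticipate which server software findings would land as GOOD, FAIR, WARN, BAD or NEUTRAL before a scan does. Everything here is an assumption for illustration: the `ServerSoftware` record, its field names, and the sample inventory are constructed; `esu_start` stands for the end date of extended support (when ESU begins). The thresholds used are the week-based ones from the grading table; the separate "28 days" WARN grace-period sentence is not modeled, and the page gives no value for the Grace Period row.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class Grade(str, Enum):
    GOOD = "GOOD"
    FAIR = "FAIR"
    WARN = "WARN"
    BAD = "BAD"
    NEUTRAL = "NEUTRAL"


@dataclass
class ServerSoftware:
    """One observed server software version (hypothetical inventory record)."""
    name: str
    support_end: Optional[date]             # None = support status cannot be determined
    backported: bool = False                # vendor still ships fixes for this old version
    receives_security_fixes: bool = False   # unsupported, but security fixes continue
    esu_start: Optional[date] = None        # end of extended support = start of ESU
    esu_end: Optional[date] = None          # end date of ESU


def _grade_esu(sw: ServerSoftware, observed: date) -> Grade:
    """ESU schedule from the page: GOOD until extended support ends,
    FAIR in ESU years 1-2, WARN in ESU year 3, BAD from the ESU end date."""
    if observed <= sw.esu_start:
        return Grade.GOOD
    if observed >= sw.esu_end:
        return Grade.BAD
    esu_year = (observed - sw.esu_start).days // 365 + 1  # 1-based ESU year
    return Grade.FAIR if esu_year <= 2 else Grade.WARN


def grade_finding(sw: ServerSoftware, observed: date) -> Grade:
    """Apply the Finding Grading table to one record as of `observed`."""
    if sw.support_end is None:
        return Grade.NEUTRAL                 # not enough information to decide
    if sw.esu_start is not None and sw.esu_end is not None:
        return _grade_esu(sw, observed)      # ESU products follow their own schedule
    if observed <= sw.support_end or sw.backported:
        return Grade.GOOD                    # supported, or backported fixes
    if sw.receives_security_fixes:
        return Grade.NEUTRAL                 # unsupported but still receives fixes
    weeks_unsupported = (observed - sw.support_end).days / 7
    if weeks_unsupported < 4:
        return Grade.FAIR
    if weeks_unsupported < 52:
        return Grade.WARN
    return Grade.BAD


def grade_inventory(records: List[ServerSoftware], observed: date) -> Dict[str, Grade]:
    """Grade every record; an empty inventory yields no findings and no penalty."""
    return {sw.name: grade_finding(sw, observed) for sw in records}


def rating_impacting(grades: Dict[str, Grade]) -> List[str]:
    """Names whose grade affects the risk vector (NEUTRAL and GOOD do not)."""
    return [n for n, g in grades.items() if g in (Grade.FAIR, Grade.WARN, Grade.BAD)]


if __name__ == "__main__":
    # Constructed sample inventory; dates and product names are illustrative only.
    today = date(2024, 3, 11)
    inventory = [
        ServerSoftware("web-01 httpd", support_end=date(2025, 6, 30)),
        ServerSoftware("web-02 sshd", support_end=date(2023, 1, 1), backported=True),
        ServerSoftware("db-01 engine", support_end=date(2024, 1, 1)),
        ServerSoftware("legacy-01 os", support_end=date(2022, 1, 1)),
        ServerSoftware("unknown-01", support_end=None),
        ServerSoftware("win-01", support_end=date(2023, 1, 10),
                       esu_start=date(2023, 1, 10), esu_end=date(2026, 1, 10)),
    ]
    results = grade_inventory(inventory, today)
    for name, grade in results.items():
        print(f"{name:16} {grade.value}")
    print("impacting the grade:", rating_impacting(results))
```

Use the output as a prioritisation list: BAD and WARN entries are the ones worth scheduling upgrades for, while NEUTRAL entries need better support-status data rather than remediation.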