How is the Diligence Risk Category Calculated?
Mobile Application Security evaluates an organization’s mobile application offerings in Android and iOS app stores (assets) to find security risks that can compromise end-users’ devices and networks (findings).
This risk vector does not currently affect security ratings. It is being evaluated for a period before being factored into security ratings.
Concept | Behavior |
---|---|
Assessment results depending on the action taken during testing. | Result: Pass/Fail. Assessment is immediate. If a new app version is available, the new version replaces all assessments related to the previous one. If an assessment for a specific version is improved, it also replaces the associated finding. |
A default risk vector grade is assigned. | Not all organizations have mobile application offerings. This default grade is assigned if the organization has not published any mobile applications (no assets). |
The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. | Duration: 1 year, with no decay period. Unless updated, all findings have the same impact throughout their lifetime. Their impact is fully removed when updated or after 1 year. If an app is removed from all app stores or updated to a software version that is not supported (and therefore cannot be scanned), its impact is fully removed. The following software versions are supported: |
Percentage (out of 70.5% in Diligence) | Not Applicable |
Criteria
If a third-party developer is involved, please contact Bitsight Support to learn more about Total Risk Monitoring with the Bitsight Security Ratings Platform.
Methodology
Mobile apps are not assigned finding grades (GOOD, FAIR, WARN, BAD, etc.). The numerical app grade is indicative of the app’s overall vulnerability to security issues. Although it’s derived directly from the CVSS values of vulnerabilities found in an app and evaluated on a scale from 0.0 to 10.0, the app grade is not a CVSS value.
Assets are subjected to static and dynamic analysis to evaluate specific types of problems, such as how the application handles sensitive data, interaction vulnerabilities, and API security, and to determine the severity of the security vulnerabilities found (presented as the findings).
Finding Severity
The evaluation method for tested security vulnerabilities is based on the Common Vulnerability Scoring System (CVSS). The assigned value (of 0.1 to 10.0) is indicative of the severity of each vulnerability.
A number of informational vulnerabilities are also tested. However, these informational vulnerabilities do not negatively impact the rating.
CVSS | Passed Test Finding Severity | Failed Test Finding Severity |
---|---|---|
0.0 | Informational | Informational |
0.1 - 3.9 | Minor | Minor |
4.0 - 6.9 | Minor | Moderate |
7.0 - 8.9 | Minor | Material |
9.0 - 10.0 | Minor | Severe |
App Grade Calculation Based on Security Tests
Each individual finding in a mobile app is quantified using the Common Vulnerability Scoring System (CVSS). CVSS is a ten-point scale, spanning 0.0 to 10.0 in increments of 0.1. A CVSS value of 0.0 indicates findings that are informational in nature.
The active sum contribution of individual apps is calculated as an app score (α) based on the failure of security tests (τ):
The app grade (γ) is calculated as:
Risk Vector Grade Calculation Based on the Individual App Grade
To calculate the risk vector grade, first, calculate the mean AppGrade (ᾱ) based on the individual AppGrades.
The second step is to calculate a pre-risk-vector score 𝑥 based on ᾱ using the following formula:
Lastly, the risk vector grade is determined by mapping 𝑥 to a grade using the following table:
Range of 𝑥 (derived from the average app grade) | Risk Vector Grade |
---|---|
0 ≤ 𝑥 < 2.4 | A |
2.4 ≤ 𝑥 < 4.0 | B |
4.0 ≤ 𝑥 < 5.7 | C |
5.7 ≤ 𝑥 < 7.0 | D |
7.0 ≤ 𝑥 < 10 | F |
No applications. | N/A |
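The two lookup tables above (CVSS to finding severity, and 𝑥 to risk vector grade) are easy to get subtly wrong at the band boundaries, so here they are implemented as an added example. This is not Bitsight's code; the page's own formulas for the app score α, the app grade γ and the pre-risk-vector score 𝑥 are not reproduced here, so `pre_risk_vector_score` is an assumption that simply returns the mean app grade ᾱ as a stand-in, and treating 𝑥 = 10.0 as F (the table's F band is written as exclusive at 10) is likewise an assumption.

```python
from statistics import fmean
from typing import Optional, Sequence

# Failed-test severity bands, exactly as tabulated on the page.
# (low, high, label); bounds are inclusive because CVSS moves in 0.1 steps.
_FAILED_BANDS = [
    (0.0, 0.0, "Informational"),
    (0.1, 3.9, "Minor"),
    (4.0, 6.9, "Moderate"),
    (7.0, 8.9, "Material"),
    (9.0, 10.0, "Severe"),
]

# Risk vector grade bands: x < upper -> grade, checked in order.
_GRADE_BANDS = [(2.4, "A"), (4.0, "B"), (5.7, "C"), (7.0, "D"), (10.0, "F")]


def finding_severity(cvss: float, passed: bool) -> str:
    """Map a CVSS value (0.0-10.0) and a test outcome to the page's severity label."""
    score = round(cvss, 1)  # normalise to the 0.1 granularity the page describes
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    if passed:
        # A passed test never rates worse than Minor; CVSS 0.0 stays Informational.
        return "Informational" if score == 0.0 else "Minor"
    for low, high, label in _FAILED_BANDS:
        if low <= score <= high:
            return label
    raise AssertionError("bands cover 0.0-10.0, so this is unreachable")


def pre_risk_vector_score(app_grades: Sequence[float]) -> Optional[float]:
    """Return x for a set of app grades, or None when there are no apps.

    ASSUMPTION: the page's formula for x is not available here, so the mean
    app grade (alpha-bar) is returned unchanged as a placeholder.
    """
    if not app_grades:
        return None
    return fmean(app_grades)


def risk_vector_grade(x: Optional[float]) -> str:
    """Map x to a risk vector grade; None (no applications) maps to N/A."""
    if x is None:
        return "N/A"
    if not 0.0 <= x <= 10.0:
        raise ValueError(f"x out of range: {x}")
    for upper, grade in _GRADE_BANDS:
        if x < upper:
            return grade
    # x == 10.0 exactly: the page's table stops at "< 10"; treated as F (assumption).
    return "F"


def risk_vector_grade_for_apps(app_grades: Sequence[float]) -> str:
    """Convenience wrapper: app grades -> x -> risk vector grade."""
    return risk_vector_grade(pre_risk_vector_score(app_grades))


if __name__ == "__main__":
    # Constructed sample: three apps with grades 3.0, 5.0 and 4.0 (mean 4.0 -> C).
    print(risk_vector_grade_for_apps([3.0, 5.0, 4.0]))
    print(finding_severity(7.0, passed=False), finding_severity(7.0, passed=True))
```

Note that the interesting cases are the boundaries: a failed test at CVSS 6.9 is Moderate while 7.0 is Material, 𝑥 = 2.4 is already a B rather than an A, and an organization with no apps yields N/A rather than a numeric grade.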
- June 6, 2024: Updated language re: apps that are removed from all app stores or unable to be scanned.
- March 25, 2024: “No findings/low findings” changed to “insufficient data.”
- January 10, 2024: Mobile Application Security refresh from 10 days to 6-11 days.