- August 24, 2023: Added Patching Cadence risk vector.
- August 25, 2022: Added Desktop Software and Mobile Software risk vectors.
- June 22, 2022: Published.
⇤ Risk Remediation Plan: Overview
The RRP supports multiple risk vectors. Each plan provides risk vector-specific details to enable your remediation efforts.
- Patching Cadence
- Web Application Headers
- TLS/SSL Certificates
- TLS/SSL Configurations
- Desktop Software
- Mobile Software
Patching Cadence
The Patching Cadence RRP is generated as a PDF. This PDF lists remediation scenarios, groups vulnerabilities based on severity and duration, and projects the future Patching Cadence grade based on each scenario. This RRP considers a subset of unremediated findings to be fixed to calculate the projected grade; due to the nature of this risk vector, remediated findings continue to impact your grade over time.
The Patching Cadence RRP provides an idea of trajectory and timescale based on different remediation scenarios. Due to the long lifetime period associated with this risk vector, grades improve slowly over time. This RRP can be leveraged to see how remediating the highest-impact Patching Cadence findings today would affect your grade over the next 300 days, assuming all findings in a scenario are remediated and no new findings are observed.
| Column Name | Sub-Column Name | Details |
|---|---|---|
| Scenario | ID | The numerical ID associated with the scenario. |
| Total Findings Remediated Today | The number of findings remediated in the scenario. The first scenario in the report projects what would happen in the future if you don’t remediate any finding; from there, the following scenarios project what would happen if you remediated different groups of findings. The total is cumulative, meaning that each row adds findings to the total. | |
| Group | Findings | The findings considered in the scenario. Each finding is generated based on a vulnerability detected in one of your internet-facing assets. Selecting the number opens the relevant findings in the Findings table. |
| Vulnerability Severity |
The Bitsight severity of the vulnerabilities associated with the findings. Groups are sorted from top to bottom based on severity. Learn more about vulnerability severity. |
|
| Duration (Range for Findings) | The amount of time a vulnerability was seen unpatched. Duration ranges are dynamically defined based on quartiles, meaning each Duration range has a similar number of findings across all vulnerability severities. | |
| Projected Patching Cadence grade in… | 1 day, 30 days, 60 days, etc. | The projected grade improvement timeline if the scenario criteria are met. |
Reference the Knowledge Base articles below for further information on the Patching Cadence risk vector, findings, and remediation.
- Patching Cadence Risk Vector
- How is the Patching Cadence Risk Vector Assessed?
- Patching Cadence Findings
Web Application Headers
Lists issues found in your web application headers. Columns for specific headers indicate whether the header is Missing, Faulty, OK, or not applicable.
This risk vector may include Neutral findings that need to be maintained in order to keep an A; they can’t become Good, but should be prevented from becoming or returning to Bad, Warn, or Fair.
As an example, once a Bad insecure redirect finding is fixed, the Bad finding is squashed by a Neutral one, not a Good one. This Neutral must be maintained to keep an A grade.
| Column Name | Details |
|---|---|
| Grade [Group] | The group of findings that need to be fixed to get from one grade to the next as of the date the RRP was generated. |
| Domain | Domain associated with the finding. |
| Port | Port of the web application finding. |
| Title | Title of the webpage the finding is on. |
| Last Seen Date | Date the finding was most recently observed. |
| Finding Grade | The finding grade (Bad, Warn, Fair, Good, Neutral) as of the date the RRP was generated. |
| Insecure Redirect | If an insecure redirect is present, indicates where. |
| Insecure Authentication | If an insecure authentication is present, indicates where. |
| HTML Resources | If HTML resources are present, indicates the count of external HTML resources. |
| HTML Links | If HTML links are present, indicates the number of record types. |
| Content-Security-Policy | Indicates whether the Content-Security-Policy header is faulty, missing, or OK. This header is required. |
| X-Content-Type-Options | Indicates whether the X-Content-Type-Options header is faulty, missing, or OK. This header is required. |
| Strict-Transport-Security | Indicates whether the Strict-Transport-Security header is faulty, missing, or OK. This header is required. |
| Cache-Control | Indicates whether the Cache-Control header is missing. This header is required. |
| Set-Cookie | Indicates whether the Set-Cookie header is faulty, missing, or OK. This header is optional. |
| X-XSS-Protection | Indicates whether the X-XSS-Protection header is faulty, missing, or OK. This header is optional. |
| X-Frame-Options | Indicates whether the X-Frame-Options header is faulty, missing, or OK. This header is optional. |
Reference the Knowledge Base articles below for further information on the Web Application Headers risk vector, findings, and remediation.
- Web Application Headers Risk Vector
- How is the Web Application Headers Risk Vector Assessed?
- Web Application Header Findings
- Web Application Header Finding Grades
TLS/SSL Certificates
Lists issues found in your TLS/SSL certificates. Potential findings include expired certificates, self-signed certificates, insecure signature algorithms, and large numbers of DNS names.
| Column Name | Details |
|---|---|
| Grade [Group] | The group of findings that need to be fixed to get from one grade to the next as of the date the RRP was generated. |
| Certificate Serial Number | Unique identifier of the specific certificate with issues. |
| Finding Identifier | Domain or IP address and Port combination associated with the finding. |
| Last Seen Date | Date the finding was most recently observed. |
| Finding Grade | The finding grade (Bad, Warn, Fair, Good) as of the date the RRP was generated. |
| Issues | Open issues that affect the finding grade. |
Reference the Knowledge Base articles below for further information on the TLS/SSL Certificates risk vector, findings, and remediation.
- TLS/SSL Certificates Risk Vector
- How is the TLS/SSL Certificates Risk Vector Assessed?
- TLS/SSL Certificate Findings
TLS/SSL Configurations
Lists issues found in your TLS/SSL configurations. Potential findings include insecure protocols, missing or non-standard certificates, and other issues in your TLS/SSL configurations.
| Column Name | Details |
|---|---|
| Grade [Group] | The group of findings that need to be fixed to get from one grade to the next as of the date the RRP was generated. |
| Finding Identifier | Domain or IP address and Port combination associated with the finding. |
| Last Seen Date | Date the finding was most recently observed. |
| Finding Grade | The finding grade (Bad, Warn, Fair, Good) as of the date the RRP was generated. |
| Issues | Open issues that affect the finding grade. |
Reference the Knowledge Base articles below for further information on the TLS/SSL Configurations risk vector, findings, and remediation.
- TLS/SSL Configurations Risk Vector
- How is the TLS/SSL Configurations Risk Vector Assessed?
- TLS/SSL Configuration Findings
Desktop Software
Lists unsupported operating systems and browsers identified on desktop devices in your network that access the Internet. Potential findings include supported or unsupported operating systems and browsers.
| Column Name | Details |
|---|---|
| Grade [Group] | The group of findings that need to be fixed to get from one grade to the next as of the date the RRP was generated. |
| OS/Browser | The operating system and browser associated with the finding, with version numbers. |
| Estimated Users | Estimated number of users with the operating system and browser. |
| First Seen Date | Date the finding was first observed. |
| Last Seen Date | Date the finding was most recently observed. |
| Finding Grade | The finding grade (Bad, Warn, Fair, Good) as of the date the RRP was generated. |
| Details | States whether the operating system and browser are supported or unsupported. |
| Geo Location | The geographical location where the unsupported operating system or browser was observed. |
| Sample IPs | Sample of the hosts detected using the operating system and browser. |
Reference the Knowledge Base articles below for further information on the Desktop Software risk vector, findings, and remediation.
- Desktop Software Risk Vector
- How is the Desktop Software Risk Vector Assessed?
- Desktop Software Findings
Mobile Software
Lists unsupported operating systems and browsers identified on mobile devices in your network that access the Internet. Potential findings include supported and unsupported operating systems and browsers.
| Column Name | Details |
|---|---|
| Grade [Group] | The group of findings that need to be fixed to get from one grade to the next as of the date the RRP was generated. |
| OS/Browser | The operating system and browser associated with the finding, with version numbers. |
| Estimated Users | Estimated number of users with the operating system and browser. |
| First Seen Date | Date the finding was first observed. |
| Last Seen Date | Date the finding was most recently observed. |
| Finding Grade | The finding grade (Bad, Warn, Fair, Good) as of the date the RRP was generated. |
| Details | States whether the operating system and browser are supported or unsupported. |
| Geo Location | The geographical location where the unsupported operating system or browser was observed. |
| Sample IPs | Sample of the hosts detected using the operating system and browser. |
Reference the Knowledge Base articles below for further information on the Mobile Software risk vector, findings, and remediation.