Risk Remediation Plans (RRPs) support multiple risk vectors. Each plan provides risk vector-specific details to guide your remediation efforts.
- Patching Cadence
- Web Application Headers
- TLS/SSL Certificates
- TLS/SSL Configurations
- Desktop Software
- Mobile Software
- Web Application Security
Patching Cadence
The Patching Cadence risk remediation plan (RRP) is generated as a PDF. This PDF lists remediation scenarios, groups vulnerabilities by severity and duration, and projects the future Patching Cadence grade under each scenario. To calculate the projected grade, it treats a subset of the unremediated findings as fixed; due to the nature of this risk vector, findings continue to impact your grade for a period after they are remediated.
The Patching Cadence RRP gives an idea of trajectory and timescale under different remediation scenarios. Because findings in this risk vector have a long lifetime, grades improve slowly over time. Use this RRP to see how remediating the highest-impact Patching Cadence findings today would affect your grade over its lifetime (90 days), assuming all findings in a scenario are remediated and no new findings are observed.
| Column Name | Sub-Column Name | Details |
|---|---|---|
| Scenario | ID | The numerical ID associated with the scenario. |
| Scenario | Total Findings Remediated Today | The number of findings remediated in the scenario. The first scenario in the report projects what would happen in the future if you don't remediate any finding; the following scenarios project what would happen if you remediated different groups of findings. The total is cumulative, meaning that each row adds findings to the total. |
| Group | Findings | The findings considered in the scenario. Each finding is generated based on a vulnerability detected in one of your internet-facing assets. Selecting the number opens the relevant findings in the Findings table. |
| Group | Vulnerability Severity | The Bitsight severity of the vulnerabilities associated with the findings. Groups are sorted from top to bottom based on severity. Learn more about vulnerability severity. |
| Group | Duration (Range for Findings) | The amount of time a vulnerability was seen unpatched. Duration ranges are dynamically defined based on quartiles, meaning each Duration range has a similar number of findings across all vulnerability severities. |
| Projected Patching Cadence grade in… | 1 day, 30 days, 60 days, etc. | The projected grade improvement timeline if the scenario criteria are met. |
Reference the Knowledge Base articles below for further information on the Patching Cadence risk vector, findings, and remediation.
- Patching Cadence Risk Vector
- How is the Patching Cadence Risk Vector Assessed?
- Patching Cadence Findings
Web Application Headers
Lists issues found in your web application headers. Columns for specific headers indicate whether the header is Missing, Faulty, OK, or not applicable.
This risk vector may include Neutral findings that need to be maintained in order to keep an A; they can’t become Good, but should be prevented from becoming or returning to Bad, Warn, or Fair.
As an example, once a Bad insecure redirect finding is fixed, the Bad finding is squashed by a Neutral one, not a Good one. This Neutral must be maintained to keep an A grade.
Finding Details for Web Application Headers:
- Cache-Control
- Indicates whether the Cache-Control header is missing. This header is required.
- Content-Security-Policy
- Indicates whether the Content-Security-Policy header is faulty, missing, or OK. This header is required.
- [Date] Last Seen Date
- Date the finding was most recently observed.
- Domain
- Domain associated with the finding.
- Finding Grade
- The finding grade (Bad, Warn, Fair, Good, Neutral) as of the date the RRP was generated.
- Grade [Group]
- The group of findings that need to be fixed to get from one grade to the next as of the date the RRP was generated.
- HTML Links
- If HTML links are present, indicates the number of record types.
- HTML Resources
- If HTML resources are present, indicates the count of external HTML resources.
- Insecure Authentication
- If an insecure authentication is present, indicates where.
- Insecure Redirect
- If an insecure redirect is present, indicates where.
- Port
- Port of the web application finding.
- Set-Cookie
- Indicates whether the Set-Cookie header is faulty, missing, or OK. This header is optional.
- Strict-Transport-Security
- Indicates whether the Strict-Transport-Security header is faulty, missing, or OK. This header is required.
- Title
- Title of the webpage the finding is on.
- X-Content-Type-Options
- Indicates whether the X-Content-Type-Options header is faulty, missing, or OK. This header is required.
- X-XSS-Protection
- Indicates whether the X-XSS-Protection header is faulty, missing, or OK. This header is optional.
- X-Frame-Options
- Indicates whether the X-Frame-Options header is faulty, missing, or OK. This header is optional.
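The Missing / Faulty / OK classification above can be reproduced against your own servers before the next report cycle. The following added example (not part of the Bitsight article or its grading engine) takes a captured set of response headers, applies the required/optional split from the list above, and reports each header's status. The "Faulty" rules in `is_faulty` are this example's own illustrative sanity checks, not Bitsight's criteria; the sample headers are constructed.

```python
"""Audit HTTP response headers against the Web Application Headers checklist.

Added example, not vendor code. Classification per header: Missing, Faulty, OK.
The Faulty rules are illustrative assumptions, not Bitsight's grading logic.
"""

from typing import Dict, List

# Required vs optional headers, as listed in the finding details above.
REQUIRED_HEADERS = (
    "Cache-Control",
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
)
OPTIONAL_HEADERS = ("Set-Cookie", "X-XSS-Protection", "X-Frame-Options")


def _hsts_max_age(value: str) -> int:
    """Return the max-age directive of an HSTS value, or -1 if absent/malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return -1


def is_faulty(name: str, value: str) -> bool:
    """Illustrative check for a header that is present but weakly configured.

    Assumption: these thresholds are the example's own, chosen to show the
    Faulty state; the vendor's exact rules are not published on this page.
    """
    v = value.strip().lower()
    if name == "Strict-Transport-Security":
        return _hsts_max_age(v) <= 0          # HSTS with no positive max-age
    if name == "X-Content-Type-Options":
        return v != "nosniff"
    if name == "X-Frame-Options":
        return v not in ("deny", "sameorigin")  # ALLOW-FROM is obsolete
    if name == "Content-Security-Policy":
        return "default-src" not in v         # no fallback directive
    if name == "Set-Cookie":
        return "secure" not in v or "httponly" not in v
    return False                              # other headers: present means OK


def classify_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Map every checklist header to 'Missing', 'Faulty' or 'OK'.

    Header names are matched case-insensitively, as HTTP requires. If your
    capture has several Set-Cookie lines, pass the weakest one.
    """
    present = {k.lower(): v for k, v in headers.items()}
    report: Dict[str, str] = {}
    for name in REQUIRED_HEADERS + OPTIONAL_HEADERS:
        value = present.get(name.lower())
        if value is None:
            report[name] = "Missing"
        elif is_faulty(name, value):
            report[name] = "Faulty"
        else:
            report[name] = "OK"
    return report


def required_gaps(report: Dict[str, str]) -> List[str]:
    """Required headers that are not OK: the ones a remediation plan lists first."""
    return [n for n in REQUIRED_HEADERS if report[n] != "OK"]


# Constructed sample response headers (not a real capture).
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "no-store",
    "Strict-Transport-Security": "max-age=0",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "Set-Cookie": "session=abc123; Path=/",
}

if __name__ == "__main__":
    result = classify_headers(SAMPLE_RESPONSE_HEADERS)
    for header, status in result.items():
        tag = "required" if header in REQUIRED_HEADERS else "optional"
        print(f"{header:<28} {status:<8} ({tag})")
    print("Required headers to fix first:", required_gaps(result))
```

Running the script against the constructed sample reports Content-Security-Policy as Missing, Strict-Transport-Security as Faulty (max-age of zero), and the two required gaps first; the optional headers are reported too, but only the required ones block an A under the rules described above.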
Reference the Knowledge Base articles below for further information on the Web Application Headers risk vector, findings, and remediation.
- Web Application Headers Risk Vector
- How is the Web Application Headers Risk Vector Assessed?
- Web Application Header Findings
- Web Application Header Finding Grades
TLS/SSL Certificates
Lists issues found in your TLS/SSL certificates. Potential findings include expired certificates, self-signed certificates, insecure signature algorithms, and large numbers of DNS names.
Finding Details for TLS/SSL Certificates:
- Certificate Serial Number
- Unique identifier of the specific certificate with issues.
- [Date] Last Seen Date
- Date the finding was most recently observed.
- Finding Grade
- The finding grade (Bad, Warn, Fair, Good) as of the date the RRP was generated.
- Finding Identifier
- The asset (e.g., IP, domain, host, application, port) and its status (e.g., online/offline, version, support status) that identifies the finding. This is not applicable to TLS/SSL Certificate findings; refer to the Certificate Serial Number to identify TLS/SSL Certificate findings.
- Grade [Group]
- The group of findings that need to be fixed to get from one grade to the next as of the date the RRP was generated.
- Issues
- Open issues that affect the finding grade.
Reference the Knowledge Base articles below for further information on the TLS/SSL Certificates risk vector, findings, and remediation.
- TLS/SSL Certificates Risk Vector
- How is the TLS/SSL Certificates Risk Vector Assessed?
- TLS/SSL Certificate Findings
- TLS/SSL Finding Remediation & Remediation Verification
TLS/SSL Configurations
Lists issues found in your TLS/SSL configurations. Potential findings include insecure protocols, missing or non-standard certificates, and other issues in your TLS/SSL configurations.
Finding Details for TLS/SSL Configurations:
- [Date] Last Seen Date
- Date the finding was most recently observed.
- Finding Grade
- The finding grade (Bad, Warn, Fair, Good) as of the date the RRP was generated.
- Finding Identifier
- The asset (e.g., IP, domain, host, application, port) and its status (e.g., online/offline, version, support status) that identifies the finding.
- Grade [Group]
- The group of findings that need to be fixed to get from one grade to the next as of the date the RRP was generated.
- Issues
- Open issues that affect the finding grade.
Reference the Knowledge Base articles below for further information on the TLS/SSL Configurations risk vector, findings, and remediation.
- TLS/SSL Configurations Risk Vector
- How is the TLS/SSL Configurations Risk Vector Assessed?
- TLS/SSL Configuration Findings
- TLS/SSL Finding Remediation & Remediation Verification
Desktop Software
Lists unsupported operating systems and browsers identified on desktop devices in your network that access the Internet. Potential findings include supported or unsupported operating systems and browsers.
Finding Details for Desktop Software:
- [Date] First Seen Date
- Date the finding was first observed.
- [Date] Last Seen Date
- Date the finding was most recently observed.
- Details
- States whether the operating system and browser are supported or unsupported.
- Estimated Users
- Estimated number of users with the operating system and browser.
- Finding Grade
- The finding grade (Bad, Warn, Fair, Good) as of the date the RRP was generated.
- Geo Location
- The geographical location where the unsupported operating system or browser was observed.
- Grade [Group]
- The group of findings that need to be fixed to get from one grade to the next as of the date the RRP was generated.
- OS/Browser
- The operating system and browser associated with the finding, with version numbers.
- Sample IPs
- Sample of the hosts detected using the operating system and browser.
Reference the Knowledge Base articles below for further information on the Desktop Software risk vector, findings, and remediation.
- Desktop Software Risk Vector
- How is the Desktop Software Risk Vector Assessed?
- Desktop Software Findings
Mobile Software
Lists unsupported operating systems and browsers identified on mobile devices in your network that access the Internet. Potential findings include supported and unsupported operating systems and browsers.
Finding Details for Mobile Software:
- [Date] First Seen Date
- Date the finding was first observed.
- [Date] Last Seen Date
- Date the finding was most recently observed.
- Details
- States whether the operating system and browser are supported or unsupported.
- Estimated Users
- Estimated number of users with the operating system and browser.
- Finding Grade
- The finding grade (Bad, Warn, Fair, Good) as of the date the RRP was generated.
- Geo Location
- The geographical location where the unsupported operating system or browser was observed.
- Grade [Group]
- The group of findings that need to be fixed to get from one grade to the next as of the date the RRP was generated.
- OS/Browser
- The operating system and browser associated with the finding, with version numbers.
- Sample IPs
- Sample of the hosts detected using the operating system and browser.
Reference the Knowledge Base articles below for further information on the Mobile Software risk vector, findings, and remediation.
- Mobile Software Risk Vector
- How is the Mobile Software Risk Vector Assessed?
- Mobile Software Findings
Web Application Security
The details include the finding data, Diligence details, and the following information:
- [Date] First Seen Date
- Date the finding was first observed.
- [Date] Last Seen Date
- Date the finding was most recently observed.
- Evidence Key
- Asset (domain:port) associated with the finding to remediate.
- Failed Evidence Count
- The amount of failed evidence associated with the finding.
- Finding Grade
- The finding grade (Bad, Warn, Fair, Neutral, Good) as of the date the RRP was generated.
- Total Evidence Count
- The total amount of evidence associated with the finding.
- Web App Security Test
- Name of the web application security test.
- April 8, 2025: Risk Remediation Plan available for Web Application Security.
- July 10, 2024: The Patching Cadence lifetime is 90 days.
- May 29, 2024: Certificate Serial Number replaces Finding Identifier as the TLS/SSL Certificates finding identifier.