How Does Qualys Risk Rank Web Application Vulnerabilities?

Discussion created by fmc on Nov 18, 2014

Thank you to Boyd White for his hard work getting this all together.




Every web application Qualys Identifier (QID) is assigned a Qualys severity or information level. That level reflects the security risk as judged collaboratively by our vulnerability signatures team. Vulnerabilities are usually also assigned a Common Vulnerability Scoring System (CVSS) score. Some findings have no CVSS score because the scoring mechanism does not fit them, or because not enough information was available when the signature was created to generate one. For example, "links crawled" or "authentication failed" are not security concerns in themselves, but may be useful to administrators.


This CVSS score is generally calculated using Mitre's calculator. The CVSS base score combines exploitability metrics (access vector, access complexity, and authentication required) with impact metrics (confidentiality, integrity, and availability). Where multiple vendors have reported the same type of vulnerability (e.g. XSS), the calculator is not used directly; instead the vulnerability signatures team weights the published CVSS scores by prevalence and averages them, so the score tracks the common case rather than a single outlier report. Because XSS can be found in many locations and in many contexts, this is current industry practice, and the result is that similar types of vulnerabilities (e.g. XSS) carry similar CVSS scores.


Qualys' rating system is subjective: it relies on our vulnerability team's years of signature development expertise and collaborative decisions, which are then configured, approved by the vulnerability signature team manager, and released in the Qualys KnowledgeBase. The team takes into account the complexity of the exploit, the likelihood that it works under normal conditions, and the network location and privileges an attacker needs to execute a successful attack. The prevalence of the affected attack vector and the existence of known attacks, worms, or malware may also factor into the rating. Information that becomes available after the QID is published may trigger a follow-up re-assessment.


Some clients use the OWASP Top 10 instead as a guide for their risk ranking. As of this writing, the OWASP guide is available from OWASP; its risk ranking is maintained outside of Qualys, but reviewing it is an industry practice for considering application threats. Focusing on these vulnerability classes is often done in tandem with, or in lieu of, a CVSS or Qualys score methodology.


How Does CVSS Compare to Qualys Risk Ranking System?


There is no one-to-one mapping between the two systems, because they are produced by different mechanisms. Where possible, the CVSS scores used are those released by the vendor; for web application vulnerabilities, where there is usually no vendor score, they are determined by the vulnerability signatures team as described above.


How Do CVSS Ratings in WAS Apply to WAS Requirements in PCI DSS?


In short, CVSS ratings in WAS do not directly apply to the web application requirements in the DSS. The PCI DSS has several requirements for web applications (for example, secure coding under Requirement 6.5 and the application review or web application firewall under Requirement 6.6), but as of PCI DSS version 3 no CVSS threshold is built into the standard itself. One caveat: the ASV Program Guide that governs the quarterly external network scans under Requirement 11.2.2 does use CVSS base scores (4.0 and above fails the scan), but that applies to ASV scans, not to WAS findings. What the DSS does require (Requirement 6.1) is a documented process that assigns a risk ranking to newly discovered vulnerabilities, so if your organization's process uses CVSS as its benchmark for remediation, an assessor will expect that policy to be followed for you to be compliant.