
Informed Vulnerability Assessment allows us to improve the state of practice in statically, dynamically, and manually analyzing the security of an application by proposing three ranking systems: Rule Ranking, Criticality Ranking and Risk Ranking. It works as follows:

- Rule Ranking information can be used to determine which rules are relevant for a given category of application, thus increasing the speed at which a static analyzer can execute and produce feedback.
- Criticality Ranking information is used to determine which of the vulnerabilities detected by static analysis should be dynamically analyzed first.
- Risk Ranking information is used by a security analyst to determine which risks are likely to be posed by an application of a given category, thus informing the manual inspection process.
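The three rankings above, carried through on constructed data as an added example (not code from the original page or from the project it describes). The rule ids, application categories, hit counts, criticality weights, and the interpretation of Risk Ranking as a category-by-rule matrix are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: historical static-analysis results, one entry per
# (application category, rule id, number of confirmed hits). Not real data.
HISTORICAL_HITS = [
    ("banking", "SQLI-001", 12),
    ("banking", "XSS-002", 3),
    ("banking", "HARDCODED-KEY-003", 7),
    ("banking", "DEBUG-LOG-004", 0),
    ("game", "SQLI-001", 0),
    ("game", "XSS-002", 1),
    ("game", "HARDCODED-KEY-003", 2),
    ("game", "DEBUG-LOG-004", 9),
]

# Constructed criticality weight per rule (assumed 1-10 scale, 10 = most critical).
CRITICALITY = {"SQLI-001": 9, "HARDCODED-KEY-003": 8, "XSS-002": 6, "DEBUG-LOG-004": 2}


@dataclass(frozen=True)
class Finding:
    """One static-analysis finding: which rule fired, where, and how confident the
    analyzer is (assumed to be a value in [0, 1])."""
    rule_id: str
    location: str
    confidence: float


# Constructed findings for one hypothetical banking application.
SAMPLE_FINDINGS = [
    Finding("XSS-002", "views/search.py:42", 0.9),
    Finding("SQLI-001", "db/query.py:17", 0.5),
    Finding("HARDCODED-KEY-003", "config.py:3", 0.95),
]


def rule_ranking(hits, category):
    """Rule Ranking (1-dimensional): score each rule by how often it has fired for
    applications of `category`, highest first."""
    scores = {rule: n for cat, rule, n in hits if cat == category}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def relevant_rules(hits, category, min_hits=1):
    """Rules worth enabling for `category`: rules that never fire for it are dropped,
    so the static analyzer runs a smaller rule set and returns feedback faster."""
    return [rule for rule, n in rule_ranking(hits, category) if n >= min_hits]


def criticality_ranking(findings, criticality):
    """Criticality Ranking: order detected findings so that the most critical ones
    (criticality weight scaled by analyzer confidence) are dynamically analyzed first."""
    def score(f):
        return criticality.get(f.rule_id, 0) * f.confidence
    return sorted(findings, key=lambda f: (-score(f), f.rule_id, f.location))


def risk_ranking(hits, criticality):
    """Risk Ranking (2-dimensional, assumed here to be category x rule): each cell is
    the observed hit count weighted by criticality; per-category totals summarise the
    risk an analyst should expect from an application of that category."""
    matrix = defaultdict(dict)
    for cat, rule, n in hits:
        matrix[cat][rule] = n * criticality.get(rule, 0)
    totals = {cat: sum(row.values()) for cat, row in matrix.items()}
    return dict(matrix), totals


def top_risks(hits, criticality, category, k=2):
    """The k risks an application of `category` is most likely to pose, which is what
    the manual inspection should concentrate on."""
    matrix, _ = risk_ranking(hits, criticality)
    row = matrix.get(category, {})
    return [rule for rule, _ in sorted(row.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]


if __name__ == "__main__":
    print("rules to enable for banking apps:", relevant_rules(HISTORICAL_HITS, "banking"))
    print("dynamic-analysis order:",
          [f.location for f in criticality_ranking(SAMPLE_FINDINGS, CRITICALITY)])
    print("top risks for banking apps:", top_risks(HISTORICAL_HITS, CRITICALITY, "banking"))
```

Each ranking is a pure function of the historical hit table and the criticality weights, so the same code can be re-run as new analysis results are collected; the weights and the category-by-rule reading of Risk Ranking are the places a team would substitute its own data and definitions.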
The following framework depicts an overview of the process for developing the three ranking systems.
[Figure: Framework. Labels recoverable from the diagram: Rule Ranking (1 dimensional); Risk Ranking (2 dimensional).]