A
- Add-ons: What add-ons does Phoenix Security offer?
- Phoenix Security comes with a bundle of services, with the option to pay for additional services separately:
Dark web monitoring for your account
Dark web monitoring for your identities
3rd party supply chain posture
External attack surface scans and posture monitoring
Cyber threat intelligence premium and enterprise
Professional DevSecOps and configuration services to best help you configure the application and fine tune it
- Applications: How do I configure the application?
- Application configuration and scanner configuration are available at kb.phoenix.security
- Asset: What is an Asset?
- An asset is the thing that contains the vulnerability.
That could be infrastructure like a VM, a piece of code like a repo or file, a build artifact, a cloud service, or a container image.
Assets are what we’re protecting — and findings are how vulnerabilities show up on them.
C
- Common terms: What are web vulnerabilities?
- A website vulnerability is a weakness or misconfiguration in a website or web application code that allows an attacker to gain some level of control of the site, and possibly the host server. Most vulnerabilities are exploited through automated means, such as vulnerability scanners and botnets.
Most common website security vulnerabilities:
SQL Injections. …
Cross Site Scripting (XSS) …
Broken Authentication & Session Management. …
Insecure Direct Object References. …
Security Misconfiguration. …
Cross-Site Request Forgery (CSRF)
- Common terms: What is SAST?
- Static application security testing (SAST), or static analysis, is a testing methodology that analyzes source code to find security vulnerabilities that make your organization’s applications susceptible to attack. SAST scans an application before the code is compiled. It’s also known as white box testing.
- Common terms: What is SCA?
- Software composition analysis (SCA), a term coined by market analysts, describes an automated process to identify open source components in a codebase. Once a component is identified, it becomes possible to map that component to known security disclosures and determine whether multiple versions are present within an application. SCA also helps identify whether the age of the component might present maintenance issues. While not strictly a security consideration, SCA also facilitates legal compliance related to those open source components.
- Criticality levels: What are high, medium and low vulnerabilities?
- CVSS is an industry standard vulnerability metric. You can learn more about CVSS at FIRST.org.
Critical
High
Medium
Low
Below are a few examples of vulnerabilities that may result in a given severity level. Please keep in mind that this rating does not take into account details of your installation and is to be used as a guide only.
Severity Level: Critical
Vulnerabilities that score in the critical range usually have most of the following characteristics:
Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.
For critical vulnerabilities, it is advised that you patch or upgrade as soon as possible, unless you have other mitigating measures in place. For example, a mitigating factor could be if your installation is not accessible from the Internet.
Severity Level: High
Vulnerabilities that score in the high range usually have some of the following characteristics:
The vulnerability is difficult to exploit.
Exploitation could result in elevated privileges.
Exploitation could result in a significant data loss or downtime.
Severity Level: Medium
Vulnerabilities that score in the medium range usually have some of the following characteristics:
Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
Denial of service vulnerabilities that are difficult to set up.
Exploits that require an attacker to reside on the same local network as the victim.
Vulnerabilities where exploitation provides only very limited access.
Vulnerabilities that require user privileges for successful exploitation.
Severity Level: Low
Vulnerabilities in the low range typically have very little impact on an organization’s business. Exploitation of such vulnerabilities usually requires local or physical system access.
D
- Data: What data does Phoenix Security process?
- Phoenix Security connects to your security scanners to retrieve vulnerability data.
Phoenix Security enriches the data with threat intel locality and offers a single asset register across Cloud, Container, software, infrastructure and applications.
Phoenix Security also offers scanning packages for web, API, SCA and Cloud.
Phoenix Security looks at every area of the system such as web facing app risk, software composition, code vulnerabilities, Cloud vulnerabilities, dark web exposure, and 3rd Party supply chain vulnerabilities.
F
- Findings: What is a finding?
- A finding is how a vulnerability shows up in a specific place.
Think of a finding as the instance of a vulnerability — where it actually exists in your environment.
That might be a specific line of code, a library, a container image, a running service, or even a cloud asset.
One vulnerability can have many findings, across different systems.
And depending on where a finding is — and how exposed it is — the risk level can change significantly.
M
- Monetisation: How are the application and environment values calculated?
- Phoenix Security allows you to specify your annualised value and divide it by the number of business applications that you run or specify the value an application generates annually.
- Monetisation: How do I calculate the amount of damage an attacker can affect me with?
- Phoenix Security does that for you. We apply FAIR principles to derive the direct damage (the damage you could incur right now if an attack happens and brings down your application or renders it unavailable) and the indirect damage (the remaining value of the application plus financial damage derived from brand damage, the cost of the records sold on the dark web, and financial damage derived from fines, e.g. under GDPR).
P
- Payment: Can we modify the payment terms?
- Under special circumstances Phoenix Security allows different payment methods and terms. Please get in touch with us so we can identify and discuss the best-fit solution for your business.
- Payment: How can we pay for Phoenix Security?
- AppSec Phoenix allows payments with invoices. AppSec Phoenix allows recurring invoices to be paid monthly with a minimum annual commitment.
- Payments: Can we pay monthly?
- Startups have the option to pay monthly on the professional plan, providing the qualification terms are met.
R
- Risk types: What is risk magnitude and relative risk magnitude?
- The total risk magnitude is the compounded risk of all findings within your organisation (the sum of the risk values of every finding). For teams, the risk magnitude is the sum of the risk of all findings assigned to that team, so you can compare which teams carry the highest total risk and therefore demand attention. The relative risk magnitude is the risk magnitude divided by the number of assets within your organisation or team. This is particularly useful for comparing the relative risk between teams: a team may have the highest risk magnitude but a low relative risk magnitude, which indicates that it is simply assigned significantly more assets. In that case the team may not be one of concern, because its high risk magnitude comes from a large number of assets rather than a large number of criticals that need fixing; the latter would be indicated by a relative risk magnitude that is also much higher than that of other teams.
- Risk types: What is the Threshold or Risk Appetite or Risk Tolerance?
- The term Risk Appetite is used interchangeably with Risk Tolerance and Risk Threshold. It refers to the organisational threshold: the minimum value the global risk level needs to reach to raise the overall risk level for your organisation to critical.
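The two definitions above (risk magnitude and relative risk magnitude, and the organisational threshold) are easy to get wrong when comparing teams, so here is a worked example. It is added here and is not Phoenix Security's own code; the findings, team names and the rule that a team's asset count is the number of distinct assets carrying its findings are all constructed assumptions for illustration.

```python
"""Risk magnitude, relative risk magnitude and threshold check.

Added example, not Phoenix Security's code. It follows the FAQ definitions:
  risk magnitude          = sum of the risk values of all findings
  relative risk magnitude = risk magnitude / number of assets
  threshold               = organisation is critical once total magnitude reaches it
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str   # asset the finding lives on (VM, repo, image, ...)
    team: str    # team the finding is assigned to
    risk: int    # risk value assigned to this finding (assumed integer score)


# Constructed sample findings (assumption: one team per asset).
# "platform" owns many assets with small findings; "payments" owns one asset
# with two serious findings.
SAMPLE_FINDINGS = [
    Finding("vm-1", "platform", 20),
    Finding("vm-2", "platform", 20),
    Finding("vm-3", "platform", 20),
    Finding("vm-4", "platform", 20),
    Finding("vm-5", "platform", 20),
    Finding("api-1", "payments", 45),
    Finding("api-1", "payments", 40),
]


def risk_magnitude(findings):
    """Sum of the risk values of every finding (organisation or team)."""
    return sum(f.risk for f in findings)


def team_metrics(findings):
    """Per-team magnitude, asset count and relative magnitude.

    Assumption: a team's asset count is the number of distinct assets that
    carry at least one of its findings.
    """
    by_team = defaultdict(list)
    for f in findings:
        by_team[f.team].append(f)

    metrics = {}
    for team, team_findings in by_team.items():
        assets = {f.asset for f in team_findings}
        magnitude = risk_magnitude(team_findings)
        metrics[team] = {
            "magnitude": magnitude,
            "assets": len(assets),
            "relative": magnitude / len(assets),
        }
    return metrics


def highest_by(metrics, key):
    """Team with the largest value of `key` ('magnitude' or 'relative')."""
    return max(metrics, key=lambda team: metrics[team][key])


def exceeds_threshold(findings, threshold):
    """True when the organisation's total magnitude reaches the risk threshold."""
    return risk_magnitude(findings) >= threshold


if __name__ == "__main__":
    metrics = team_metrics(SAMPLE_FINDINGS)
    for team, m in metrics.items():
        print(f"{team:9s} magnitude={m['magnitude']:4d} assets={m['assets']} "
              f"relative={m['relative']:.1f}")
    print("highest magnitude:", highest_by(metrics, "magnitude"))
    print("highest relative :", highest_by(metrics, "relative"))
    print("organisation critical at threshold 150:",
          exceeds_threshold(SAMPLE_FINDINGS, 150))
```

With the sample data the platform team has the highest risk magnitude (100 across five assets) but the payments team has the highest relative magnitude (85 on a single asset), which is exactly the case the FAQ describes: the team to look at first is payments, not platform. The organisation's total magnitude of 185 crosses a threshold of 150 but not one of 200.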
S
- Scanners: How does Phoenix Security integrate scanners?
- Scanners are used in cybersecurity to detect vulnerable versions of a system’s software that is at risk of being exploited by attackers. Phoenix Security integrates a wide range of scanners such as Acunetix, Dome9/CloudGuard, Fortify Scanner, Netsparker, SNYK just to name a few. These scanners look at every area of the system such as Web Facing App Risk, Software composition, Code vulnerabilities, Cloud vulnerabilities, Dark web exposure, and 3rd Party Supply Chain vulnerabilities. The Phoenix Security scanners enable an accurate look at a company’s risk and using this pivotal knowledge, facilitate the necessary steps to be taken to fix the vulnerabilities and get everything back in shape.
- Setup: How do I calculate how many assets I have?
- The Phoenix Security team can help you calculate the assets required with free, unlimited asset assessment. By the end of the assessment, you’ll know how many assets you require.
- Setup: How do I set the threshold?
- You will be able to place a threshold in the dashboard. As you interact with the visual data, you will be given an option to set your threshold in each of the graphs (such as the risk progression line graph). With your newly set threshold, you will be able to see whether your application falls above or below it, as well as identify the problem areas that are keeping that application above the threshold.
T
- Targets: What are targets?
- A target is a subdivision of the surface or scope covered by the scanner. Depending on the type of scanner, a target could be a cloud account, website, code repository, individual virtual machine, or an artificial construct defined by the scanner (like an “application” or “project”) etc. Within Phoenix, targets are defined so that the list of targets covers the entire scope of the scanner; two targets won’t cover the same entities (they don’t overlap).
- Threshold: What does ‘override the threshold’ mean?
- As you place your initial threshold and view the progression of the application’s risk over time, you will be able to adjust (override) the previous threshold to reflect any new changes in the company. Perhaps the new industry threshold is lower now.
- Tickets: What are Tickets?
- They are used to track workflow. Once created for a vulnerability, a ticket will automatically be added to any workflow account linked to the applications/environments associated with that vulnerability.
V
- Vulnerabilities: What are vulnerabilities?
- We define a vulnerability as any kind of security issue that introduces risk.
That could be a CVE, a misconfiguration, a cloud identity flaw, a result from threat modelling or a pentest, a CWE, a hardcoded secret, or even a license violation.