Leonardo Kenji Shikida

Reputation: 751

How does Fortify calculate the "estimated remediation effort" score?


On page 129 of this document, the product manual says what the score is and what it means, but it does not give any clue as to how it is calculated.

https://www.microfocus.com/documentation/fortify-static-code-analyzer-and-tools/1820/AWB_Guide_18.20.pdf

Upvotes: 0

Views: 75

Answers (1)

Hajiahmad Ahmadzada

Reputation: 1

The "Estimated Remediation Effort" score is a metric that gives developers and security analysts an approximation of the time and effort required to address and remediate a security finding or vulnerability identified by the tool.

You can use general principles to calculate it:

  • Severity of the Vulnerability
  • Type of Vulnerability: Different types of vulnerabilities (e.g., XSS, SQLi) have varying complexities. Some might require simple code changes, while others might necessitate a redesign of certain components or data flow.
  • Location in Code: Vulnerabilities located in critical system components or in areas of the code that are complex and tightly coupled with other functionalities might be marked as requiring more effort to remediate due to the risk of introducing bugs.

Fortify probably uses a database of historical data or defined estimates to assign an initial time required for various vulnerabilities.

Systems improve their estimates through feedback from users on the accuracy of previous estimates and through historical data on actual remediation times.

Upvotes: 0
