
📙 You will learn

How to map severity types and user-customized text to vulnerabilities.

Prerequisites

Audience: IT Professional or End User
Difficulty: Basic
Time needed: Approximately 5 minutes
Tools required: N/A

Users can configure severities for CWE types, such as "all XSS vulnerabilities are now Critical." Users can also configure custom remediation text for a CWE that will be included in any defects submitted for that vulnerability.

Severity Mappings

Severity Mappings in ThreadFix give the administrator the ability to remap the severity of vulnerabilities by their standard CWE type.

  1. First, click on the Application menu from the Navigation sidebar and click on the Customize submenu. Click on ThreadFix Vulnerability Types and from the Severity Mappings tab click on the Create New Mapping button. This brings up a modal dialog for the mapping.

  2. Start typing, for example, "CSRF" into the Source Vulnerability Type field and a dropdown with CWE types that match the text will appear, as seen below.

  3. In the Target Severity Type field, users will see the severity types for applications available to apply to the chosen vulnerability: High, Low, Medium, Critical, Info and Ignore.

     Note: Setting the severity to Ignore will cause all vulnerabilities with the selected CWE to have a status of Hidden; they will thus not be included in the vulnerability count. View these in a vulnerability tree by expanding the Field Controls filter and checking the Hidden box within the Status section. To undo this change, simply delete the mapping created above (click Edit/Delete and then Delete).

  4. Click the Save Mapping button and the newly created mapping will display in the Vulnerability Type (CWE) list.

Custom Severity Text

An administrator can add custom text to vulnerability types as well. These could be general notes, instructions to developers, or any useful information for that particular vulnerability. This custom text will be included in any defects submitted for that vulnerability.

  1. To set custom text for a vulnerability, first click the Custom Text tab and click the Set Custom Text button. This will display a modal dialog.

  2. Similarly to the mappings section, begin typing the name of the vulnerability to be presented with matching CWE types. Select the vulnerability that requires custom text. Next, type in the desired text to be added.

  3. Click the Set Custom Text button. This saves the text and attaches it to the vulnerability.

  4. Next to the newly added entry is an Edit/Delete button which allows for editing or removal of custom text entries.
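The two procedures above change how findings are counted and what goes into a defect, which is easy to misjudge from the UI alone. The following added example is not ThreadFix code; it is a small Python model of the behaviour the walkthrough describes (a per-CWE severity mapping that overrides the scanner's severity, Ignore giving a Hidden status that is excluded from the vulnerability count and restored when the mapping is deleted, and custom text appended to any defect for that CWE). The `Finding` fields, the `VulnTypeConfig` class and the sample findings are constructed assumptions for illustration; the CWE identifiers are the standard ones for XSS (CWE-79), CSRF (CWE-352) and SQL injection (CWE-89).

```python
"""Illustrative model of per-CWE severity mappings and custom text (not ThreadFix's code)."""
from dataclasses import dataclass, field

# Target Severity Type values exactly as the walkthrough lists them.
SEVERITIES = ("Critical", "High", "Medium", "Low", "Info", "Ignore")


@dataclass
class Finding:
    """A constructed scanner finding (hypothetical fields, not ThreadFix's data model)."""
    cwe: str               # e.g. "CWE-79"
    scanner_severity: str  # severity as reported by the scanner
    description: str


@dataclass
class VulnTypeConfig:
    """Per-CWE settings an administrator edits under ThreadFix Vulnerability Types."""
    severity_mappings: dict = field(default_factory=dict)  # CWE -> target severity
    custom_text: dict = field(default_factory=dict)        # CWE -> remediation text

    def create_mapping(self, cwe: str, target: str) -> None:
        """Save Mapping: every vulnerability of this CWE takes `target` as its severity."""
        if target not in SEVERITIES:
            raise ValueError(f"unknown severity {target!r}; expected one of {SEVERITIES}")
        self.severity_mappings[cwe] = target

    def delete_mapping(self, cwe: str) -> None:
        """Edit/Delete -> Delete: undo a mapping (Hidden findings become visible again)."""
        self.severity_mappings.pop(cwe, None)

    def set_custom_text(self, cwe: str, text: str) -> None:
        """Set Custom Text: attach remediation text to a CWE."""
        self.custom_text[cwe] = text


def effective_severity(finding: Finding, cfg: VulnTypeConfig) -> str:
    """A mapping for the finding's CWE overrides the scanner-reported severity."""
    return cfg.severity_mappings.get(finding.cwe, finding.scanner_severity)


def status(finding: Finding, cfg: VulnTypeConfig) -> str:
    """Ignore is not a severity a defect carries; it hides the vulnerability instead."""
    return "Hidden" if effective_severity(finding, cfg) == "Ignore" else "Open"


def vulnerability_count(findings, cfg: VulnTypeConfig) -> int:
    """The application's vulnerability count excludes Hidden vulnerabilities."""
    return sum(1 for f in findings if status(f, cfg) != "Hidden")


def hidden_findings(findings, cfg: VulnTypeConfig) -> list:
    """What the tree shows with Field Controls -> Status -> Hidden checked."""
    return [f for f in findings if status(f, cfg) == "Hidden"]


def build_defect(finding: Finding, cfg: VulnTypeConfig) -> dict:
    """Compose a defect; custom text for the finding's CWE is appended to the body."""
    if status(finding, cfg) == "Hidden":
        raise ValueError("hidden vulnerabilities are not submitted as defects")
    body = finding.description
    extra = cfg.custom_text.get(finding.cwe)
    if extra:
        body = f"{body}\n\nRemediation guidance:\n{extra}"
    return {"cwe": finding.cwe, "severity": effective_severity(finding, cfg), "body": body}


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("CWE-79", "Medium", "Reflected XSS in search parameter"),
    Finding("CWE-352", "Medium", "State-changing form lacks anti-CSRF token"),
    Finding("CWE-352", "Low", "Logout endpoint accepts GET without token"),
    Finding("CWE-89", "High", "SQL injection in order lookup"),
]


def demo() -> dict:
    """Walk through both procedures and return the observable results."""
    cfg = VulnTypeConfig()
    before = vulnerability_count(SAMPLE_FINDINGS, cfg)
    cfg.create_mapping("CWE-79", "Critical")   # "all XSS vulnerabilities are now Critical"
    cfg.create_mapping("CWE-352", "Ignore")    # CSRF findings become Hidden
    cfg.set_custom_text("CWE-79", "Encode output with the framework's HTML escaper.")
    after = vulnerability_count(SAMPLE_FINDINGS, cfg)
    hidden = len(hidden_findings(SAMPLE_FINDINGS, cfg))
    xss_defect = build_defect(SAMPLE_FINDINGS[0], cfg)
    cfg.delete_mapping("CWE-352")              # undo: the CSRF findings count again
    restored = vulnerability_count(SAMPLE_FINDINGS, cfg)
    return {"before": before, "after": after, "hidden": hidden,
            "xss_severity": xss_defect["severity"],
            "xss_has_custom_text": "HTML escaper" in xss_defect["body"],
            "restored": restored}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the count dropping from 4 to 2 while the CSRF mapping is set to Ignore, the two hidden findings reappearing once that mapping is deleted, and the XSS defect carrying Critical severity plus the custom text. Note that unlike the other five values, Ignore is a filtering decision rather than a severity, so it is worth reviewing Ignore mappings periodically to make sure hidden findings are hidden on purpose.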
