- 12 Apr 2023
- 5 Minutes to read
This topic gives a high-level overview of what likelihood and impact mean in Traceable and how the risk score is calculated. The risk score of an API Endpoint helps you prioritize the resources you spend on securing your APIs. A risk score is a dynamic metric calculated from the likelihood and the impact of a potential exploit of that API Endpoint. Likelihood is the probability that the API is exploited; impact is the effect that a breach of the API Endpoint would have on your infrastructure and organization.
Traceable calculates a risk score for each discovered API Endpoint. A high risk score does not necessarily mean that the Endpoint is under attack; it tells you where to prioritize compensating controls and monitoring.
You can customize the risk score in Traceable by configuring the following:
- Configure how much each factor contributes to the likelihood and impact scores from their respective tabs.
- (Optional) Modify the Risk Lookup Table or configure how the quantitative risk score translates into risk level from the Calculations tab.
Configurable sections in risk score
In the entire risk-scoring exercise, the following are the categories in which you can adjust the values:
- Enable or disable factors for likelihood along with the score for each subfactor
- Enable or disable factors for impact along with the score for each subfactor
- Values in the lookup table
Likelihood of exploit
You can independently set the likelihood component of risk. The likelihood, as explained earlier, is the probability of a vulnerability being exploited by a threat. Traceable provides the following factors and subfactors of likelihood.
API access
An API is considered more exposed if it is external facing, has weak or no authentication, and can be reached over plain HTTP. The API access factor combines three properties of an endpoint: whether it is external or internal, whether traffic to it is encrypted (HTTPS) or non-encrypted (HTTP), and whether authentication is strong, weak, or absent. Each combination is a subfactor, and you can give it a score that suits your API environment. For example, a score of 0 for an external API with strong authentication means that such an API contributes nothing to the API access likelihood score.
API vulnerabilities
API vulnerabilities are security weaknesses or flaws in the interfaces through which an application or system communicates with other software or systems. Attackers can exploit them to gain unauthorized access to sensitive data, execute malicious code, or disrupt the system. Traceable categorizes vulnerabilities as Critical, High, Medium, or Low, each with its own score, which you can customize to suit your API environment.
Ease of resource discovery
Ease of resource discovery is the degree to which the resources and endpoints an API exposes can be discovered by an attacker looking for vulnerabilities to exploit. A resource that is easy to discover (for example, a predictable path with no path parameters) is more likely to be probed and exploited.
Calculating likelihood score
Each subfactor has a score between 0 and 10. Within a factor, Traceable takes the highest configured subfactor score as that factor's score. The likelihood score is the average of the factor scores of all enabled factors, rounded to the nearest integer; disabled factors are excluded from the average, so disabling a low-scoring factor raises the score of the remaining ones.
Subfactor with the highest configured score, per enabled likelihood factor:
- API access: External non-encrypted API with no authentication
- API vulnerabilities: the highest-severity vulnerability category present on the endpoint
- Ease of resource discovery: No path parameters
Total score = 10 + 10 + 7 = 27
Likelihood score = 27 / 3 = 9
A likelihood score of 9 on the 0-10 scale places the endpoint near the top of the range for the reasons above. Treat it as a relative rating for prioritization rather than a literal 90% probability of exploitation: the scale is built from the scores you configured, not from measured attack rates.
Impact of exploit
Impact defines the effect a breach or exploitation of vulnerability will have on your organization and business. The impact score is one of the key components in carrying out the business impact analysis (BIA) of an organization. Traceable provides the following factors and subfactors of impact.
Sensitivity of data
Sensitive data is any type of information that is considered confidential or private and that should be protected from unauthorized access or disclosure. An exploit that exposes sensitive data directly impacts the business. Traceable categorizes sensitive data as Critical, High, Medium, and Low.
Spatial impact
Spatial impact is the extent and scope of the effect that an API vulnerability or exploit can have on the systems, applications, and users that rely on the API. The impact can be localized to a specific system or application, or it can spread across multiple systems, applications, and users. In Traceable, the Spatial Impact is calculated from the number of other APIs that depend on the exploited API.
Labels
Labels form another impact factor. Based on your understanding of your APIs, you can assign a score between 0 and 10 to a label. This score applies to every API Endpoint to which you apply that label.
The impact score is calculated in the same way as the likelihood score. For more information, see Calculating likelihood score.
Calculating the risk score for an endpoint consists of the following two steps:
- Configure or update the lookup table. Traceable provides default values in the lookup table that work for the majority of use cases. Before you change the defaults, make sure that you understand your API environment and the possible combinations of likelihood and impact scores. The values can be between 0 and 10.
- Find the intersection value of likelihood and impact in the lookup table to determine the risk score.
Lookup table and risk level
The lookup table maps the levels of likelihood and impact to an overall risk score value (numeric). From the Traceable platform's home page, navigate to Catalog → Settings → Risk Scoring → Calculations tab to customize the Lookup table. Customizing the lookup is completely optional.
Calculate risk score
Based on the configured value for each factor of likelihood and impact, the scores in the worked example are:
- Likelihood score = (10 + 10 + 7) / 3 = 27 / 3 = 9
- Impact score = (10 + 9 + 10) / 3 = 29 / 3 = 9.67, which is rounded to the nearest integer, that is, 10.
The risk score from the lookup table would be 10 based on the intersection of a likelihood score of 9 (critical) and an impact score of 10 (critical).
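The following Python is an added example, not Traceable's own code, that reproduces the arithmetic described above: the highest subfactor score becomes the factor score, enabled factor scores are averaged and rounded to the nearest integer, and the risk score is read from the intersection of likelihood and impact in the lookup table. The factor and subfactor scores, the stand-in lookup table, and the level thresholds are constructed for illustration and are not Traceable's defaults; the only values taken from the page are the 10, 10, 7 and 10, 9, 10 of the worked example. It also shows the effect of disabling a factor, which the text mentions but does not work through.

```python
"""Added example (not Traceable's code): the risk-score arithmetic from the page.

Only the rules (max per factor, average over enabled factors, round, lookup)
come from the page. Factor names, scores, the lookup table and the level
thresholds below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Factor:
    name: str
    # subfactor name -> configured score, each in 0..10
    subfactors: Dict[str, int] = field(default_factory=dict)
    enabled: bool = True

    def score(self) -> int:
        """Factor score = highest configured subfactor score."""
        for v in self.subfactors.values():
            if not 0 <= v <= 10:
                raise ValueError(f"{self.name}: subfactor scores must be 0-10, got {v}")
        return max(self.subfactors.values())


def component_score(factors: List[Factor]) -> int:
    """Likelihood or impact score: average of the enabled factor scores,
    rounded to the nearest integer. Disabled factors leave both the sum
    and the divisor, so disabling a low-scoring factor raises the result."""
    enabled = [f for f in factors if f.enabled]
    if not enabled:
        raise ValueError("at least one factor must be enabled")
    avg = sum(f.score() for f in enabled) / len(enabled)
    return int(avg + 0.5)  # round half up: 9.67 -> 10, avoids banker's rounding


# Constructed stand-in lookup table (NOT Traceable's default): risk is the
# average of likelihood and impact, rounded up. LOOKUP[likelihood][impact].
LOOKUP = [[(lk + im + 1) // 2 for im in range(11)] for lk in range(11)]

# Constructed level thresholds (assumed), chosen so that 9 and 10 are "critical"
# as in the page's worked example.
LEVELS = [(9, "critical"), (6, "high"), (3, "medium"), (0, "low")]


def risk_level(score: int) -> str:
    for floor, name in LEVELS:
        if score >= floor:
            return name
    return "low"


def risk_score(likelihood: List[Factor], impact: List[Factor], table=LOOKUP) -> dict:
    lk = component_score(likelihood)
    im = component_score(impact)
    risk = table[lk][im]
    return {"likelihood": lk, "impact": im, "risk": risk, "level": risk_level(risk)}


def example_factors():
    """Constructed configuration reproducing the page's 10,10,7 and 10,9,10."""
    likelihood = [
        Factor("API access", {"External non-encrypted API, no authentication": 10,
                              "External API, strong authentication": 0}),
        Factor("API vulnerabilities", {"Critical": 10, "High": 8, "Medium": 5}),
        Factor("Ease of resource discovery", {"No path parameters": 7,
                                              "Path parameters": 3}),
    ]
    impact = [
        Factor("Sensitivity of data", {"Critical": 10, "High": 8}),
        Factor("Spatial impact", {"Many dependent APIs": 9}),
        Factor("Labels", {"payments": 10}),   # hypothetical label
    ]
    return likelihood, impact


def page_example() -> dict:
    """Likelihood (10+10+7)/3 = 9, impact (10+9+10)/3 = 9.67 -> 10, risk 10."""
    likelihood, impact = example_factors()
    return risk_score(likelihood, impact)


def disabled_factor_example() -> int:
    """Disabling the lowest-scoring likelihood factor raises the average:
    (10 + 10) / 2 = 10 instead of 9."""
    likelihood, _ = example_factors()
    likelihood[2].enabled = False
    return component_score(likelihood)


if __name__ == "__main__":
    print(page_example())
    print("likelihood with discovery factor disabled:", disabled_factor_example())
```

The disabled-factor function is the caveat worth remembering when tuning the Likelihood and Impact tabs: turning a factor off does not zero its contribution, it removes it from the divisor, so the remaining factors weigh more.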
View the risk score
The risk score is calculated based on the configurations described above. Configuration changes affect the risk score of future traffic only: the current risk score of an API endpoint does not change until that endpoint receives fresh traffic after the configuration was changed. You can view the risk score and the reason for that score by navigating to the Catalog → API Endpoints page.
The screenshot above shows a risk score of 8 along with the factors contributing to that score; as you can see, it is an external API with no authentication. To get the API corrected, you can file a JIRA ticket from this screen. For more information on Traceable's JIRA integration, see JIRA integration.
You can also view the score contributed by each factor on the Risk tab. The page shows the highest subfactor score in each factor that contributes to the overall risk score.