Skip to main content

Checkmarx One Rating System for Severity and Risk Level

Checkmarx One assigns a Severity level for each vulnerability discovered by the Checkmarx One scanners:

  • SAST for static code analysis

  • API Security for static API Security analysis

  • SCA for open source packages analysis

  • KICS for static code analysis of Infrastructure as code.

The severity level assists to prioritize the need to mitigate the various threats that are discovered in the code. An initial severity level is assigned by Checkmarx One for each vulnerability, based on the expertise in assessing potential threats.

Users have the ability to manually adjust the severity level of specific vulnerabilities as they see fit, see Managing (Triaging) Vulnerabilities.

In addition Checkmarx One assigns an overall Risk level to each Project and Application based on the number of vulnerabilities discovered in the code and their severity.

The risk level indicates the overall risk of the software being compromised by malicious attacks. This gives a good indication of how AppSec methodology is applied in the code development life cycle.

Severity Level

The following is a description of the possible severity levels in Checkmarx One:

  • High – A vulnerability that constitutes a very serious weakness and is an easy target for an attacker. This includes vulnerabilities that enable attackers accessing sensitive data, bypassing access controls, executing nefarious commands on the host server etc.

    The following are several examples of High severity vulnerabilities that are covered by the SAST scanner: XSS, SQL Injection, Deserialization Vulnerability, and Second Order Command Injection.

    The vulnerable code sequence should be modified immediately to prevent potential attacks.

    6404309005.jpg
  • Medium – A vulnerability that constitutes a significant weakness which can be exploited by a skilled attacker. This includes vulnerabilities that enable attackers modifying application data, accessing restricted directories, redirecting to an untrusted site, accessing sensitive data etc.

    The following are several examples of Medium severity vulnerabilities that are covered by the SAST scanner: Parameter Tampering, Path Traversal, and Log Forging.

    The vulnerable code sequence should be modified once all High severity vulnerabilities are finished remediating.

    6404309012.jpg
  • Low – A vulnerability that indicates a lack of implementation of adequate security measures. The inadequacy of the security measures that are in place could possibly be exploited by a sophisticated attacker. This includes vulnerabilities that enable attackers decrypting secure transmissions, compromising user accounts, executing brute-force attacks etc.

    The following are several examples of Low severity vulnerabilities that are covered by the SAST scanner: Weak Crypto, Insecure Cookie, and Login Without Audit.

    To fully protect sensitive apps, it is recommended to remediate these vulnerabilities after attending to all the vulnerabilities categorized with a higher severity level.

    6404309018.jpg
  • Info (Only for SAST scanner) - A vulnerability that indicates a lack of compliance with security best practices. The inadequacy of the security measures that are in place could possibly be exploited by a sophisticated attacker. This includes vulnerabilities that enable attackers to upload content to a website, access sensitive information, “clickjack” a website etc.

    The following are some examples of Info level vulnerabilities that are covered by the SAST scanner: X-XSS-Protection, Application Entry Point, and Debug Mode Enabled.

    To achieve the highest level of application security for critical apps, you may want to remediate these vulnerabilities after attending to all vulnerabilities of greater severity.

    6404309024.jpg

Risk Level

The following is a description of the possible Risk levels in Checkmarx One:

  • High – The project contains one or more severe vulnerabilities that expose the code to imminent threat of being compromised by malicious attacks.

  • Medium – The project contains one or more moderately severe vulnerabilities that expose the code to possible threat of being compromised by malicious attacks.

  • Low – The project contains one or more security weaknesses that could possibly be exploited to compromise the code security.