Manage a file's vulnerabilities

So FACT has identified potential vulnerabilities in your product.
What do you do now?

You'll need to determine whether each vulnerability associated with your product file is actually exploitable, and then record your finding in an exploit assessment, including any remediation or mitigation steps customers can take.

 Important

To effectively manage vulnerability associations, you need to be familiar with your organization’s product files and product lines, and you need to have a firm understanding of vulnerabilities.

All new vulnerability associations have the status Affected, but FACT lists them on the Unassigned tab so that you can easily find the ones that still need human review. Don't leave them there too long: after 30 days, FACT automatically moves them to the Affected tab.

You create an exploit assessment on a vulnerability that has been associated with your product. The exploit assessment helps communicate to your customers how the vulnerability impacts your product — or that it doesn't have an impact at all. It is also a way to share remediation steps that customers or site operators can perform to mitigate deficiencies.

Internally, you can use exploit assessments to help you triage vulnerabilities and work with your development team to investigate and plan remediations.

When you create an exploit assessment, you assign it a status. The first step is usually to flag the vulnerability as Under Investigation. This status immediately improves the file's score while giving your development team the time they need to conduct their assessment. Treat Under Investigation as a holding state, not a verdict: once the investigation is complete, update the assessment to Affected, Not Affected or Fixed so that the score reflects what you actually found.

You can create an exploit assessment for a single vulnerability, or you can group related vulnerabilities into a single exploit assessment.

After you complete your investigation, you can return to the file and edit the existing exploit assessment to update the status and provide additional information for users. You may find it more convenient to perform updates on the Exploit Assessments page.

FACT’s AI learns from the feedback you give, helping it recognize future vulnerabilities with higher confidence.

  1. In the sidebar, select Files > Product Files.
  2. Choose how you want the product files displayed: Group By Product or List All Files.
  3. Locate the product file whose vulnerabilities you want to view.

     Search Tip

    Use the filter and search features to display a set of files with specific attributes or help locate a particular file. See Filter and search for files for full instructions on using these features. 

    From the dashboard, use the links in the Vulnerabilities box to display a pre-filtered list of files. Click See Files to view all product files with associated vulnerabilities, or view a subset based on their vulnerability status.
    (Screenshot: Vulnerabilities box on the dashboard)

  4. Click a file name or the file's score to open the information window.
    The Analysis Results tab displays general information on the selected product file, including vulnerabilities. 
  5. Click Manage Vulnerabilities in the Vulnerabilities box.
    The Vulnerabilities tab displays the vulnerabilities associated with the selected file. The vulnerabilities are sorted by their status.
  6. Select a tab to display the vulnerabilities you're interested in.
    When creating a new exploit assessment, you'll want to view the vulnerabilities on the Unassigned tab or the Affected tab.

    Unassigned
    The selected files are considered to be affected by the vulnerabilities listed but have not yet been human verified. (Partner Supplier plan only)
    Under Investigation
    It is not yet known if the selected files are affected by the vulnerabilities listed, but the vulnerability association is currently being assessed.
    Affected
    The selected files are considered or known to be affected by the vulnerabilities listed. These may or may not have been human verified.
    Not Affected
    The selected files are known to be unaffected by the vulnerabilities listed.
    Fixed
    The selected files have been fixed for the vulnerabilities listed.
  7. Adjust the confidence level filter to widen or narrow the set of vulnerability associations displayed.
  8. In the Grouped Vulnerabilities section, select how you want to view the vulnerabilities.
    You can view all vulnerabilities at once, or you can group them by product or component. The groupings help you locate vulnerabilities that are of particular priority or interest to you. There are three panels in the Grouped Vulnerabilities section of the window.
    See the article View the vulnerabilities associated with a file for a detailed description of these viewing options.
  9. Move through the panels from left to right to drill deeper into a vulnerability association.
    The Grouped Vulnerabilities section contains clickable content that displays additional information without leaving the information window. Use this information to assess both the file and the associated vulnerability before deciding on a status.
  10. Click the check box to the left of the vulnerabilities you want to create the exploit assessment for.
    A panel opens above the Grouped Vulnerabilities section. It indicates the number of vulnerabilities and components you have selected for the exploit assessment.
  11. If appropriate, select the components that are directly impacted by the selected vulnerabilities.

     Important

    To create an exploit assessment on components, your organization must own the selected components. If your organization uses or references the components, create the exploit assessment on the product file itself.

    When no components are selected, the exploit assessment is automatically created on the parent file.
  12. Click Create Exploit Assessment.
    The Create Exploit Assessment wizard opens.

    (Screenshot: Create Exploit Assessment wizard)

    The left side of the wizard lists the vulnerabilities and components that you are creating the exploit assessment for.
  13. Before you proceed, confirm that the vulnerabilities and components listed are correct.
  14. Complete each field in the wizard using the Next and Back buttons to move between the steps.
    Required fields are marked with a red asterisk (*). The help buttons and tooltips describe fields and define list options.
    There are two steps in this wizard:
    • Status Code & General Information
    • Details

       Tip

      Be descriptive when completing the Exploit Assessment Name field. This will make it easier to locate the exploit assessment later when you need to update it.

  15. Click Save.
    If your exploit assessment changed the status of the vulnerability association, FACT moves it to the appropriate category on the Vulnerabilities tab. It may take a few minutes for FACT to update the file score.
