lamaslany: Feature Request - Accepted Risk/Mitigated Risk tab
12th Aug, 2009 11:07
User Since: 8th May, 2009
System Score: N/A
I am aware that it is possible to exclude an application with a known vulnerability, but that cannot be patched for whatever reason, from being identified as Insecure during a scan, but this poses an issue.
If the application is not identified as Insecure there is no feedback as to the current state of that application.
For example: if App1 is deemed insecure due to a low risk vulnerability, I might want to accept that risk and exclude it from my scans. If at a later date App1 is found to contain a vulnerability that I would class as an unacceptably high risk, I would be none the wiser, as PSI would not notify me of the increased risk (increase due to the increase in vulnerabilities rather than the subjective risk status of me, the user).
It would be nice if there was a category for accepted/mitigated risks. This would allow users to see more clearly what known vulnerabilities were on their system.
An extra tab for accepted risks would be good. In keeping with the current PSI interface you might use blue text to represent no user-created accepted/mitigated risks, yellow for applications that have been deemed an acceptable risk and red for applications that have been deemed an acceptable risk but for which a new advisory is available (or application update if that is easier - the presence of a new update would dictate new vulnerabilities).
On the Overview page this might be graphically represented as an extra segment on the pie chart and coloured segment on the historic bar chart.
Such functionality might only be exposed on the Advanced interface mode to keep things simple for people with less technical knowledge.
It may also give Secunia another useful statistic - how many potentially vulnerable applications they have helped identify that could not be updated for whatever reason. The interface might allow the user to provide some additional feedback on why they could not update the app. It might help to identify trend patterns in how users categorise risks. It could also offer a jump point to the forums to other users that might be trying to mitigate the risks, similarly to the quick links for Insecure apps.
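The blue/yellow/red logic proposed in this post, written up as an added Python example (not Secunia PSI code): each acceptance is scoped to the advisory ids known when the user accepted the risk, so a later advisory for an already-accepted application turns it red instead of staying silently excluded. The data shapes, application names and advisory ids are constructed placeholders.

```python
from collections import Counter

# Constructed sample data: advisory ids currently known per installed
# application. Ids are placeholders, not real Secunia advisories.
SCAN_RESULTS = {
    "App1": {"ADV-0001"},
    "App2": {"ADV-0002", "ADV-0003"},
    "App3": set(),
}

# User-created risk acceptances, scoped to the advisories known at the time
# of acceptance, with the user's stated reason for not updating.
ACCEPTED_RISKS = {
    "App1": {"advisories": {"ADV-0001"}, "reason": "update breaks a required plugin"},
    "App2": {"advisories": {"ADV-0002"}, "reason": "host is not network-facing"},
}

def classify(app, scan_results=SCAN_RESULTS, accepted=ACCEPTED_RISKS):
    """Return (colour, new_advisories) for the Accepted Risk tab.

    blue   - no user-created acceptance exists for this application
    yellow - accepted, and every current advisory is covered by the acceptance
    red    - accepted, but advisories outside the acceptance have since appeared
    """
    current = scan_results.get(app, set())
    record = accepted.get(app)
    if record is None:
        return "blue", set()
    new = current - record["advisories"]
    return ("red" if new else "yellow"), new

def tab_summary(scan_results=SCAN_RESULTS, accepted=ACCEPTED_RISKS):
    """Per-colour counts, as the extra pie-chart segment would need."""
    return Counter(classify(a, scan_results, accepted)[0] for a in scan_results)

def needs_review(scan_results=SCAN_RESULTS, accepted=ACCEPTED_RISKS):
    """Acceptances to revisit: new advisories appeared (red), or the accepted
    advisories no longer apply (stale), e.g. after the app was updated."""
    out = {}
    for app, record in accepted.items():
        _colour, new = classify(app, scan_results, accepted)
        stale = record["advisories"] - scan_results.get(app, set())
        if new or stale:
            out[app] = {"new": new, "stale": stale}
    return out

if __name__ == "__main__":
    for app in SCAN_RESULTS:
        print(app, *classify(app))
    print(dict(tab_summary()))
    print(needs_review())
```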