Measuring, Communicating, and Eliminating Risk With TruRisk™ in Qualys Web Application Scanning (WAS)

In an era where cyber threats loom larger and more complex than ever, organizations demand not just defense but intelligent, cohesive strategies for managing cyber risks. With the Enterprise TruRisk Platform, Qualys reaffirmed its commitment to these needs by focusing its cybersecurity solutions on the holistic goals of measuring, communicating, and eliminating cyber risks across the extended enterprise. Each component within the platform is designed to synergize, propelling organizations toward a more secure and resilient digital future.

The introduction of the innovative risk scoring system, TruRisk in Qualys Web Application Scanning (WAS) exemplifies the approach to help both Security and IT teams in measuring, communicating, and eliminating risks associated with web applications and APIs throughout their environments. By providing a clear and actionable framework, TruRisk enables these teams to not just react to threats but proactively manage their web application security posture.

Understanding Web Application and API Security Risk Assessment

Web application and API security risk assessment is a critical component of modern cybersecurity strategies that involves identifying, analyzing, and evaluating potential threats that could exploit the vulnerabilities in web applications and APIs. These digital assets are often the entry points through which cybercriminals attempt to sneak into systems to steal data, disrupt operations, or cause other harmful outcomes. The method of assessing risks in web applications and APIs involves multiple layers and nuances, including vulnerability detection, vulnerability analysis to understand the nature, potential impact, and exploitability, contextual assessment and finally, risk scoring. Risk scoring in the context of web application and API security is a critical and systematic practice that helps organizations prioritize cybersecurity threats more effectively and guide remediation efforts.

However, a disconnect often arises between security and IT teams and executive management due to differing focuses and metrics used in risk assessment when prioritizing cybersecurity risks within an organization. This misalignment stems primarily from the focus on technical risk perspective of a vulnerability detection by technical teams and metrics of actual business impact or the context of the web application within an organization by executive teams. Therefore, relying solely on a singular metric system like CVSS (Common Vulnerability Scoring System), can be problematic. While providing a severity rating based on the technical assessment of a vulnerability, CVSS does not account for the business context.

There is a clear need for a unified risk metric that both technical and executive teams can use to assess and discuss the risk landscape, in addition to addressing the issues by considering both the technical severity of vulnerabilities and their actual business impact and the context of the web application within an organization.

What is Qualys TruRisk?

TruRisk is a comprehensive risk scoring system that integrates multiple critical factors to produce a more accurate reflection of the potential threats facing an organization based on normalization, correlation and contextualization of threat intelligence from 25+ threat data feeds and research from 120+ strong Qualys Threat Research team.

The TruRisk score is calculated using based on a variety of indicators like exploit type, asset criticality, location of the asset, weaponized and publicly exploitable vulnerabilities (CVSS/EPSS), malware, CISA KEV (Known Exploited Vulnerabilities), certificates, unauthorized software, external facing assets, assets exploited by malware threat actors, unauthorized ports, End of Life & End of Service for software, operating systems, or hardware, missing required software, and custom rule-based risk factors.

As a multidimensional risk score, TruRisk is intricately designed to offer a nuanced view of the vulnerabilities that pose the most significant threats to an organization's digital assets and help organizations with:

• Comprehensive Risk Measurement: TruRisk offers a holistic view of the risk landscape by integrating multiple factors into a single score. This comprehensive approach ensures that all aspects of a vulnerability's potential impact are considered, providing a more accurate assessment of which vulnerabilities need to be addressed as a priority.
• **Strategic Risk Communication:**By translating technical vulnerabilities into a clear risk score, TruRisk bridges the communication gap between cybersecurity teams and executive leadership. This facilitates more informed decision-making at the highest levels of an organization.
• Prioritized Risk Remediation: The prioritization of risks is based on a combination of business asset context and threat context correlated with detected vulnerabilities. With its ability to highlight the most critical vulnerabilities based on a multidimensional analysis, TruRisk helps organizations to focus their resources and remediation efforts are focused on vulnerabilities that pose the highest risk in the context of their potential impact on the organization.

Introducing TruRisk in Qualys WAS

TruRisk represents a significant leap forward in how cybersecurity risks are assessed and managed, particularly within the context of web applications and APIs. The introduction of TruRisk in the Qualys Web Application Scanning (WAS) is pivotal to prioritize vulnerabilities and misconfigurations for individual applications and groups of applications based on their actual risk or ‘true risk’ to the organization, considering various factors for a comprehensive risk assessment. TruRisk score also simplifies tracking, communication, and reporting over time, besides enabling organizations to concentrate on fewer critical findings for prioritized remediation, significantly reducing business risk.

The Elements for TruRisk Calculation

• Qualys Detection Score (QDS) - The Qualys Detection Score is a proprietary algorithm designed to assess the real risk that a vulnerability or misconfiguration poses to a specific, unique IT environment, factoring in various criteria, generating a QDS ranging from 0-100 for each unique Qualys ID (QID) assigned to a vulnerability. Factors included in the QDS calculation include CVSS ratings, Zero Day vulnerabilities, public exploits, active attacks, high lateral movement potential, ease of exploitation, potential for significant data loss, denial of service threats, presence of malware, and available exploit kits.
• Asset Criticality Score (ACS) - A Qualys tag determines the criticality score (ACS) for an app, reflecting its importance to business operations. For instance, in an e-commerce context, the shopping cart app is crucial as it directly affects revenue. Therefore, the ACS plays a vital role in calculating the overall app scores, emphasizing that applications with higher criticality require more immediate attention.
• Auto-assigned weighting factor (w) - The weighting factors are designed to ensure that more severe vulnerabilities have a proportionally greater influence on the overall TruRisk score of an application. Each QID is categorized intoCritical, High, Medium, and Low levels based on the severity and potential impact of the associated vulnerability.

TruRisk Score for an Application

The TruRisk score for an application is derived by integrating all risk elements—the QDS for the application and its criticality score—and combining them using a specified formula. The holistic approach of the calculation ensures that the resulting score accurately reflects the potential impact and urgency of addressing the risks associated with the application.

Along with the TruRisk scoring system, Qualys WAS also combines the categorization of vulnerabilities based on the OWASP Top 10 guidelines to help organizations identify risks associated with web applications and ensure remediation efforts on the most significant threats, ensuring optimal allocation of resources and enhanced protection. OWASP Top 10 lists the most critical web application security risks, such as injection, broken authentication, and sensitive data exposure for organizations to fix the types of vulnerabilities that are most commonly exploited and can cause the most damage.

The use of TruRisk along with OWASP Top 10 categorization in Qualys WAS facilitates a strategic approach to vulnerability management, focusing on prioritization of vulnerabilities that fall into these high-risk categories and remediation of the most severe and impactful risks. This way organizations can ensure that resources are used where they are most needed and effectively reduce the potential attack surface.

Benefits of TruRisk in Qualys WAS

The several significant benefits of implementing TruRisk scoring in Qualys WAS highlights its impact on efficiency, cost reduction, and strategic resource allocation.

Prioritization of vulnerabilities and misconfigurations

TruRisk fundamentally changes the approach to managing web application vulnerabilities by enabling a risk-based prioritization process. By continuously adjusting to new data and threat landscapes, fixed vulnerabilities and ignored detections, TruRisk allows organizations to respond dynamically and keep security measures both current and relevant.

Reduce more risk with fewer vulnerabilities

TruRisk scoring enables organizations to focus on vulnerabilities that truly matter, reducing the number to prioritize by up to 85%. By concentrating on critical vulnerabilities, cybersecurity teams can allocate their resources more judiciously and reduce operational costs associated with security management.

Save costs by consolidating threat intelligence feeds

By integrating over 25 threat intelligence feeds, TruRisk scoring helps consolidate and streamline threat intelligence, saving organizations over $100,000 in costs.

Reduce cyber insurance premium

TruRisk scoring provides a measurable and transparent way to assess and demonstrate reduced cyber risk across the organization. Lower TruRisk scores can lead to reduced cyber insurance premiums, reflecting the organization's lower risk profile and more robust security posture.

As cybersecurity threats continue to evolve in complexity and severity, having a robust, adaptable tool like TruRisk is essential for maintaining the integrity and security of digital assets. TruRisk is more than just a scoring system; it is a strategic asset that empowers CISOs, CTOs, and CIOs to protect their organizations with precision and foresight. The benefits of incorporating TruRisk into Qualys WAS are transformative, providing organizations with a powerful tool to enhance their security posture. By prioritizing critical vulnerabilities, simplifying communication, and aligning security measures with business objectives, TruRisk empowers organizations to tackle the challenges of modern cybersecurity with confidence and strategic insight.

Already a Qualys user? Explore TruRisk in Qualys WAS subscription or contact your Technical Account Manager (TAM) to know how Qualys WAS can work with your current Qualys subscription.