Davis Security Score
In the following, you'll learn about Davis Security Score (DSS), based on which Dynatrace calculates the severity of a vulnerability, so you can focus on fixing vulnerabilities that are relevant in your environment, instead of on those that have only a theoretical impact.
DSS is an enhanced risk-calculation score based on the industry-standard Common Vulnerability Scoring System (CVSS). Davis AI is designed to provide a more precise risk-assessment score by considering additional parameters such as public internet exposure and whether or not data assets are reachable from an affected entity.
Virtually all security products use the CVSS Base Score to set the severity of security vulnerabilities. CVSS was designed to be risk-averse, which means that, for any given vulnerability, the assigned score assumes the worst-case scenario. The CVSS specification does allow for some modifications based on environmental influences, but this is usually not factored into the risk score calculation, which leads to many high or critical vulnerability scores that the user needs to handle.
DSS is more accurate: Davis doesn't assume the worst-case scenario. Instead, Davis adapts the characteristics of the vulnerability to your particular environment, taking into consideration its structure and topology, and advises you as to which elements are at risk and how to handle security issues. With Davis AI, you can find out if the affected entity is reachable from the internet and if there is any data storage in reach of an affected entity.
DSS makes you more efficient: By including additional parameters in its analysis, Davis is designed to leverage data to more precisely calculate the security score and predict the potential risk of a vulnerability to your environment. By reducing the score of vulnerabilities that are considered less relevant for your environment, you gain time to focus on the most critical issues and fix them faster.
Vulnerability score calculation
DSS risk levels
The DSS scale ranges between 0.1 (lowest risk) and 10.0 (most critical risk):
- Low risk: Vulnerabilities ranging between 0.1 and 3.9
- Medium risk: Vulnerabilities ranging between 4.0 and 6.9
- High risk: Vulnerabilities ranging between 7.0 and 8.9
- Critical risk: Vulnerabilities ranging between 9.0 and 10.0
Calculation differences
Latest Dynatrace
The Davis Security Score (DSS) calculation currently differs in Grail-powered apps (such as Dashboards, Notebooks, Workflows) from Vulnerabilities and Third-Party Vulnerabilities.
-
In Vulnerabilities and Third-Party Vulnerabilities, DSS is assessed based on aggregating the scores of affected entities within the selected scope.
-
In Grail-powered apps, DSS is assessed based on the DSS of the affected entities within the selected scope.
Thus, the DSS (score and risk level) for vulnerabilities on Grail-powered apps can be lower than in Vulnerabilities and Third-Party Vulnerabilities.
Example:
A vulnerability with Critical
severity affects two processes, Process_1
and Process_2
.
- Evaluation of risk assessment:
Process_1
is exposed to the public internet but has no reachable data assets => DSS lowers the severity toHigh
.Process_2
isn't exposed to the public internet but has reachable data assets => DSS lowers the severity toHigh
.
- Final score:
- In Vulnerabilities and Third-Party Vulnerabilities, DSS aggregates the risk factors of the affected entities (the vulnerability is both exposed to the public internet and has reachable data assets), thus the severity remains
Critical
. - In Grail-powered apps, the score is determined by the affected entity with the highest DSS score. So if both affected entities have
High
severity, the severity is lowered from the initialCritical
toHigh
.
- In Vulnerabilities and Third-Party Vulnerabilities, DSS aggregates the risk factors of the affected entities (the vulnerability is both exposed to the public internet and has reachable data assets), thus the severity remains