Davis Security Score

In the following, you'll learn about Davis Security Score (DSS), based on which Dynatrace calculates the severity of a vulnerability, so you can focus on fixing vulnerabilities that are relevant in your environment, instead of on those that have only a theoretical impact.

DSS is an enhanced risk-calculation score based on the industry-standard Common Vulnerability Scoring System (CVSS). Davis AI is designed to provide a more precise risk-assessment score by considering additional parameters such as public internet exposure and whether or not data assets are reachable from an affected entity.

Virtually all security products use the CVSS Base Score to set the severity of security vulnerabilities. CVSS was designed to be risk-averse, which means that, for any given vulnerability, the assigned score assumes the worst-case scenario. The CVSS specification does allow for some modifications based on environmental influences, but this is usually not factored into the risk score calculation, which leads to many high or critical vulnerability scores that the user needs to handle.

DSS is more accurate: Davis doesn't assume the worst-case scenario. Instead, Davis adapts the characteristics of the vulnerability to your particular environment, taking into consideration its structure and topology, and advises you as to which elements are at risk and how to handle security issues. With Davis AI, you can find out if the affected entity is reachable from the internet and if there is any data storage in reach of an affected entity.

DSS makes you more efficient: By including additional parameters in its analysis, Davis is designed to leverage data to more precisely calculate the security score and predict the potential risk of a vulnerability to your environment. By reducing the score of vulnerabilities that are considered less relevant for your environment, you gain time to focus on the most critical issues and fix them faster.

Vulnerability score calculation

Starts from the CVSS base.

Calculation starts from the base CVSS Score, and takes into consideration metrics pertaining to
- Public internet exposure: Attack vector (AV)
- Reachable data assets: Confidentiality (C) and Integrity (I)
The current supported CVSS version standard is v3. Some older vulnerabilities still use CVSS v2, which is deprecated. In this case, the Davis Security Score can't be assessed.
Adds context to public internet exposure.

To influence the security score of a third-party vulnerability based on the public internet exposure, Davis uses the Modified Attack Vector (MAV) metric. This metric reflects the context by which vulnerability exploitation is possible.
- If the original AV value shows exploitation is possible via network access, but, based on the topology information extracted from your environment, the service isn't actually exposed, Davis lowers the MAV value.
- In all other cases, the MAV value doesn't differ from the original AV value.
Adds context to reachable data assets.

To influence the security score of a third-party vulnerability based on reachable data assets, Davis uses the Modified Confidentiality (MC) and Modified Integrity (MI) metrics. These metrics reflect the actual accessibility of a reachable data asset to an affected service.
- If the original C and I values show that data exposure or manipulation are possible, but, based on Davis' evaluation, there aren't any reachable data assets accessible by the affected service, Davis lowers the corresponding MC and MI values.
- In all other cases, the MC and MI values don't differ from the original C and I values.
Calculates the final score, based on the previous results.
- Davis modifies the scores on the service level. If a vulnerability has more than one affected service, the highest score is used.
- DSS is never higher than the base CVSS. The values for public internet exposure and reachable data assets can only lower the score or leave it unchanged.

Example calculation on the details page of a vulnerability:

Davis Security Score calculation

The score of a code-level vulnerability is always 10 and the risk always Critical because it's considered to be exploitable at any time.

For example, on a login page where the password hasn't been sanitized before sending it to the database, thus allowing an SQL injection, it's only a matter of time until an attacker finds this vulnerability and exploits it.

DSS risk levels

The DSS scale ranges between 0.1 (lowest risk) and 10.0 (most critical risk):

Low risk: Vulnerabilities ranging between 0.1 and 3.9
Medium risk: Vulnerabilities ranging between 4.0 and 6.9
High risk: Vulnerabilities ranging between 7.0 and 8.9
Critical risk: Vulnerabilities ranging between 9.0 and 10.0

Calculation differences

Latest Dynatrace

The Davis Security Score (DSS) calculation currently differs in Grail-powered apps (such as Dashboards, Notebooks, Workflows) from Vulnerabilities and Third-Party Vulnerabilities.

In Vulnerabilities and Third-Party Vulnerabilities, DSS is assessed based on aggregating the scores of affected entities within the selected scope.
In Grail-powered apps, DSS is assessed based on the DSS of the affected entities within the selected scope.

Thus, the DSS (score and risk level) for vulnerabilities on Grail-powered apps can be lower than in Vulnerabilities and Third-Party Vulnerabilities.

Example:

A vulnerability with Critical severity affects two processes, Process_1 and Process_2.

Evaluation of risk assessment:
- Process_1 is exposed to the public internet but has no reachable data assets => DSS lowers the severity to High.
- Process_2 isn't exposed to the public internet but has reachable data assets => DSS lowers the severity to High.
Final score:
- In Vulnerabilities and Third-Party Vulnerabilities, DSS aggregates the risk factors of the affected entities (the vulnerability is both exposed to the public internet and has reachable data assets), thus the severity remains Critical.
- In Grail-powered apps, the score is determined by the affected entity with the highest DSS score. So if both affected entities have High severity, the severity is lowered from the initial Critical to High.

Use case

Prioritize vulnerabilities based on DSS.