Cyberfame.io
Cyberfame Software Security Ratings

This blog post gives an overview of Cyberfame security ratings: how people can use them to make informed decisions about protecting their online presence, and how a cyber security rating can be used to build trust and a supply chain security reputation.

Today, everyone knows that online reviews and reputations can make or break a company. The same is true for the software security of any organisation or business.

It can be difficult to get an accurate sense of how your business is doing in terms of online security, as there are many factors to consider, and assessing them requires costly expert domain knowledge.

This is why we researched & developed Cyberfame — a platform for computational cybersecurity ratings, including deep source code, software supply chain and bill of materials ratings & graphs.

[Image] An example Cyberfame security supply chain graph.

Our platform assigns each software asset a score out of 10, which is easy to understand for non-experts and non-tech teams.

Cyberfame also provides detailed information about how each site fared in its assessment, as well as suggestions for how to improve the security of each site. Whether you’re a software developer at an NGO, a business owner or a CISO, Cyberfame is a valuable resource to clearly understand.

What are the minimum and maximum possible security ratings?

The current maximum possible rating is 13.5 out of 10, and the minimum rating is always 0. We are constantly refining our rating system to reflect the latest security best practices, so the scores tend to fluctuate over time.

Some tests award positive scores, such as +5 or +10 points, to encourage people to adopt new security technologies.

What is our rating methodology based on?

Our rating system is based on a 10-point scale and takes into consideration External Attack Surface Maps, Static and Dynamic Security Analysis as well as analysis of source code repositories for the attributes described in this article.

External Attack Surface Maps

  • The external attack surface of a website is the weighted sum of all points of entry an attacker could use to gain access to the website or its data. This includes servers, APIs, applications, and any other devices or systems that are connected to the website.

[Image] Examples of an external attack surface graph.

  • To assess the external attack surface of a website, we analyse how a website is configured and what security measures are in place. We then identify all potential entry points for an attacker and assess the risk associated with each one.
  • For example, if a website is accessible through an FTP server, that server becomes a point of vulnerability. If that server is not properly secured, an attacker could potentially compromise the entire website.
  • Similarly, if a website relies on outdated software or applications, that can also be a point of vulnerability. An attacker could exploit security flaws in those applications to gain access to the website or its data.
  • Our analysis includes looking at the company’s public IP address space, domain names, and email servers. We also scan for open ports and services that could be exploited.

[Image] A zoomed-in external attack surface graph.

It’s important to note that not all vulnerabilities are equal. Some pose a greater risk than others, so it’s important to weigh the risk against the potential reward for an attacker. In this process, we leverage human supervision and analyse a company’s exposure to potential attacks from outside forces given specific industry risk profiles.

Finally, we assess how you’ve configured and secured all potential entries, then identify the risks associated and suggest mitigations for each one so they don’t bring down the whole system.
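As an added illustration (not Cyberfame's own scoring code), here is a toy model of how a weighted attack-surface inventory could be mapped onto the 0..10 scale, with bonus points and the 13.5 cap described above; the entry points, weakness severities and weights are constructed assumptions.

```python
# Added example (not Cyberfame's scoring code): a toy model of an external
# attack surface rating in the spirit of the article. Each entry point carries
# an exposure weight and a list of observed weaknesses; the weighted risk is
# mapped onto the 0..10 scale, bonus tests add points, and the result is
# clamped to the 0..13.5 range stated in the article. Weights are assumptions.
from dataclasses import dataclass, field

# Assumed severity per weakness: fraction of an entry point's weight at risk.
WEAKNESS_SEVERITY = {
    "anonymous_login": 1.0,    # e.g. an FTP server allowing anonymous access
    "outdated_software": 0.7,  # known-vulnerable versions exposed
    "no_tls": 0.5,             # cleartext service
    "open_admin_port": 0.8,    # management interface reachable from the internet
}

@dataclass
class EntryPoint:
    name: str
    weight: float                  # share of the surface this entry represents
    weaknesses: list = field(default_factory=list)

    def risk(self) -> float:
        # The worst single weakness dominates; never exceed the entry's weight.
        worst = max((WEAKNESS_SEVERITY[w] for w in self.weaknesses), default=0.0)
        return self.weight * worst

def rate_surface(entries, bonus_points=0.0, max_rating=13.5):
    """Return (rating, per-entry risk); rating is on the 0..max_rating scale."""
    total = sum(e.weight for e in entries)
    if total == 0:
        return 0.0, {}
    at_risk = sum(e.risk() for e in entries)
    base = 10.0 * (1.0 - at_risk / total)          # 10 means nothing at risk
    rating = min(max(base + bonus_points, 0.0), max_rating)
    return round(rating, 2), {e.name: round(e.risk(), 2) for e in entries}

# Constructed inventory of a hypothetical company's internet-facing services.
SAMPLE_SURFACE = [
    EntryPoint("www (HTTPS)", weight=5.0),
    EntryPoint("api (HTTPS)", weight=3.0, weaknesses=["outdated_software"]),
    EntryPoint("ftp", weight=1.0, weaknesses=["anonymous_login", "no_tls"]),
    EntryPoint("mail (SMTP)", weight=1.0),
]

if __name__ == "__main__":
    rating, detail = rate_surface(SAMPLE_SURFACE, bonus_points=2.0)
    print(f"rating {rating} (bonus included)", detail)
```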

Static Application Security Maps & Ratings

This component of the rating runs a human-machine interactive review of the source code for potential security issues. This includes looking at business logic errors, code quality, insecure cryptography, known vulnerabilities (CVE), hardcoded passwords, secret keys, and other sensitive information that could be exploited by an attacker.

  • Static application security analysis (SASA) is the process of identifying and addressing security vulnerabilities in software applications before they are deployed. Static analysis is a type of security assessment that is performed before deploying an application to production. This makes it a reliable and efficient way to find vulnerabilities early in the software development life cycle.

[Image] Example of SASA findings.

  • Static analysis can be used to identify both known and unknown vulnerabilities in an application. It can also help you determine how secure your application is, and what measures need to be taken to improve its security. Static analysis should be part of your overall vulnerability management program and should be used along with other assessment methods, such as dynamic analysis and penetration testing.
  • There are several commercial static analysis tools available, but you can also use free open-source tools such as Semgrep and SonarQube. These tools can help you get started with static analysis.
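The following added example (not Cyberfame's scanner) shows the kind of line-level check static analysis performs for two of the issue classes listed above, hardcoded credentials or keys and insecure cryptography; the rules, rule names and sample source are constructed assumptions.

```python
# Added example (not Cyberfame's scanner): a minimal static check for
# hardcoded credentials/secret keys and insecure cryptography, run over a
# constructed source snippet. Patterns and rule ids are assumptions; a real
# pipeline would express these as Semgrep-style rules with far more coverage.
import re

# Each rule: (id, regex applied per line, human-readable message)
RULES = [
    ("hardcoded-password",
     re.compile(r"""(?i)(password|passwd|pwd)\s*=\s*['"][^'"]+['"]"""),
     "password literal in source"),
    ("hardcoded-api-key",
     re.compile(r"""(?i)(api[_-]?key|secret[_-]?key|token)\s*=\s*['"][A-Za-z0-9_\-]{16,}['"]"""),
     "long secret-looking literal assigned to a key variable"),
    ("weak-hash",
     re.compile(r"\bhashlib\.(md5|sha1)\s*\("),
     "MD5/SHA-1 are not collision resistant; use SHA-256 or a password hash"),
    ("insecure-random-for-secret",
     re.compile(r"\brandom\.(random|randint|choice)\s*\("),
     "random module is not a CSPRNG; use the secrets module for tokens"),
]

def scan_source(text: str):
    """Return [(line_no, rule_id, message)] for every line matching a rule."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):   # skip comment lines to reduce noise
            continue
        for rule_id, pattern, message in RULES:
            if pattern.search(line):
                findings.append((no, rule_id, message))
    return findings

# Constructed sample: what a quick review of a small service might see.
SAMPLE_SOURCE = '''import hashlib, random, os
DB_PASSWORD = "hunter2"                # hardcoded credential
API_KEY = "sk_live_abcdefghijklmnopqrstuvwxyz"
SESSION_SEED = random.randint(0, 2**31)
def fingerprint(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()
SAFE_TOKEN = os.environ.get("API_TOKEN")   # read from environment: no finding
'''

if __name__ == "__main__":
    for line_no, rule_id, message in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {rule_id}: {message}")
```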

Dynamic application security analysis

  • Dynamic Application Security Analysis tests an application in production for any vulnerabilities that could be exploited. This makes it possible to find vulnerabilities that may not be found during static analysis. Potential vulnerabilities include SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
  • Dynamic analysis can also help you determine how secure your application is, and what measures need to be taken to improve its security. There are several commercial dynamic analysis tools available, but you can also use free open-source tools such as OWASP ZAP or w3af. These tools can help you get started with dynamic analysis.
  • Dynamic application security analysis (DASA) should be part of your overall vulnerability management program and should be used along with other assessment methods, such as static analysis and penetration testing.

Summary

Security ratings help everyone in an organisation to measure and prioritise focus on Cyber Security without compromising operational security and the least privilege policies.

A 0–10 rating presents information that non-cybersecurity experts can understand, and it keeps everyone, from sales and marketing staff through developers and DevOps to CISOs and CEOs, continuously in the loop and aware of the company's vulnerability surface and security hygiene.

Cyberfame gives you more confidence when assessing your own and others' cyber security postures, and it is also a strong trust builder when expanding a supply chain or business network, or when establishing partnerships.

Especially for open-source developers, the Cyberfame security rating of a GitHub repository can help identify potential clients and partnerships.

If you want to screen your repository or website now for its Cyberfame rating, visit cyberfame.io to get your rating today.

Thanks for reading!
