Change the way we manage severity #728

Closed
gmontard opened this issue Mar 3, 2023 · 6 comments
Labels: enhancement (New feature or request)

Comments
gmontard commented Mar 3, 2023

We'd like to simplify the severity level of the rules, and defer any calculation that increases the severity level globally (depending on the sensitive data categories). This will simplify the rules, reinforce a common standard, and later on make it easier to allow users' custom severity configuration.

Impact on the Rule structure

The severity node will end-up being a single value, representing the rule default severity (when triggered).

Changing:

severity:
  default: low
  PHI: critical
  PDS: critical
  PD: high
  PII: medium

to:

severity: low

Dynamic severity calculation

Rules can get triggered depending on the trigger options, essentially associated with the direct (trigger: local) or global (trigger: global) presence of sensitive data, and sometimes even if none is present (trigger: presence or trigger: absence).

When a rule trigger is associated with sensitive data, we want to increase its default severity level in relation to the sensitive data categories (PHI, PDS, PD, PII).

Proposed algorithm

We allocate points to each rule severity (using Fibonacci numbers), level:

critical: 8
high: 5
medium: 3
low: 2
warning: 1

We also assign points to each sensitive data categories:

PHI: 3
PDS: 3
PD: 2
PII: 1

And a weight to the trigger type:

local: 2
global: 1
presence: 1
absence: 1

Ultimately, we perform this calculation and assign the closest lower severity score:

Final Severity = Rule Severity + (Sensitive Data Categories * Trigger Weight)

Example:

Final Severity = Low default severity + (PHI * global trigger)
Final Severity = 2 + (3 * 1) = 5 = High
Final Severity = Medium default severity + (PII * local trigger)
Final Severity = 3 + (1 * 2) = 5 = High
Final Severity = High default severity + (PHI * local trigger)
Final Severity = 5 + (3 * 2) = 11 = Critical
Final Severity = Warning severity + (PDS * global trigger)
Final Severity = 1 + (3 * 1) = 4 = Medium
Final Severity = High severity + (n/a * presence trigger)
Final Severity = 5 + (0 * 1) = 5 = High
gmontard added the enhancement label Mar 3, 2023

gmontard commented Mar 3, 2023

Discussion item:

  • I'd be in favor of making the "severity" key optional for rules, and assigning a "low" severity level by default. This would mean we no longer have to mention it for the "trigger: local" rules, which are always "low" because ultimately severity is always calculated with the sensitive data presence.

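The scoring proposed in the opening post, together with the default-to-low proposal above, written out as a Go function. This is an added example, not Bearer's own code: it floors the score to the closest lower (or equal) level, treats an omitted severity key as "low", treats an absent category (n/a) as zero points, and rejects unknown level, category or trigger names instead of silently scoring them as zero.

```go
package main

import "fmt"

// Points per severity level (Fibonacci numbers) and the levels ordered from
// highest to lowest, so "closest lower" is a simple scan.
var severityPoints = map[string]int{"critical": 8, "high": 5, "medium": 3, "low": 2, "warning": 1}
var levelOrder = []string{"critical", "high", "medium", "low", "warning"}

// Points per sensitive data category and weight per trigger type, as proposed.
var categoryPoints = map[string]int{"PHI": 3, "PDS": 3, "PD": 2, "PII": 1}
var triggerWeight = map[string]int{"local": 2, "global": 1, "presence": 1, "absence": 1}

// FinalSeverity computes Rule Severity + (Category * Trigger Weight) and maps the
// score to the closest lower (or equal) level. An empty ruleSeverity means the rule
// omitted the key and defaults to "low"; an empty category (n/a) contributes 0.
// Unknown names are rejected rather than silently scored as 0.
func FinalSeverity(ruleSeverity, category, trigger string) (string, error) {
	if ruleSeverity == "" {
		ruleSeverity = "low"
	}
	base, ok := severityPoints[ruleSeverity]
	if !ok {
		return "", fmt.Errorf("unknown severity %q", ruleSeverity)
	}
	weight, ok := triggerWeight[trigger]
	if !ok {
		return "", fmt.Errorf("unknown trigger %q", trigger)
	}
	cat := 0
	if category != "" {
		if cat, ok = categoryPoints[category]; !ok {
			return "", fmt.Errorf("unknown category %q", category)
		}
	}
	score := base + cat*weight
	for _, name := range levelOrder {
		if severityPoints[name] <= score {
			return name, nil
		}
	}
	return "", fmt.Errorf("score %d below the lowest level", score) // cannot happen: minimum score is 1
}

func main() {
	for _, c := range [][3]string{{"low", "PHI", "global"}, {"high", "PHI", "local"}, {"", "", "presence"}} {
		s, err := FinalSeverity(c[0], c[1], c[2])
		fmt.Println(c, s, err)
	}
}
```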
gmontard added a commit that referenced this issue Mar 3, 2023
Associated with: #728
gmontard commented Mar 3, 2023

#730

elsapet commented Mar 6, 2023

To confirm @gmontard, if the final severity is warning (1), do we want to keep the current behaviour and not fail the CI?

e.g.

Final Severity = Warning severity + (n/a * global trigger)
Final Severity = 1 + (0 * 1) = 1 = Warning

elsapet commented Mar 6, 2023

I'd be in favor of making the "severity" key optional for rules, and assign by default a "low" severity level

I'm happy with this. Keeps the rules simpler 👍

gmontard commented Mar 6, 2023

@elsapet Absolutely about the warning, we keep current behavior on how we manage that, no changes.

gmontard commented Mar 6, 2023

PR #730 updated

elsapet mentioned this issue Mar 6, 2023
elsapet pushed a commit that referenced this issue Mar 6, 2023
gotbadger added this to the Milestone 2 milestone Mar 6, 2023
elsapet added a commit that referenced this issue Mar 6, 2023
* Updating rules severity

Associated with: #728

* Cleaning rules by removing severity low (new default), updating doc

* feat: update rules severity (#739)

* feat: update rules severity

* chore: update snapshots for rules

* fix: linting

* fix: fix e2e snapshots

* fix: fix unit test

* chore: update snapshots

* chore: update snapshots

* fix: update severity according to CWE listing

---------

Co-authored-by: elsapet <elizabeth@bearer.sh>
elsapet closed this as completed Mar 6, 2023
markmichon mentioned this issue Apr 30, 2023