Prioritization Funnels
Xygeni’s Prioritization Funnels help you filter and identify the most relevant issues, so that you can concentrate on “fixing what matters”.
Given a full set of security issues, Prioritization Funnels allow you to specify “prioritization criteria” that are automatically applied to the full set, discarding the issues that don’t meet the criteria. The resulting set after applying the criteria contains the most important issues to remediate.
Xygeni’s Prioritization Funnels are available for every kind of security risk, under the Risks sections, by clicking on the Prioritization Funnel button.
In the example image above, after applying some prioritization criteria, the initial 8,450 issues are reduced to 329.
The principal funnel (fed with all types of risks) is available under the All Risks menu option (at the top left). You can also find risk-specific funnels under any “Risks” option of the different products in the left menu (Risks (SAST), Risks (SCA), Risks (CI/CD), Secrets and Infrastructure as Code).
Xygeni comes with some out-of-the-box predefined Funnels
At the top filters of any funnel, click on “Funnel” filter and the available funnels are displayed:
** Xygeni General Prioritization
** Xygeni CI/CD Prioritization
** Xygeni IaC Prioritization
** Xygeni SAST Prioritization
** Xygeni Secrets Prioritization
Out-of-the-box funnels are prefixed with ** to differentiate them from Custom Funnels, and they cannot be modified.
Select any one of them and the funnel will be refreshed with the new criteria.
By default, the funnel is displayed based on “Severity”, i.e. it shows data grouped by severity (Critical, High, etc.). By clicking on the “Split by” filter, you can switch the graphics to be based on Category (Malicious Code, IaC, Secrets, CI/CD, Open Source, etc.).
You can filter even further by selecting specific Categories.
At the bottom of the page, there is a filter box where you can select which issues you want to see.
One of them is Funnel Phase, which allows you to filter by any specific funnel criterion. If you select one of them, the issues list will contain the items that pass every stage up to and including the selected criterion.
Once you select one of the funnel phases, the table lists the issues contained in the selected phase. You can then refine your search further by selecting additional filters.
With Xygeni, you can create your own custom Prioritization Funnels
In the funnel configuration panel, you can either create a New Funnel, clone the selected funnel or delete the selected funnel. Out-of-the-box funnels cannot be modified or deleted.
Click on New Funnel and give a name to that funnel.
You can also use this new funnel as the “default” funnel for any type of risk.
After naming the new funnel, you add the criteria by selecting among the available ones in “Select a stage to add”.
Once you select one, click on the plus sign (+) to add it to the funnel.
You will see the possible values for the criterion (true and false in the example). You decide which value an issue must have to “pass” the criterion. For example, selecting Reachability: true means that any reachable issue will pass this stage of the funnel.
You can add as many criteria (or stages) as you want, but remember that order is important: criteria are applied from top to bottom. You can drag and drop the criteria to change the order.
For multivalued criteria, selecting several options works as an “OR”.
When done, click on the Save button and your new funnel will be displayed among the available ones.
Any funnel is composed of criteria that produce the different stages of the funnel.
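The following is an added, constructed model of how an ordered funnel behaves; it is not Xygeni’s code, and the issue attributes and sample issues are assumptions. It applies stages top to bottom, treats several selected values as an OR, and exposes the per-phase counts that the chart and the Funnel Phase filter show.

```python
from dataclasses import dataclass

@dataclass
class Stage:
    criterion: str   # issue attribute the stage inspects (e.g. "reachable")
    accepted: set    # values that let an issue pass; several values act as an OR

@dataclass
class Funnel:
    name: str
    stages: list     # applied top to bottom, exactly like the drag-and-drop order

    def run(self, issues):
        """Apply each stage in order; return [(phase name, remaining issues), ...]."""
        remaining = list(issues)
        phases = [("All issues", remaining)]
        for stage in self.stages:
            remaining = [i for i in remaining if i.get(stage.criterion) in stage.accepted]
            phases.append((stage.criterion, remaining))
        return phases

    def phase(self, issues, criterion):
        """Issues that pass every stage up to and including the named one (Funnel Phase filter)."""
        for name, remaining in self.run(issues):
            if name == criterion:
                return remaining
        raise KeyError(f"no stage named {criterion!r}")

def counts(funnel, issues):
    """Per-phase counts, i.e. the numbers drawn on the funnel chart."""
    return [(name, len(rem)) for name, rem in funnel.run(issues)]

# Constructed sample issues; attribute names mirror the criteria table below.
ISSUES = [
    {"id": 1, "severity": "critical", "reachable": True,  "deployed": True,  "internet_exposed": True},
    {"id": 2, "severity": "high",     "reachable": True,  "deployed": False, "internet_exposed": True},
    {"id": 3, "severity": "high",     "reachable": False, "deployed": True,  "internet_exposed": True},
    {"id": 4, "severity": "medium",   "reachable": True,  "deployed": True,  "internet_exposed": False},
    {"id": 5, "severity": "critical", "reachable": True,  "deployed": True,  "internet_exposed": True},
    {"id": 6, "severity": "low",      "reachable": True,  "deployed": True,  "internet_exposed": True},
]

# Hypothetical custom funnel: order changes the intermediate counts, not the final set.
CUSTOM = Funnel("Exposed and reachable", [
    Stage("severity", {"critical", "high"}),  # multivalued criterion: critical OR high
    Stage("reachable", {True}),
    Stage("deployed", {True}),
    Stage("internet_exposed", {True}),
])

if __name__ == "__main__":
    for name, n in counts(CUSTOM, ISSUES):
        print(f"{name:>17}: {n}")
```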
Xygeni provides some out-of-the-box criteria, although you can add your own custom criteria.
Some criteria are automatically calculated by Xygeni (Auto).
Some criteria are business-oriented and must be supplied by the user (Manual).
Some criteria are initially calculated by Xygeni but can be modified by the user (Both).
We are continuously adding new criteria, so you will likely find more criteria than are described here at the time of writing this document.
Besides the out-of-the-box criteria above, you can create your own custom criteria. To do so, you just need to add custom properties to your applications (projects in Xygeni’s terminology), and those properties will be available as funnel criteria.
See Project Custom Properties for further info.
Click on the funnel configuration button and the Prioritization Funnel Configuration panel will open.
Criteria | Automatic / Manual | Description |
---|---|---|
Reachability | Auto | Is this vulnerability reachable? (see Reachability for further details) |
Exploitability | Auto | Is this vulnerability exploitable? (see Exploitability for further details) |
Fixable | Auto | Is this vulnerability fixable? (see Automatic Fix for further details) |
In application code | Auto | Is this vulnerability in application code (i.e. not in test code)? |
Deployed | Both | Is this application being deployed? Xygeni can detect if the application is being deployed to some resource, but you can also manually assign the correct value. |
Active Development | Both | Is this application actively under development? Xygeni considers an application to be in "Active Development" if its latest commit is not older than 90 days. You can manually change this value. |
Internet Exposed | Manual | Is this application exposed to the Internet? |
Legacy | Manual | Is this a legacy (i.e. out of active maintenance) application? |
Product Unit | Manual | To which Product Unit does this application belong? |
Business Value | Manual | What is the business value of this application? |
Provider | Manual | Who is the provider of this application? |
Architecture | Manual | What is the technical architecture of this application? |
Business Area | Manual | To which Business Area (or department) does the application belong? |