Prioritization Criteria (Stages)

A funnel is composed of criteria: each criterion, applied in turn to the issues that survived the previous one, produces the next stage of the funnel.

Out-of-the-box criteria

Xygeni provides a set of out-of-the-box criteria, and you can also add your own custom criteria. Each criterion is classified along three axes: nature, calculation and scope.

Nature (Technical vs Business)

  • Some criteria are technical in nature (Technical), while others are business-oriented (Business): their meaning depends on your own categorization of applications.

Calculation (Auto vs Manual)

  • Some criteria are computed automatically by Xygeni (Auto); others are business-oriented and must be supplied by the user (Manual).

  • Some criteria are initially computed by Xygeni but can be overridden by the user (Both).

Scope (Project vs Issue)

  • Some criteria apply to all issues of a Xygeni project, i.e. the value for an issue depends on a characteristic of the project the issue belongs to (Project).

  • Other criteria apply individually to each issue (Issue).

Criteria | Description | Calculation | Nature | Scope
Reachability | Can the vulnerable code be reached? (see Criteria specifics below) | Auto | Technical | Issue
Exploitability | Is the issue likely to be exploited? (see Criteria specifics below) | Auto | Technical | Issue
Fixable | Is a fix available? (see Criteria specifics below) | Auto | Technical | Issue
In application code | Is this vulnerability in application code (i.e. not in test code)? | Auto | Technical | Issue
Deployed | Is this application deployed? Xygeni can detect whether the application is deployed to some resource, but you can also set the correct value manually. | Both | Technical | Project
Active Development | Is this application actively under development? Xygeni considers an application in Active Development if its latest commit is not older than 90 days. You can change this value manually. | Both | Technical | Project
Internet Exposed | Is this application exposed to the Internet? | Both | Technical | Project
Legacy | Is this a legacy application (i.e. out of active maintenance)? | Manual | Technical | Project
Product Unit | Which Product Unit does this application belong to? | Manual | Business | Project
Business Value | What is the business value of this application? | Manual | Business | Project
Provider | Who is the provider of this application? | Manual | Business | Project
Architecture | What is the technical architecture of this application? | Manual | Business | Project
Business Area | Which Business Area (or department) does this application belong to? | Manual | Business | Project
Any custom criteria | Any custom property you define on the project (see Custom criteria below). | Manual | Business | Project

We are continuously adding new criteria, so you will likely find more criteria in the product than are described here.

Criteria specifics

In addition to the general meaning given above, each criterion has a specific meaning depending on the issue type it is applied to.

Criteria | Open Source | Supply Chain | Secrets | IaC
Fixable | A vulnerability is Fixable if a safe component version that remediates it is available. This criterion removes from the previous stage those vulnerabilities with no available fix. | Always True | Always True | Always True
In application code | The component's scope is a production scope, not a test or compile scope. Users can configure the specific scopes used in their organization. | The issue is located in a file whose path does not contain any "test" directory. | The issue is located in a file whose path does not contain any "test" directory. | The issue is located in a file whose path does not contain any "test" directory.
Reachability | The vulnerability is reachable because application code execution reaches the vulnerable code in the component. | Includes issues that represent a security problem, such as PPE (poisoned pipeline execution), confusing names, or permission-related issues. See each detector's documentation for details. | The secret is located in a file under version control, or in an image. | Includes IaC security issue types (Appsec, Encryption, Gensec, IAM, Network, Secrets, ...) and discards issues related to best practices (such as Convention). Check the detectors documentation for details.
Exploitable | Includes CVEs with an EPSS score greater than 0.1 (i.e. a predicted probability of exploitation in the next 30 days above 10%). | Same as Reachability | Includes any secret that has been verified as active, or that cannot be verified. Secrets that Xygeni verifies as inactive are discarded by this criterion. | Same as Reachability
Active Development | The project has commits in the last 90 days. | The project has commits in the last 90 days. | The project has commits in the last 90 days. | The project has commits in the last 90 days.
Deployed | A component vulnerability is considered Deployed if Xygeni detects a pipeline or workflow that deploys (checks out) the project, image or package. | Always True | A secret is considered Deployed if it appears in a public repository or image. | An IaC issue is considered Deployed if Xygeni detects a pipeline or workflow that uses the IaC configuration to deploy the infrastructure.
Internet Exposed | A component vulnerability is considered Internet Exposed if the project's Internet Exposed property is set to true. | The repository with automations is public, or the issue is associated with the infrastructure. | The repository, image or package is public. | An IaC issue is considered Internet Exposed if the project's Internet Exposed property is set to true.

For any criterion of Business nature, the value depends on the values of the properties and CUSPs associated with the project. You can adjust them in the project's properties in Project Management.
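To make the funnel mechanics concrete, here is an added worked example (it is not Xygeni's code and does not use Xygeni's API): a small Python funnel that applies the per-issue-type rules from the table above, one criterion after another, to a constructed set of issues and reports how many survive each stage. The field names (`kind`, `dep_scope`, `epss`, `secret_status`, `security_category`, ...), the stage order, the two projects and all nine issues are assumptions made for this example; the Supply Chain "associated with the infrastructure" clause is approximated by the project's Internet Exposed flag, and the "test" directory rule is applied to path components named `test` or `tests`.

```python
# Added worked example (not Xygeni's code): a small prioritization funnel that applies the
# criteria above in order. Field names, projects and issues are hypothetical (see lead-in).
from dataclasses import dataclass
from datetime import date, timedelta
from pathlib import PurePosixPath

TODAY = date(2024, 6, 1)                      # fixed so the example is deterministic
ACTIVE_WINDOW_DAYS = 90                       # Active Development: commits in the last 90 days
EPSS_THRESHOLD = 0.1                          # Exploitable (open source): EPSS score > 0.1
NON_PRODUCTION_SCOPES = {"test", "compile"}   # scopes listed on the page; configurable per organization

@dataclass
class Project:
    name: str
    last_commit: date
    deployed: bool            # "Both": detected from a deploying pipeline, or set manually
    internet_exposed: bool    # "Both": detected, or set manually

@dataclass
class Issue:
    id: str
    kind: str                 # "open_source" | "supply_chain" | "secrets" | "iac"
    project: Project
    path: str = ""
    reachable: bool = False   # open_source: application code reaches the vulnerable code
    fix_available: bool = False
    epss: float = 0.0
    dep_scope: str = "runtime"          # open_source: dependency scope
    security_category: bool = True      # supply_chain / iac: a security detector, not a convention
    in_vcs_or_image: bool = True        # secrets: found in a versioned file or an image
    secret_status: str = "unverified"   # secrets: "active" | "inactive" | "unverified"
    repo_public: bool = False           # repository, image or package is public

def in_app_code(issue):
    if issue.kind == "open_source":
        return issue.dep_scope not in NON_PRODUCTION_SCOPES
    # Other kinds: no directory component named test/tests (the file name itself is ignored)
    return not any(p.lower() in ("test", "tests") for p in PurePosixPath(issue.path).parts[:-1])

def fixable(issue):
    return issue.fix_available if issue.kind == "open_source" else True  # Always True otherwise

def reachable(issue):
    if issue.kind == "open_source":
        return issue.reachable
    return issue.in_vcs_or_image if issue.kind == "secrets" else issue.security_category

def exploitable(issue):
    if issue.kind == "open_source":
        return issue.epss > EPSS_THRESHOLD
    if issue.kind == "secrets":
        return issue.secret_status != "inactive"   # verified-inactive dropped; unverifiable kept
    return reachable(issue)                        # supply_chain / iac: same as Reachability

def active_development(issue):
    return (TODAY - issue.project.last_commit).days <= ACTIVE_WINDOW_DAYS

def deployed(issue):
    if issue.kind == "supply_chain":
        return True
    return issue.repo_public if issue.kind == "secrets" else issue.project.deployed

def internet_exposed(issue):
    if issue.kind == "secrets":
        return issue.repo_public
    if issue.kind == "supply_chain":   # public repo, or tied to infrastructure (approximated by the project flag)
        return issue.repo_public or issue.project.internet_exposed
    return issue.project.internet_exposed

STAGES = [  # stage order is this example's choice; Xygeni lets you compose your own funnel
    ("In application code", in_app_code), ("Fixable", fixable), ("Reachable", reachable),
    ("Exploitable", exploitable), ("Deployed", deployed), ("Internet exposed", internet_exposed),
    ("Active development", active_development),
]

def run_funnel(issues, stages=STAGES):
    """Apply each criterion in turn; return [(stage_name, ids_still_in_funnel), ...]."""
    remaining = list(issues)
    result = [("All issues", [i.id for i in remaining])]
    for name, criterion in stages:
        remaining = [i for i in remaining if criterion(i)]
        result.append((name, [i.id for i in remaining]))
    return result

# Constructed sample data (hypothetical projects and issues)
web = Project("web-api", TODAY - timedelta(days=10), deployed=True, internet_exposed=True)
old = Project("legacy-batch", TODAY - timedelta(days=400), deployed=True, internet_exposed=False)
SAMPLE_ISSUES = [
    Issue("OSS-1", "open_source", web, reachable=True, fix_available=True, epss=0.42),
    Issue("OSS-2", "open_source", web, reachable=True, fix_available=False, epss=0.90),  # no fix available
    Issue("OSS-3", "open_source", web, reachable=True, fix_available=True, epss=0.02),   # EPSS below threshold
    Issue("OSS-4", "open_source", old, reachable=True, fix_available=True, epss=0.60),   # project not exposed
    Issue("SEC-1", "secrets", web, path="config/prod.env", secret_status="active", repo_public=True),
    Issue("SEC-2", "secrets", web, path="src/test/fixtures/key.pem", secret_status="active", repo_public=True),
    Issue("SEC-3", "secrets", web, path="deploy/app.yaml", secret_status="inactive", repo_public=True),
    Issue("IAC-1", "iac", web, path="infra/main.tf"),
    Issue("IAC-2", "iac", web, path="infra/naming.tf", security_category=False),       # convention only
]
FUNNEL = run_funnel(SAMPLE_ISSUES)  # FUNNEL[-1] -> ("Active development", ["OSS-1", "SEC-1", "IAC-1"])
```

Running this narrows the nine constructed issues to three (an exploitable, fixable, reachable open-source CVE; an active secret in a public repository; a security-relevant IaC finding), which is the point of the funnel: criteria are cheap to compute individually, but it is their conjunction, applied in a sensible order, that isolates what deserves attention first. Note the two fail-open choices the table implies and the example keeps: a secret that cannot be verified stays in the funnel, and a component with no fix is dropped at Fixable even if it is reachable and exploitable, so "unfixable but exploited" cases should be tracked outside this funnel.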

Custom criteria

Besides the out-of-the-box criteria above, you can create your own custom criteria: add custom properties to your applications (projects in Xygeni's terminology), and those properties become available as funnel criteria.

See Project Custom Properties for further info.
