Prioritization Criteria (Stages)
Any funnel is composed of criteria that produce the different stages of the funnel.
Out-of-the-box criteria
Xygeni provides several out-of-the-box criteria, and you can also add your own custom criteria.

| Criteria | Description | Auto / Manual | Technical / Business | Level |
|---|---|---|---|---|
| Reachability | | Auto | Technical | Issue |
| Exploitability | | Auto | Technical | Issue |
| Fixable | | Auto | Technical | Issue |
| In application code | Is this vulnerability in application code (i.e. not in test code)? | Auto | Technical | Issue |
| Deployed | Is this application being deployed? Xygeni can detect whether the application is deployed to some resource, but you can also assign the correct value manually. | Both | Technical | Project |
| Active Development | Is this application actively under development? Xygeni considers an application to be in "Active Development" if the latest commit is not older than 90 days. You can change this value manually. | Auto | Technical | Project |
| Internet Exposed | Is this application exposed to the Internet? | Both | Technical | Project |
| Legacy | Is this a legacy application (i.e. out of active maintenance)? | Manual | Technical | Project |
| Product Unit | To which Product Unit does this application belong? | Manual | Business | Project |
| Business Value | What is the business value of this application? | Manual | Business | Project |
| Provider | Who is the provider of this application? | Manual | Business | Project |
| Architecture | What is the technical architecture of this application? | Manual | Business | Project |
| Business Area | To which Business Area (or department) does the application belong? | Manual | Business | Project |
| Any custom criteria | | Manual | Business | Project |
Criteria Specifics
In addition to the general meaning of the prioritization criteria above, each criterion has a specific meaning depending on the issue type it applies to. The columns below correspond to the issue types: component vulnerabilities, CI/CD (pipeline and automation) issues, secrets, and IaC issues.

| Criteria | Component vulnerability | CI/CD issue | Secret | IaC issue |
|---|---|---|---|---|
| Fixable | A vulnerability is Fixable if a safe component version that remediates it is available. This criterion removes from the previous stage those vulnerabilities with no available fix. | Always True | Always True | Always True |
| In application code | The scope of the component is for production, not test or compile scope. Users can configure the specific scopes used in their organization. | The issue is located in a file whose path does not contain any "test" directory. | The issue is located in a file whose path does not contain any "test" directory. | The issue is located in a file whose path does not contain any "test" directory. |
| Reachability | The vulnerability is reachable because the application code execution reaches the vulnerable code in the component. | Includes issues that represent a security issue, such as PPE, confusing names, or permission-related issues. See each detector's documentation for more details. | The secret is located in a file under version control or in an image. | Includes IaC security issue types (Appsec, Encryption, Gensec, IAM, Network, Secrets...) and discards issues related to best practices (such as Convention). Check the detectors documentation for more details. |
| Exploitable | Includes those CVEs with an EPSS score greater than 0.1. | Same as Reachability | Includes any secret that has been verified or cannot be verified. All secrets that Xygeni verifies as inactive are discarded by this criterion. | Same as Reachability |
| Active Development | The project has commits in the last 90 days. | The project has commits in the last 90 days. | The project has commits in the last 90 days. | The project has commits in the last 90 days. |
| Deployed | A component's vulnerability is considered Deployed if Xygeni detects a pipeline or workflow that deploys (checks out) the project, image or package. | Always True | A secret is considered Deployed if it appears in a public repo or image. | An IaC issue is considered Deployed if Xygeni detects a pipeline or workflow that uses the IaC configuration to deploy the infrastructure. |
| Internet Exposed | Any component vulnerability is considered Internet Exposed if the project's Internet Exposed property is set to true. | The repository with automations is public, or the issue is associated with the infrastructure. | The repository, image or package is public. | Any IaC issue is considered Internet Exposed if the project's Internet Exposed property is set to true. |
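To make the stage semantics concrete, here is an added example (not Xygeni's own code) that models the component-vulnerability column as predicate functions and runs a set of constructed findings through the funnel, reporting how many survive each stage. The field names, the fixed date, the scope names and the VULN-x ids are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from pathlib import PurePosixPath
from typing import Optional
# Constructed model of the funnel for component vulnerabilities, applying the rules
# stated on this page (EPSS > 0.1, commits within 90 days, no "test" directory in the
# path, not test/compile scope). Field names are assumptions, not Xygeni's API.
@dataclass
class Finding:
    vuln_id: str                # placeholder id, not a real CVE
    file: str                   # manifest that pulls in the component
    reachable: bool             # app code execution reaches the vulnerable code
    epss: float                 # EPSS score
    fix_version: Optional[str]  # None when no safe component version exists
    scope: str                  # dependency scope, e.g. "runtime", "test", "compile"
    last_commit: date           # latest commit of the owning project
    deployed: bool              # a pipeline/workflow deploys the project
    internet_exposed: bool      # the project's "Internet Exposed" property

TODAY = date(2024, 6, 1)                     # fixed so the example is deterministic
NON_PRODUCTION_SCOPES = {"test", "compile"}  # configurable per organization
def reachability(f): return f.reachable
def exploitability(f): return f.epss > 0.1
def fixable(f): return f.fix_version is not None
def in_application_code(f):
    return f.scope not in NON_PRODUCTION_SCOPES and "test" not in PurePosixPath(f.file).parts
def active_development(f): return TODAY - f.last_commit <= timedelta(days=90)
def deployed(f): return f.deployed
def internet_exposed(f): return f.internet_exposed
STAGES = [("Reachable", reachability), ("Exploitable", exploitability),
          ("Fixable", fixable), ("In app code", in_application_code),
          ("Active development", active_development), ("Deployed", deployed),
          ("Internet exposed", internet_exposed)]
def run_funnel(findings, stages=STAGES):
    """Apply the criteria in order; return survivors per stage and the final list."""
    remaining, counts = list(findings), {}
    for name, criterion in stages:
        remaining = [f for f in remaining if criterion(f)]
        counts[name] = len(remaining)
    return counts, remaining

def sample_findings():
    """Constructed findings: VULN-A passes everything, each other one fails one stage."""
    ok = dict(file="backend/pom.xml", reachable=True, epss=0.4, fix_version="2.0.1",
              scope="runtime", last_commit=TODAY - timedelta(days=10), deployed=True,
              internet_exposed=True)
    variants = {"B": {"epss": 0.02}, "C": {"reachable": False}, "D": {"fix_version": None},
                "E": {"file": "backend/test/pom.xml"}, "F": {"last_commit": TODAY - timedelta(days=200)}}
    return [Finding("VULN-A", **ok)] + [Finding("VULN-" + k, **{**ok, **v}) for k, v in variants.items()]
```

Running `run_funnel(sample_findings())` narrows the six findings to 5, 4, 3, 2, 1, 1, 1 across the seven stages, leaving only VULN-A as the prioritized item.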
Custom criteria
Besides the above out-of-the-box criteria, you can create your own custom criteria. To do it, you just need to add custom properties to your applications (projects in Xygeni’s terminology) and those properties will be available as funnel criteria.