| 1 | +--- |
| 2 | +title: "Finding Priority Enhancement (Pro)" |
| 3 | +description: "How DefectDojo ranks your Findings" |
| 4 | +weight: 1 |
| 5 | +--- |
| 6 | + |
| 7 | +Additional Finding filters are available in DefectDojo Pro to more easily triage, filter and prioritize Findings. |
| 8 | + |
| 9 | +* Priority sorts Findings based on the context and importance of the Product they are stored in. |
| 10 | +* Risk considers the Product's context, with a greater emphasis on the exploitability of a Finding. |
| 11 | + |
| 12 | +## Finding Priority |
| 13 | + |
| 14 | +In DefectDojo Pro, Priority is a calculated field on Findings that can be used to sort or filter Findings according to Product-level metadata: |
| 15 | + |
| 16 | +- Product's Business Criticality |
| 17 | +- Whether the Product has an External Audience |
| 18 | +- Whether the Product is Internet Accessible |
| 19 | +- The Product's estimated revenue or user records count |
| 20 | + |
| 21 | +DefectDojo Pro's Finding Priority assigns a numerical rank to each Finding according to this metadata, to provide users with a stronger context on triage and remediation. |
| 22 | + |
| 23 | + |
| 24 | + |
| 25 | +The range of Priority values is from 0 to 1150. The higher the number, the more urgency the Finding is to triage or remediate. |
| 26 | + |
| 27 | +Priority numbers can be used with other filters to compare Findings in any context, such as: |
| 28 | + |
| 29 | +* within a single Product, Engagement or Test |
| 30 | +* globally in all DefectDojo Products |
| 31 | +* between a few specific Products |
| 32 | + |
| 33 | +## How Priority is calculated |
| 34 | + |
| 35 | +Every Active finding will have a Priority calculated. Inactive or Duplicate Findings will not. |
| 36 | + |
| 37 | +Priority is set based on the following factors: |
| 38 | + |
| 39 | +#### Product-Level |
| 40 | + |
| 41 | +- The assigned Criticality for the Product (if defined) |
| 42 | +- The estimated User Records for the Product (if defined) |
| 43 | +- The estimated Revenue for the Product (if defined) |
| 44 | +- If the Product has External Audience defined |
| 45 | +- If the Product has Internet Accessible defined. |
| 46 | + |
| 47 | +All of these metadata fields can be set on the Edit Product form for a given Product. |
| 48 | + |
| 49 | +#### Finding-Level |
| 50 | + |
| 51 | +- Whether or not the Finding has an [EPSS score](/en/working_with_findings/intro_to_findings/#monitor-current-vulnerabilities-using-cves-and-epss-scores-pro-feature), this is automatically kept up to date for Pro customers |
| 52 | +- How many Endpoints in the Product are affected by this Finding |
| 53 | +- Whether or not a Finding is Under Review |
| 54 | + |
| 55 | +If no relevant metadata at the Finding or Product level is set, the Priority level will follow the Severity for a given Finding. |
| 56 | + |
| 57 | +- Critical = 90 |
| 58 | +- High = 70 |
| 59 | +- Medium = 50 |
| 60 | +- Low = 30 |
| 61 | +- Info = 10 |
| 62 | + |
| 63 | +Currently, Priority calculation and the underlying formula cannot be adjusted. These numbers are meant as a reference only - your team's actual priority for remediation may vary from the DefectDojo calculation. |
| 64 | + |
| 65 | +## Finding Risk |
| 66 | + |
| 67 | + |
| 68 | + |
| 69 | +The Risk column on a Findings table is another way to quickly prioritize Findings. Risk is calculated using a Finding's Priority level, but also factors in a Finding's exploitability to a greater degree. This is meant as a less granular, more 'executive-level' version of Priority. |
| 70 | + |
| 71 | +The four assignable Risk levels are: |
| 72 | + |
| 73 | + |
| 74 | + |
| 75 | +A Finding's EPSS / exploitability is much more emphasized in the Risk calculation. As a result, a Finding can have both a high priority and a low risk value. |
| 76 | + |
| 77 | +As with Finding Priority, the Risk calculation cannot currently be adjusted. |
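Review bot: The sentence `+The four assignable Risk levels are:` at line 71 introduces a list that never appears in the added text; the blank lines at 72-74 (and similarly at 22-24 and 66-68) suggest an image was meant to sit there, but the level names are not recoverable from the markdown itself. Please state the four Risk levels in text (a bullet list under that sentence), so the page is usable without the image and the values are searchable; the same applies to whatever the other two image slots were meant to show (for example the Priority column in the Findings table). Two smaller points: line 25 reads `+The range of Priority values is from 0 to 1150. The higher the number, the more urgency the Finding is to triage or remediate.`, which should be "the more urgent it is to triage or remediate the Finding"; and line 35 uses lowercase "finding" while the rest of the page capitalizes the object name, so `+Every Active finding will have a Priority calculated.` should read "Every Active Finding will have a Priority calculated." It would also help readers to say explicitly at line 55 that the Severity-based values (Critical = 90 through Info = 10) are the baseline from which the Product- and Finding-level factors raise the score toward the stated 1150 maximum, since as written the relationship between the two ranges is left implicit.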