Advanced Acceptance Rules for Risks
Finely control and automate risk acceptance in our risk management system
Not all risks are threatening; in fact, some risks are acceptable. Ports 80 and 443 are frequently open by design on any web server. A timestamp disclosure in a piece of JavaScript may not matter at all. It's in these cases that you might want to mark a risk as acceptable.
HostedScan provides two ways of marking a risk as acceptable:
This second case is where advanced acceptance rules are created. These rules let you control the fine-grained criteria for when a risk is accepted, or even automatically accept risks discovered in future scans, so long as they meet your criteria.
To get an idea of when you might want to do this, here are some good examples we have seen:
With the accept risk rule editor, you have a choice to make:
If you're fine with choice one, hit the Accept button. If you would like to do something more advanced, expand the Advanced Rule Editor section.
The code editor allows crafting an arbitrary query to match against your total set of risks. The query is written as JSON and composed of Mongoose-like operators, formatted similarly to a Mongoose query.
Try these three steps to familiarize yourself:
With the advanced rule editor open you will see a couple of options:
The edit buttons along the top row let you quickly change the selected risk and the selected targets. Try using these buttons and see how the code in the editor changes, along with the Matched Risks list.
The operators roughly match what is available for MongoDB queries.
The following operators are available to use for writing a query to match risks for acceptances:
| Operator | Type | Description |
|---|---|---|
| $all | array | requires every value in the array to also be a value of the property. Used on properties that are themselves arrays, e.g. `{ "$all": ["prod", "webserver"] }` |
| $and | array | requires all expressions in the array to be true |
| $elemMatch | object | takes an expression and checks that at least one element of the array property matches it, e.g. `{ "$elemMatch": { "port": } }` |
| $eq | any | the property matched equals the value in the query |
| $exists | boolean | with `true`, the property must exist on the risk; with `false`, the property must not exist |
| $gt | number or string | the property checked must be greater than the value in the query |
| $gte | number or string | the property checked must be greater than or equal to the value in the query |
| $in | array | the property matched must be one of the values in the array |
| $lt | number or string | the property checked must be less than the value in the query |
| $lte | number or string | the property checked must be less than or equal to the value in the query |
| $mod | array | the property modulo the first value equals the second value, e.g. `[4, 0]` means "the property modulo 4 equals 0" |
| $ne | any | the property matched does not equal the value in the query |
| $nin | array | opposite of $in: the property matched must not be any of the values in the array |
| $nor | array | opposite of OR: true only when none of the expressions match, e.g. `{ "$nor": [{ "_id": "12345" }, { "_id": "67890" }] }` |
| $not | object | negates the given expression, e.g. `{ "$not": { "$size": 3 } }` |
| $or | array | requires at least one expression in the array to be true |
| $size | number | the array property has exactly the length given in the query |
| $regex | string or regular expression | the property matches the given regular expression |
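To see how such a rule behaves end to end, here is a small Python evaluator for the operators in the table, run over a few constructed risk records. It is an added illustration, not HostedScan's own code or matching engine; the field names `ports`, `tags`, `severity` and `title` are assumptions about what a risk record contains.

```python
import re

RISKS = [  # constructed sample risks; field names (ports, tags, severity) are assumptions, not HostedScan's schema
    {"_id": "r1", "severity": 2, "tags": ["prod", "webserver"], "ports": [{"port": 80}, {"port": 443}]},
    {"_id": "r2", "severity": 5, "tags": ["prod", "webserver"], "ports": [{"port": 22}]},
    {"_id": "r3", "severity": 1, "tags": ["prod"], "title": "Timestamp disclosure in JavaScript"},
]

def match(doc, query):
    """True if doc satisfies every clause of a Mongo-style query ({field: cond} plus $and/$or/$nor)."""
    def clause(key, cond):
        if key == "$and":
            return all(match(doc, q) for q in cond)
        if key == "$or":
            return any(match(doc, q) for q in cond)
        if key == "$nor":
            return not any(match(doc, q) for q in cond)
        # plain field: dotted paths are not supported, use $elemMatch for nested objects
        return match_field(doc.get(key), key in doc, cond)
    return all(clause(k, c) for k, c in query.items())

def match_field(value, present, cond):
    """Evaluate one field against a literal (implicit $eq) or a dict of $-operators."""
    if not isinstance(cond, dict) or not any(k.startswith("$") for k in cond):
        return value == cond
    ops = {
        "$eq": lambda a: value == a, "$ne": lambda a: value != a,
        "$gt": lambda a: present and value > a, "$gte": lambda a: present and value >= a,
        "$lt": lambda a: present and value < a, "$lte": lambda a: present and value <= a,
        "$in": lambda a: value in a, "$nin": lambda a: value not in a,
        "$exists": lambda a: present == bool(a),
        "$all": lambda a: isinstance(value, list) and all(x in value for x in a),
        "$size": lambda a: isinstance(value, list) and len(value) == a,
        "$mod": lambda a: isinstance(value, int) and value % a[0] == a[1],
        "$regex": lambda a: isinstance(value, str) and re.search(a, value) is not None,
        "$not": lambda a: not match_field(value, present, a),
        "$elemMatch": lambda a: isinstance(value, list) and any(isinstance(e, dict) and match(e, a) for e in value),
    }
    return all(ops[op](arg) for op, arg in cond.items())  # unknown operator raises KeyError rather than silently matching

# Accept open 80/443 only on hosts tagged both "prod" and "webserver"; port 22 on the same host stays a live risk.
ACCEPT_WEB_PORTS = {"$and": [
    {"tags": {"$all": ["prod", "webserver"]}},
    {"ports": {"$elemMatch": {"port": {"$in": [80, 443]}}}},
]}

def accepted_ids(risks, query):
    """IDs of the risks a rule would auto-accept; the rest remain open for triage."""
    return [r["_id"] for r in risks if match(r, query)]
```

Keeping the `$all` tag clause is what stops the rule from silently accepting an open web port on a host that is not a web server.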