Risk database

In the risk database, you can easily search for existing findings. Dynamic linking to client names simplifies reuse: you can recycle a finding you have used before and customize it for the specific client.

To create a new risk

 

 

More information about risk properties:

Category

In the main database, we support various types of categories:

  • Web Application

  • Infrastructure

  • Cloud Resource

  • Mobile App

  • Wi-Fi

  • Source Code

Description

Here, you can provide a more detailed explanation of the risk and, for example, clarify to the client what the risk entails.

Different standards frameworks

For each category, you can place the risk within a standards framework by choosing one of the systems described below.

Through the CVSS, vulnerabilities are assigned a score on a scale from one to ten, with ten being the highest. This immediately indicates the severity of a vulnerability. The score is explained in detail here. Below is an image of a potential risk.

 

The Baseline Information Security for the Public Sector (BIO) has also been added to the risk database. The BIO is used within the government for information security. The complete BIO has been incorporated, so a reference to it is easy to add to a risk. It can look like this:

 

The ASVS is a list of security requirements and controls. Checking against it makes clear whether and where there are risks.

Which of these standards frameworks are visible depends on the category.

Recommendation

Here you can indicate which recommendations are available for a specific risk. You can also provide further details and explanations for these recommendations.

Notes

This section provides space for comments that may not fit elsewhere.

Reproduction

Reproduction gives you the ability to show step by step how you arrived at a risk. You can easily move between steps using the drag-and-drop system.

There is also a dedicated space to insert code and upload evidence.