Additional Field for Business criticality
Problem to solve
In certain cases, users want to measure the severity of vulnerabilities in relation to business criticality.
Changing or overriding the severity doesn't work, since customers would rather not change the severity but instead add a new field. The new field captures the real-world risk, while the theoretical severity reported by the scan did not technically change.
Proposal
Add a separate field to indicate business impact that would allow them to act on vulnerabilities in regard to how it impacts their organization. This would allow them to generate impact severity reporting.
Veracode's rating system uses a five-point scale, from Very High (5) to Very Low (1), to indicate the importance to the organization of securing an application. You set the business criticality for an application when you create an application profile. In general, applications that require higher security have a higher business criticality.
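To illustrate the proposal, here is an added example (not GitLab's or Veracode's code) of the data model it implies: the scanner's severity is stored unchanged, business criticality lives in a separate per-application field using the five-point scale quoted above, and the impact report ranks findings by combining the two. The severity weights and the product formula are assumptions for illustration only, and the findings are constructed sample data.

```python
# Added illustrative example (not GitLab's or Veracode's code): keep the scanner's
# severity untouched, carry business criticality as a separate field, and rank
# findings by the combination of both for an impact report.
from dataclasses import dataclass

# Five-point business criticality scale from the issue text (Very High=5 ... Very Low=1).
BUSINESS_CRITICALITY = {
    "Very High": 5, "High": 4, "Medium": 3, "Low": 2, "Very Low": 1,
}

# Scanner severity levels; the numeric weights are an assumption for this example.
SEVERITY_WEIGHT = {
    "critical": 5, "high": 4, "medium": 3, "low": 2, "info": 1, "unknown": 0,
}


@dataclass(frozen=True)
class Finding:
    project: str
    title: str
    severity: str              # as reported by the scanner; never overridden
    business_criticality: str  # the proposed separate field, set per application


def impact_score(finding):
    """Combine scan severity with business criticality (assumed formula: product)."""
    sev = SEVERITY_WEIGHT[finding.severity]
    crit = BUSINESS_CRITICALITY[finding.business_criticality]
    return sev * crit


def impact_report(findings):
    """Return (score, finding) pairs sorted by impact score, highest first."""
    return sorted(((impact_score(f), f) for f in findings),
                  key=lambda pair: pair[0], reverse=True)


# Constructed sample findings: same weakness in a critical and a low-value app.
SAMPLE = [
    Finding("payments-api", "SQL injection in /pay", "high", "Very High"),
    Finding("internal-wiki", "SQL injection in /search", "critical", "Very Low"),
    Finding("payments-api", "Verbose error page", "low", "Very High"),
]

if __name__ == "__main__":
    for score, f in impact_report(SAMPLE):
        print(f"{score:2d}  {f.severity:8s} {f.business_criticality:9s} "
              f"{f.project}: {f.title}")
```

Running the block shows the point of the proposal: the critical finding in the low-criticality application keeps its scanner severity of "critical" but ranks below a high and even a low finding in the Very High application, so reporting can follow organizational impact without rewriting the scan results.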