Using the Vulnerability dimension

The Vulnerability dimension is used to identify and prioritize Common Vulnerabilities and Exposures (CVEs) data and non-CVE exposures. Based on ingested vulnerability scan data and your vulnerability priority and risk score settings, Concert assesses and prioritizes the vulnerabilities impacting your applications so you know which to address first. Using automation rules, you can automate ticket creation whenever Concert identifies a high priority CVE or exposure.

Before you begin

  • Define applications and environments in your Concert instance to assess and prioritize vulnerabilities in context of your application topology.
  • If a vulnerability does not have an associated application or environment, only the instance-level Admin users and the person who uploaded the corresponding vulnerability scan will be able to access the vulnerability.
  • You must have access to an application or environment to view its associated vulnerability data. This also applies to object-level Admin users, because permissions must be set individually for each object (application or environment).

The steps below outline the core workflow for using the Vulnerability dimension to highlight and prioritize CVEs and non-CVE exposures impacting your application components, environments, and public access points.

Step 1: Reviewing CVE priority and risk score settings

You can adjust the vulnerability priority and risk score settings globally (Administration > Settings) or for each application (Inventory > Applications).
  • To adjust vulnerability settings globally, go to Administration > Settings.
  • To adjust vulnerability settings for each application, go to Inventory > Applications, click the name of the application, and then click the Settings tab.

From either of these pages, you can assign weights to individual risk score factors (IBM risk score, CVSS score, and/or a custom score) to adjust the way Concert calculates risk score for each identified CVE. You can also adjust the risk score ranges for each priority level. For example, if you have a high number of prioritized CVEs, you can increase the minimum value for the Priority 1 range to reduce the number of prioritized CVEs in focus. Note that these settings may impact the behavior of automation rules configured to address prioritized CVEs.
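As an added illustration (not Concert's own code or scoring formula), the following Python models the settings described above: a weighted combination of the three risk score factors, priority ranges defined by minimum risk score, and the effect of raising the Priority 1 minimum on the number of prioritized CVEs. The weights, ranges, and sample findings are constructed assumptions, and the CVE identifiers are placeholders.

```python
from dataclasses import dataclass

# Assumed weights for the three factors (constructed, not Concert defaults).
# They are normalized inside risk_score(), so they need not sum to 1.
WEIGHTS = {"ibm_risk": 0.5, "cvss": 0.3, "custom": 0.2}

# Assumed priority ranges as (priority, minimum risk score); the highest
# range that the score reaches wins. Priority 4 catches everything else.
DEFAULT_RANGES = [(1, 80.0), (2, 60.0), (3, 40.0), (4, 0.0)]
# Same ranges with the Priority 1 minimum raised from 80 to 90.
RAISED_RANGES = [(1, 90.0), (2, 60.0), (3, 40.0), (4, 0.0)]


@dataclass
class Finding:
    cve: str
    ibm_risk: float  # 0-100 scale
    cvss: float      # 0-10 scale, rescaled to 0-100 below
    custom: float    # 0-100 scale


def risk_score(f: Finding, weights=WEIGHTS) -> float:
    """Assumed model: weighted average of the factors on a 0-100 scale."""
    scaled = {"ibm_risk": f.ibm_risk, "cvss": f.cvss * 10, "custom": f.custom}
    total = sum(weights.values())
    return round(sum(weights[k] * scaled[k] for k in weights) / total, 1)


def priority(score: float, ranges=DEFAULT_RANGES) -> int:
    """Return the first (most urgent) priority whose minimum the score meets."""
    for prio, minimum in sorted(ranges, key=lambda r: r[0]):
        if score >= minimum:
            return prio
    return max(r[0] for r in ranges)


def prioritize(findings, weights=WEIGHTS, ranges=DEFAULT_RANGES) -> dict:
    return {f.cve: priority(risk_score(f, weights), ranges) for f in findings}


def count_priority_1(findings, ranges=DEFAULT_RANGES) -> int:
    return sum(1 for p in prioritize(findings, ranges=ranges).values() if p == 1)


# Constructed sample findings with placeholder CVE identifiers.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", ibm_risk=95, cvss=9.8, custom=90),
    Finding("CVE-EXAMPLE-0002", ibm_risk=90, cvss=8.1, custom=70),
    Finding("CVE-EXAMPLE-0003", ibm_risk=40, cvss=5.0, custom=30),
]

if __name__ == "__main__":
    print(prioritize(SAMPLE))
    print(count_priority_1(SAMPLE), count_priority_1(SAMPLE, RAISED_RANGES))
```

With the default ranges two findings are Priority 1; raising the Priority 1 minimum to 90 leaves only one, which is the narrowing effect the settings page describes.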

Step 2: Importing vulnerability scans

Using Prisma Cloud, CycloneDX, or another vulnerability scanning tool, you can generate a vulnerability scan file in one of the formats Concert supports, then upload the file to Concert to assess and prioritize CVEs or non-CVE exposures impacting your applications and environments.

Refer to Supported vulnerability scan formats for details about all supported formats, and to Upload a vulnerability scan for upload instructions.

Step 3: Reviewing vulnerability data

After uploading a CVE or non-CVE exposure scan to Concert, there are several ways to view the detailed results and take action.
  • From the Vulnerability page (Dimensions > Vulnerability), you can view a detailed list of CVEs and non-CVE exposures.
    • The CVEs page provides a summary of CVEs impacting your applications, as well as a table containing details about each identified CVE—including its severity, CVSS score, number of open findings, the highest priority instance (finding) of the CVE and the risk score of that specific finding. Click the name of the CVE to view more details, including its individual blast radius in the topology view.
    • The Exposures page provides a summary of non-CVE exposure data, including the number of exposures found and the top priorities. It also includes a table containing details about the rules for which the scan detected a finding or a deviation from expected behavior. Expand each row to view details about that rule.
  • From the Arena view, you can use the toggles to show or hide Priority 1 CVE and Priority 1 exposure data in your application topology view. When enabled, you can see the specific components impacted by each vulnerability and hover over the vulnerability node to highlight its dependencies.
  • From the Applications page (Inventory > Applications), you can click the name of an application definition, repository, or build artifact to view the specific CVEs impacting it.

Use any of these methods to quickly assess and take action against the vulnerabilities associated with your applications, because this informs your overall security and risk posture.

Step 4: Opening a ticket in your third-party tracking tool

As you review impacting CVEs and non-CVE exposures, you can open tickets directly in the Concert UI to populate your connected external ticketing system. Alternatively, you can create an automation rule to automatically create a ticket in the external system whenever Concert identifies a prioritized CVE. Both methods require you to establish a connection with your external issue tracking system, such as GitHub or Jira. Refer to Creating tickets to address vulnerabilities for details.