Determining test severity
Considerations for determining and altering the severity of vulnerability assessment tests.
Guardium® Vulnerability Assessment lets you alter the severity of each vulnerability assessment test, including tests that belong to different security assessments.
Defining test severity
The Guardium Vulnerability Assessment research and development team determines the severity of tests derived from benchmarks such as Security Technical Implementation Guides (STIG) or Center for Internet Security (CIS) by considering the following references, together with the Common Vulnerability Scoring System (CVSS) score of each Common Vulnerabilities and Exposures (CVE) test.
- Type of vulnerability (CVE)
- Configuration
- Privileges
- Authentication
- Database vendor security guides (in collaboration with database vendor teams)
- Extensive industry research and expertise
- Compliance benchmarks (STIG and CIS)
A vulnerability assessment test can reference multiple benchmarks, vendors, and other security references in parallel.
Determining the severity of CRITICAL and MAJOR tests
- Password default and password hardening policies are typically assigned a CRITICAL severity because they are deemed important in ensuring that database account authentication cannot be easily compromised.
- Default database ports can be vulnerable to a variety of security risks, including brute-force attacks, exposure of sensitive information, malware distribution, and DDoS attacks.
- Tests for encryption protocols, encryption strength, encryption at rest, and various database defaults are also assigned these severities, because weak settings can have a negative impact on production databases.
- Configuration tests make up the largest group of tests and are distributed across the severity levels CRITICAL (highest security impact), MAJOR, CAUTION, MINOR, and INFO. Severity is assigned based on the individual configuration and the database type.
- PUBLIC grants on objects are assigned the CRITICAL severity when they involve CRITICAL system-level roles, privileges, or authorities, which vary by database type.
- Most privilege tests are assigned a CRITICAL or MAJOR severity.
- Some object types or privileges are more sensitive than others and are therefore assigned different severity levels (CRITICAL, MAJOR, CAUTION, or MINOR).
Guardium Vulnerability Assessment patch tests are recommendations to database administrators to update the database server to the latest patch level, based on a comparison with metadata from the quarterly Guardium Database Protection Service (DPS) update. For more information, see Installing IBM Guardium Database Protection Service updates.
Starting with the 2025 Q3 DPS update, the CVSS scoring of new CVE tests changes. Historically, the Guardium team used the CVSS Primary source from the NVD data feed. Going forward, the CVSS Secondary source is used when the CVSS Primary source is not available. Scores from both sources are based on CVSS 3.1 scoring. After the new scoring is implemented, the Guardium team will review it and make the appropriate adjustments in subsequent releases.
For more information on optimizing tests, see Tuning a test.