Change the way we manage severity
gmontard opened this issue · 6 comments
We'd like to simplify the severity level of the rules, and handle globally any calculation that increases the severity level (depending on the sensitive data categories). This will allow simplifying the rules, reinforce a common standard and later on more easily allow users' custom severity configuration.
Impact on the Rule structure
The severity node will end up being a single value, representing the rule's default severity (when triggered).
Changing:
severity:
default: low
PHI: critical
PDS: critical
PD: high
PII: medium
to:
severity: low
Dynamic severity calculation
Rules can get triggered depending on the trigger options, essentially associated with the direct (trigger: local) or global (trigger: global) presence of sensitive data, and sometimes even if none are present (trigger: presence or trigger: absence).
When a rule trigger is associated with sensitive data, we want to increase its default severity level in relation to the sensitive data categories (PHI, PDS, PD, PII).
Proposed algorithm
We allocate points to each rule severity level (using Fibonacci numbers):
critical: 8
high: 5
medium: 3
low: 2
warning: 1
We also assign points to each sensitive data category:
PHI: 3
PDS: 3
PD: 2
PII: 1
And a weight to the trigger type:
local: 2
global: 1
presence: 1
absence: 1
Ultimately, we perform this calculation and assign the severity with the closest lower score:
Final Severity = Rule Severity + (Sensitive Data Categories * Trigger Weight)
Example:
Final Severity = Low default severity + (PHI * global trigger)
Final Severity = 2 + (3 * 1) = 5 = High
Final Severity = Medium default severity + (PII * local trigger)
Final Severity = 3 + (1 * 2) = 5 = High
Final Severity = High default severity + (PHI * local trigger)
Final Severity = 5 + (3 * 2) = 11 = Critical
Final Severity = Warning severity + (PDS * global trigger)
Final Severity = 1 + (3 * 1) = 4 = Medium
Final Severity = High severity + (n/a * presence trigger)
Final Severity = 5 + (0 * 1) = 5 = High
Discussion item:
- I'd be in favor of making the "severity" key optional for rules, and assigning a "low" severity level by default. This will allow us to stop having to mention it for the "trigger: local" rules, which are always "low" because ultimately severity is always calculated from the sensitive data presence.
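The following is an added worked implementation of the proposed algorithm above, not code from this issue or from the project's rule engine. The point tables are copied from the proposal. Two things the proposal does not spell out are treated as assumptions here: when a rule matches more than one sensitive data category, the highest-scoring category is used (the proposal only shows single-category examples), and a rule that omits the "severity" key defaults to "low", as suggested in the discussion item. The rule objects passed in are constructed to mirror the simplified YAML shape (a single "severity" value plus a "trigger").

```python
"""Severity calculation as proposed in the issue: added example, not project code."""
from __future__ import annotations

from typing import Iterable

# Points per rule severity level (Fibonacci numbers, from the proposal).
# Ordered from highest to lowest so "closest lower" is the first match.
SEVERITY_POINTS = {"critical": 8, "high": 5, "medium": 3, "low": 2, "warning": 1}

# Points per sensitive data category (from the proposal).
CATEGORY_POINTS = {"PHI": 3, "PDS": 3, "PD": 2, "PII": 1}

# Weight per trigger type (from the proposal).
TRIGGER_WEIGHT = {"local": 2, "global": 1, "presence": 1, "absence": 1}

# Assumption: default when a rule omits the "severity" key (discussion item).
DEFAULT_SEVERITY = "low"


def score_to_severity(score: int) -> str:
    """Return the severity whose points are the closest lower value to score."""
    for level, points in SEVERITY_POINTS.items():
        if points <= score:
            return level
    return "warning"  # score below 1 cannot happen with these tables; clamp anyway


def category_points(categories: Iterable[str]) -> int:
    """Points for the sensitive data a rule matched.

    Assumption: with several categories the highest-scoring one is used.
    No category (the "n/a" case in the proposal) contributes 0 points.
    """
    found = list(categories)
    unknown = sorted(set(found) - set(CATEGORY_POINTS))
    if unknown:
        raise ValueError(f"unknown sensitive data categories: {unknown}")
    return max((CATEGORY_POINTS[c] for c in found), default=0)


def final_severity(rule: dict, categories: Iterable[str] = ()) -> str:
    """Final Severity = Rule Severity + (Sensitive Data Categories * Trigger Weight)."""
    default = rule.get("severity", DEFAULT_SEVERITY)
    if default not in SEVERITY_POINTS:
        raise ValueError(f"unknown severity: {default!r}")
    trigger = rule["trigger"]
    if trigger not in TRIGGER_WEIGHT:
        raise ValueError(f"unknown trigger: {trigger!r}")
    score = SEVERITY_POINTS[default] + category_points(categories) * TRIGGER_WEIGHT[trigger]
    return score_to_severity(score)


if __name__ == "__main__":
    # Constructed rules reproducing the worked examples from the proposal,
    # plus the two assumption-driven cases (missing key, multiple categories).
    cases = [
        ({"severity": "low", "trigger": "global"}, ["PHI"]),
        ({"severity": "medium", "trigger": "local"}, ["PII"]),
        ({"severity": "high", "trigger": "local"}, ["PHI"]),
        ({"severity": "warning", "trigger": "global"}, ["PDS"]),
        ({"severity": "high", "trigger": "presence"}, []),
        ({"severity": "warning", "trigger": "global"}, []),
        ({"trigger": "local"}, ["PII"]),
        ({"severity": "low", "trigger": "local"}, ["PII", "PHI"]),
    ]
    for rule, cats in cases:
        print(f"{rule!s:45} {cats!s:16} -> {final_severity(rule, cats)}")
```

Note that the mapping is not monotonic in the way a reader might expect: "low" with a PHI match on a global trigger (2 + 3) lands on "high", while "medium" with the same match (3 + 3 = 6) also lands on "high", because 6 has no exact level and rounds down to 5. Whether that is acceptable is worth deciding before the tables are fixed.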
To confirm @gmontard, if the final severity is warning (1), do we want to keep the current behaviour and not fail the CI?
e.g.
Final Severity = Warning severity + (n/a * global trigger)
Final Severity = 1 + (0 * 1) = 1 = Warning
I'd be in favor of making the "severity" key optional for rules, and assign by default a "low" severity level
I'm happy with this. Keeps the rules simpler 👍