Bearer / bearer

Code security scanning tool (SAST) to discover, filter and prioritize security and privacy risks.

Home Page:https://docs.bearer.com

Change the way we manage severity

gmontard opened this issue · comments

We'd like to simplify the severity level of the rules, and defer any calculation that increases the severity level globally (depending on the sensitive data categories). This will simplify the rules, reinforce a common standard and, later on, more easily allow users' custom severity configuration.

Impact on the Rule structure

The severity node will end up being a single value, representing the rule's default severity (when triggered).

Changing:

severity:
  default: low
  PHI: critical
  PDS: critical
  PD: high
  PII: medium

to:

severity: low

Dynamic severity calculation

Rules can get triggered depending on the trigger options, essentially associated with the direct (trigger: local) or global (trigger: global) presence of sensitive data, and sometimes even if none is present (trigger: presence or trigger: absence).

When a rule trigger is associated with sensitive data, we want to increase its default severity level in relation to the sensitive data categories (PHI, PDS, PD, PII).

Proposed algorithm

We allocate points to each rule severity level (using Fibonacci numbers):

critical: 8
high: 5
medium: 3
low: 2
warning: 1

We also assign points to each sensitive data category:

PHI: 3
PDS: 3
PD: 2
PII: 1

And a weight to the trigger type:

local: 2
global: 1
presence: 1
absence: 1

Ultimately, we perform this calculation and assign the closest lower severity score:

Final Severity = Rule Severity + (Sensitive Data Categories * Trigger Weight)

Example:

Final Severity = Low default severity + (PHI * global trigger)
Final Severity = 2 + (3 * 1) = 5 = High
Final Severity = Medium default severity + (PII * local trigger)
Final Severity = 3 + (1 * 2) = 5 = High
Final Severity = High default severity + (PHI * local trigger)
Final Severity = 5 + (3 * 2) = 11 = Critical
Final Severity = Warning severity + (PDS * global trigger)
Final Severity = 1 + (3 * 1) = 4 = Medium
Final Severity = High severity + (n/a * presence trigger)
Final Severity = 5 + (0 * 1) = 5 = High

Discussion item:

  • I'd be in favor of making the "severity" key optional for rules, and assigning a "low" severity level by default. This will allow us to stop having to mention it for the "trigger: local" rules, which are always "low" because ultimately severity is always calculated from the sensitive data presence
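The proposed algorithm above, worked through as an added example (this is not code from the Bearer project, and the issue does not say how several sensitive data categories on one finding combine; this example assumes the highest-scoring category is used, and treats a missing severity key as "low" per the discussion item). The constants are exactly the point values and weights listed in the proposal, and the mapping to the "closest lower severity" is implemented as the highest level whose score does not exceed the computed total.

```go
package main

import "fmt"

// Points per rule severity level (Fibonacci numbers, as proposed).
var severityPoints = map[string]int{
	"critical": 8,
	"high":     5,
	"medium":   3,
	"low":      2,
	"warning":  1,
}

// Levels ordered from highest to lowest, used for the "closest lower" lookup.
var severityOrder = []string{"critical", "high", "medium", "low", "warning"}

// Points per sensitive data category, as proposed.
var categoryPoints = map[string]int{
	"PHI": 3,
	"PDS": 3,
	"PD":  2,
	"PII": 1,
}

// Weight per trigger type, as proposed.
var triggerWeight = map[string]int{
	"local":    2,
	"global":   1,
	"presence": 1,
	"absence":  1,
}

// categoryScore returns the points of the highest-scoring category present.
// Assumption: the proposal gives single-category examples only; using the
// maximum rather than the sum keeps a PHI+PII finding from outscoring PHI alone.
// Unknown or absent categories ("n/a" in the examples) contribute 0.
func categoryScore(categories []string) int {
	best := 0
	for _, c := range categories {
		if p, ok := categoryPoints[c]; ok && p > best {
			best = p
		}
	}
	return best
}

// FinalScore computes Rule Severity + (Category points * Trigger weight).
// An empty ruleSeverity defaults to "low" (the proposed optional key).
func FinalScore(ruleSeverity string, categories []string, trigger string) (int, error) {
	if ruleSeverity == "" {
		ruleSeverity = "low"
	}
	base, ok := severityPoints[ruleSeverity]
	if !ok {
		return 0, fmt.Errorf("unknown rule severity %q", ruleSeverity)
	}
	weight, ok := triggerWeight[trigger]
	if !ok {
		return 0, fmt.Errorf("unknown trigger type %q", trigger)
	}
	return base + categoryScore(categories)*weight, nil
}

// ScoreToSeverity maps a numeric score to the closest severity level at or
// below it (11 -> critical, 5 -> high, 4 -> medium, 1 -> warning).
func ScoreToSeverity(score int) string {
	for _, level := range severityOrder {
		if severityPoints[level] <= score {
			return level
		}
	}
	return "warning" // scores below 1 cannot occur with a valid rule severity
}

// FinalSeverity is the end-to-end computation a rule engine would call.
func FinalSeverity(ruleSeverity string, categories []string, trigger string) (string, error) {
	score, err := FinalScore(ruleSeverity, categories, trigger)
	if err != nil {
		return "", err
	}
	return ScoreToSeverity(score), nil
}

// FailsCI reflects the behaviour the thread keeps unchanged: only a final
// severity of "warning" does not fail the CI run.
func FailsCI(finalSeverity string) bool {
	return finalSeverity != "warning"
}

func main() {
	// The five worked examples from the proposal, plus the optional-key case.
	cases := []struct {
		sev   string
		cats  []string
		trig  string
	}{
		{"low", []string{"PHI"}, "global"},
		{"medium", []string{"PII"}, "local"},
		{"high", []string{"PHI"}, "local"},
		{"warning", []string{"PDS"}, "global"},
		{"high", nil, "presence"},
		{"", []string{"PHI"}, "local"}, // severity key omitted -> low
	}
	for _, c := range cases {
		score, _ := FinalScore(c.sev, c.cats, c.trig)
		fmt.Printf("%-8q + %v * %-8s = %2d -> %s\n", c.sev, c.cats, c.trig, score, ScoreToSeverity(score))
	}
}
```

Running it reproduces the proposal's table (5 = high, 5 = high, 11 = critical, 4 = medium, 5 = high) and shows that a rule with no severity key and a local PHI trigger lands on critical (2 + 3 * 2 = 8). Whether categories should sum instead of taking the maximum is the one open design question this example does not settle; if summing were chosen, a PII+PD local trigger on a low rule would jump from 6 (high) to 8 (critical), so the choice materially changes CI outcomes.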

To confirm @gmontard, if the final severity is warning (1), do we want to keep the current behaviour and not fail the CI?

e.g.

Final Severity = Warning severity + (n/a * global trigger)
Final Severity = 1 + (0 * 1) = 1 = Warning

I'd be in favor of making the "severity" key optional for rules, and assign by default a "low" severity level

I'm happy with this. Keeps the rules simpler 👍

@elsapet Absolutely, about the warning: we keep the current behavior on how we manage that, no changes.

PR #730 updated