Rating Transparency


Rating transparency in cybersecurity refers to the extent to which the factors, methodologies, and data that contribute to a security rating are clearly and openly communicated to the rating's users. It's about providing visibility into how a security rating is derived rather than just presenting the final score.

Here's a more detailed explanation:

  • Clarity of Factors: Rating transparency involves explaining which security elements are considered.

  • Methodology Disclosure: It outlines the process and algorithms used to weigh different factors and calculate the final rating.

  • Data Source Visibility: Transparency means revealing the data sources used for the assessment so users can understand its origin and reliability.

  • Granular Insights: It provides the detailed findings and evidence that support the rating, so users can verify and understand the assessment.

  • Justification of Scores: It explains clearly why a system or organization received a particular score, linking the score to specific security findings.
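To make the five elements above concrete, here is a small added example (not ThreatNG's code or methodology) of a rating routine that exposes every factor, its weight, its data source and its supporting evidence alongside the final score; the factor names, weights and findings are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Factor:
    """One element of the rating, together with the data it was derived from."""
    name: str
    source: str             # where the evidence came from (data source visibility)
    weight: float           # points per finding (methodology disclosure)
    evidence: List[str] = field(default_factory=list)
    positive: bool = False  # True for strengths such as a WAF or MFA

def transparent_rating(factors: List[Factor], base: float = 100.0) -> Tuple[float, List[str]]:
    """Return a 0-100 score plus a line-by-line justification of how it was reached."""
    score = base
    report = [f"Base score: {base:.0f}"]
    for f in factors:
        if not f.evidence:
            report.append(f"{f.name}: no findings (source: {f.source}), no change")
            continue
        delta = f.weight * len(f.evidence)          # disclosed weighting rule
        score += delta if f.positive else -delta    # strengths add, weaknesses subtract
        sign = "+" if f.positive else "-"
        report.append(f"{f.name}: {sign}{delta:.0f} ({len(f.evidence)} finding(s), "
                      f"weight {f.weight:.0f} each, source: {f.source})")
        for item in f.evidence:                     # granular insight behind the number
            report.append(f"    evidence: {item}")
    score = max(0.0, min(100.0, score))
    report.append(f"Final score: {score:.0f}")
    return score, report

# Constructed sample findings (hypothetical, not real data) for a subdomain-takeover style assessment
SAMPLE_FACTORS = [
    Factor("Dangling DNS records", "DNS records", 15.0,
           ["old-blog.example.com CNAME points at an unclaimed hosting target",
            "staging.example.com CNAME points at a deprovisioned storage bucket"]),
    Factor("SSL certificate status", "SSL certificate statuses", 10.0,
           ["login.example.com certificate expired"]),
    Factor("Exposed code repositories", "Sensitive Code Exposure", 20.0, []),
    Factor("Web application firewall", "External attack surface", 5.0,
           ["WAF detected in front of www.example.com"], positive=True),
    Factor("Multi-factor authentication", "External attack surface", 5.0,
           ["MFA enforced on admin.example.com"], positive=True),
]

if __name__ == "__main__":
    final_score, lines = transparent_rating(SAMPLE_FACTORS)
    print("\n".join(lines))
```

Every line of the report can be traced back to a named source and a stated weight, which is what lets a user check the score rather than take it on faith.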

ThreatNG is designed to provide rating transparency by detailing the factors and data contributing to its security assessments.

External Assessment: Transparent Rating Factors

  • ThreatNG's external assessment modules clearly outline the factors contributing to each security rating.

  • For example, the description of the "Web Application Hijack Susceptibility" assessment explains that it uses "External attack surface and digital risk intelligence, including Domain Intelligence" to analyze web application components.

  • Similarly, the "Subdomain Takeover Susceptibility" assessment description specifies that it incorporates "Domain Intelligence," "subdomains," "DNS records," and "SSL certificate statuses".

  • This level of detail helps users understand what is being assessed.

Granular Insights and Evidence

  • ThreatNG provides granular insights and evidence that support its ratings.

  • The investigation modules, such as the "Domain Intelligence" and "Sensitive Code Exposure" modules, offer detailed data and analysis to support the overall security assessment.

  • For instance, the "Sensitive Code Exposure" module discovers and highlights "Access Credentials," "Security Credentials," and "Personal Data" within code repositories, providing specific evidence for code-related risk ratings.

Reporting: Communicating Rating Details

  • ThreatNG's reporting capabilities present the assessment findings in a structured way, linking them to the overall security ratings.

  • This helps users understand why a particular rating was assigned.

Positive Security Indicators: Transparency in Strengths

  • ThreatNG's "Positive Security Indicators" feature adds another layer of transparency by explicitly highlighting security strengths and their contribution to the overall security posture.

  • It explains why controls like WAFs and MFA are considered positive factors, further enhancing transparency.

Continuous Monitoring: Transparency Over Time

  • ThreatNG's continuous monitoring provides transparency into how security ratings change over time.

  • This allows users to see the impact of their security efforts on their ratings.

Working with Complementary Solutions

  • While not explicitly detailed, ThreatNG's transparent rating data can be shared with other security tools to provide a more comprehensive and transparent view of security across different platforms.

ThreatNG promotes rating transparency by clearly outlining assessment factors, providing granular evidence, and communicating security strengths. This enables users to understand and trust the provided security evaluations.
