Vulnerability Summary Table

The table in this section shows the overall situation of all vulnerabilities. It is updated as new scans are completed, files are imported, or vulnerabilities are marked as false positives or won't fix.

The time filter on the table works as follows:

For new, recurrent, false-positive, and won't fix vulnerabilities, the filter checks the number of vulnerabilities with a first seen date between now and the date selected.

For closed vulnerabilities, the filter checks the number of vulnerabilities with a last seen date between now and the date selected.

The explanations of the fields in the table are as follows:

New: Vulnerabilities that have been discovered for the first time in a scan. Vulnerabilities that were closed and then rediscovered are classified as recurrent, not new.
Recurrent: Vulnerabilities discovered in two or more consecutive scans. Vulnerabilities that have been closed and then rediscovered are also classified as recurrent.
Closed: Vulnerabilities that have been discovered in a scan and disappeared in the subsequent scans. If an issue tracker is used, Kondukto treats a vulnerability as an existing vulnerability until it disappears in a subsequent scan, even if its issue has been marked as closed on the issue tracker.
Won't Fix: Vulnerabilities that are not false positives but that the organization will not fix can be marked as Won't Fix on Kondukto. These vulnerabilities are instantly excluded from all charts and metrics.
False Positive: Vulnerabilities discovered in a scan but marked as "false positive" by the user on Kondukto or by the scanner. These vulnerabilities are instantly excluded from all charts and metrics.
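The status rules above and the time-filter rule before them can be checked against a scan history. The following is an added example, not Kondukto's own code: it derives new/recurrent/closed from an ordered list of scans, applies user marks for Won't Fix and False Positive, and then counts the table the way the filter does (first seen date for new, recurrent, won't fix and false positive; last seen date for closed). The scan data, finding keys, field names and the "wontfix"/"false_positive" labels are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Added example, not Kondukto's code. Status derivation follows the table
# definitions; the summary follows the time-filter rule. All names are assumed.


@dataclass
class Finding:
    key: str            # hypothetical identity of a finding, e.g. "CWE-79@/login"
    first_seen: date
    last_seen: date
    status: str         # "new", "recurrent", "closed", "wontfix", "false_positive"


def derive_statuses(scans, marks=None):
    """scans: list of (scan_date, set_of_keys) in chronological order.
    marks: optional {key: "wontfix" | "false_positive"} set by a user or scanner."""
    findings = {}
    for scan_date, keys in scans:
        for key in keys:
            f = findings.get(key)
            if f is None:
                # first discovery ever: new
                findings[key] = Finding(key, scan_date, scan_date, "new")
            else:
                # seen again in a consecutive scan, or closed and rediscovered:
                # both are recurrent, never new again
                f.last_seen = scan_date
                f.status = "recurrent"
        for key, f in findings.items():
            if key not in keys and f.status in ("new", "recurrent"):
                # disappeared in this scan; last_seen stays at the previous scan
                f.status = "closed"
    # manual marks override the scan-derived status and drop the finding
    # from the new/recurrent/closed counts
    for key, mark in (marks or {}).items():
        if key in findings:
            findings[key].status = mark
    return findings


def summary_table(findings, since, today):
    """Count findings per status within the selected time window:
    closed ones are filtered by last seen date, all others by first seen date."""
    counts = {s: 0 for s in ("new", "recurrent", "closed", "wontfix", "false_positive")}
    for f in findings.values():
        anchor = f.last_seen if f.status == "closed" else f.first_seen
        if since <= anchor <= today:
            counts[f.status] += 1
    return counts


# Constructed scan history of one project (three weekly scans)
SCANS = [
    (date(2024, 1, 1), {"A", "B", "C"}),
    (date(2024, 1, 8), {"A", "B", "D"}),     # C disappears, D appears
    (date(2024, 1, 15), {"A", "C", "D"}),    # B disappears, C is rediscovered
]
MARKS = {"D": "wontfix"}                     # D marked Won't Fix by a user
TODAY = date(2024, 1, 20)


def example_statuses():
    """Status string per finding key for the constructed history."""
    return {k: f.status for k, f in derive_statuses(SCANS, MARKS).items()}


def example_counts(days_back):
    """Summary table for the constructed history with a 'last N days' filter."""
    findings = derive_statuses(SCANS, MARKS)
    return summary_table(findings, TODAY - timedelta(days=days_back), TODAY)


if __name__ == "__main__":
    for f in derive_statuses(SCANS, MARKS).values():
        print(f)
    print("last 15 days:", example_counts(15))
    print("last 30 days:", example_counts(30))
```

Note that C is closed after the second scan but comes back as recurrent after the third, so it never counts as new again, and D drops out of the new/recurrent columns entirely once it is marked Won't Fix.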

Score Snapshot:

This graph can be viewed by vulnerability or risk score.

This graph plots each project or team by its risk/vulnerability score (Y-axis) against its number of vulnerabilities (X-axis). The score is calculated from the number of new and recurrent vulnerabilities under each scanner type of the project.

Green, yellow, and red circles indicate projects or teams depending on the tab selection within the graph.

The projects/teams performing better than average are displayed as green circles, those performing slightly worse as yellow, and those performing dramatically worse as red.

The blue circle indicates the intersection point of the average risk/vulnerability score and the average number of findings.

Vulnerability Density Graph:

This graph shows the frequency of the top 25 vulnerabilities discovered regardless of their status (e.g., new, recurrent, closed).

Vulnerabilities can be filtered by severity by clicking on the severity categories on the left.

Vulnerabilities can also be filtered by their first seen dates for new and recurrent vulnerabilities and by their last seen dates for closed vulnerabilities using the time selector in the upper right corner.

Viewing the chart based on CWE ID, endpoints, or file/paths is possible by selecting from the dropdown at the top right corner.

The bigger a vulnerability's circle is, the more times scanners have discovered it. When the chart is viewed by CWE ID, endpoint, or file/path, the number on each circle indicates how many vulnerabilities fall under that CWE ID, endpoint, or file/path.

In the consolidated tab, different colors indicate vulnerabilities discovered by different scanner types and their combinations, as shown in the legend in the lower-left corner.

Hovering over a vulnerability shows its details, and clicking on it redirects the user to the vulnerabilities page, filtered to the vulnerabilities with that specific CWE ID, endpoint, or file/path.

WOE By Severity:

This graph displays the distribution of new and recurrent vulnerabilities based on their aging and severity categories.

The tab at the top right corner switches to the WOE Top Ten view, which lists the ten vulnerabilities with the highest Window of Exposure.

Severity Trend:

In the Consolidated tab, this graph shows the evolution of the total number of findings that are new and recurrent under each severity class over time, regardless of the scanner type.

In other tabs, this graph shows the evolution over time of the number of new and recurrent findings under each severity class that have been discovered by scanners of the selected scanner type.

Risk Score Trend:

This graph displays the evolution of the average risk score of all projects over time.

Industry Standards:

This graph displays the distribution of all vulnerabilities based on OWASP Top 10 and PCI requirement categories.

In the Consolidated tab, results are shown by adding up all vulnerabilities discovered by all scanners regardless of their scanner type. In other tabs, results are displayed by adding up all vulnerabilities discovered by the scanners from the selected scanner type.

Vulnerabilities can also be filtered by their first seen dates for new and recurrent vulnerabilities and by their last seen dates for closed vulnerabilities using the time selector located in the upper right corner.

Severity Snapshot By Team Graph:

In the Consolidated tab, this graph shows the total number of new and recurrent vulnerabilities in the projects to which the selected teams are assigned.

In other tabs, this graph shows the total number of new and recurrent vulnerabilities found by any scanner from the selected scanner type.

Security KPI

It displays the following metrics:

Time to first response: Shows how long it takes the security team to triage a vulnerability on average. (Issue Opening Date or (FP or Won’t Fix Selection Date) – First Seen Date)
Time to first action: Shows how long it takes the development team to start working on a vulnerability on average. (Work in Progress Date – Issue Opening Date)
Time to resolution: Shows how long the development team spends on a vulnerability on average. (Issue Closing Date – Issue Opening Date)
Time to remediate: Shows how long it takes to close vulnerabilities on average. (Last Seen Date – First Seen Date)
Go-live delay: Shows how long it takes vulnerabilities to disappear after their issues are closed on the issue tracker, on average. (Last Seen Date – Issue Closing Date)

Note: Only vulnerabilities having at least one of the dates used in a metric (time to resolution, time to response, etc.) within the last 90 days are taken into account on the Security KPI chart.
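The five KPI formulas and the 90-day rule combine into a small calculation. The following is an added example, not Kondukto's own code: each metric is the difference of the two dates named in its definition, a vulnerability contributes to a metric only when both dates exist and at least one of them falls within the last 90 days, and the chart value is the average over the contributing vulnerabilities. The field names, the sample vulnerabilities and the reference date are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Added example, not Kondukto's code. Field names are assumptions that mirror
# the dates named in the KPI definitions; the sample records are constructed.


@dataclass
class VulnDates:
    first_seen: date
    last_seen: date
    issue_opened: Optional[date] = None
    work_in_progress: Optional[date] = None
    issue_closed: Optional[date] = None
    fp_or_wontfix: Optional[date] = None   # date the user marked FP or Won't Fix


def _triage_date(v):
    """Issue opening date, or the FP / Won't Fix selection date when no issue was opened."""
    return v.issue_opened or v.fp_or_wontfix


# metric name -> (later date, earlier date), following the formulas in the list
METRICS = {
    "time_to_first_response": (_triage_date, lambda v: v.first_seen),
    "time_to_first_action": (lambda v: v.work_in_progress, lambda v: v.issue_opened),
    "time_to_resolution": (lambda v: v.issue_closed, lambda v: v.issue_opened),
    "time_to_remediate": (lambda v: v.last_seen, lambda v: v.first_seen),
    "go_live_delay": (lambda v: v.last_seen, lambda v: v.issue_closed),
}


def security_kpis(vulns, today, lookback_days=90):
    """Average of each metric in days; None when no vulnerability qualifies."""
    window_start = today - timedelta(days=lookback_days)
    result = {}
    for name, (later, earlier) in METRICS.items():
        samples = []
        for v in vulns:
            a, b = later(v), earlier(v)
            if a is None or b is None:
                continue   # metric undefined for this vulnerability (e.g. no issue yet)
            # 90-day rule: at least one of the two dates must lie in the window
            if not (window_start <= a <= today or window_start <= b <= today):
                continue
            samples.append((a - b).days)
        result[name] = sum(samples) / len(samples) if samples else None
    return result


# Constructed sample: one fully resolved vulnerability, one old false positive
# outside the 90-day window, and one with an issue opened but not yet resolved
SAMPLE = [
    VulnDates(first_seen=date(2024, 4, 1), last_seen=date(2024, 4, 25),
              issue_opened=date(2024, 4, 3), work_in_progress=date(2024, 4, 10),
              issue_closed=date(2024, 4, 20)),
    VulnDates(first_seen=date(2024, 1, 10), last_seen=date(2024, 2, 1),
              fp_or_wontfix=date(2024, 1, 12)),
    VulnDates(first_seen=date(2024, 5, 1), last_seen=date(2024, 6, 20),
              issue_opened=date(2024, 5, 5)),
]
TODAY = date(2024, 6, 30)


def example_kpis():
    """KPI averages for the constructed sample as of TODAY."""
    return security_kpis(SAMPLE, TODAY)


if __name__ == "__main__":
    for name, value in example_kpis().items():
        print(f"{name}: {value} days")
```

The second record illustrates the 90-day rule: its first response took two days, but both dates are in January, so it contributes nothing to the chart as of 30 June. The third record contributes to time to first response and time to remediate only, because the dates the other three metrics need do not exist yet.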