Accuracy SLA | Fluid Attacks Help

Accuracy SLA

Description

At least 90% of a client's software's risk exposure will be discovered.

Criteria

The following conditions must be met for this service-level agreement (SLA) indicator to apply:

  • Your group must have the Advanced plan.
  • Both the source code and its related environment must be accessible.
  • The environment must be paired with the code, i.e., the environment must correspond to the provided branch.
  • The environment must be stable, with no unsolved events (i.e., situations preventing testing) for at least 80% of business days.
  • All data required for application flows under continuous testing (e.g., credentials, input fields) must be complete and usable.
  • Remote access without human intervention must be enabled (e.g., no CAPTCHA, OTP).
  • A 100% Health Check must have been performed on a group potentially affected by a false negative.
  • An average of 400 weekly changes per author must have been made from the start of service to the potential false negative report.

Details

In addition to the general measurement aspects, the following is taken into account to measure this SLA indicator:

  • The risk exposure caused by vulnerabilities is calculated using the formula CVSSF = 4^(CVSS-4).
  • Accuracy is calculated based on false positives, false negatives, and the F-Score model.
  • In groups subscribed to black-box testing, vulnerabilities detectable only via source code review are not considered false negatives.

Indicator calculation

Accuracy is calculated as follows:

  • Compute the CVSSF for each individual vulnerability using the formula CVSSF = 4^(CVSS-4).

  • Calculate the total CVSSF for True Positives, False Positives and False Negatives.

  • Compute the following intermediate indicators:

    • Precision: True Positives / (True Positives + False Positives)

    • Recall: True Positives / (True Positives + False Negatives)

  • Compute the Accuracy SLA with the formula 2 x (Precision x Recall) / (Precision + Recall)
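The steps above, carried through on a small constructed set of findings, as an added example (this is not Fluid Attacks' own code or tooling). It assumes each finding has already been classified as a true positive, false positive or false negative, and that the CVSS value is the base score; the sample findings and their scores are invented for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One reported or missed vulnerability after triage (hypothetical model)."""
    name: str
    cvss: float   # CVSS base score, 0.0 to 10.0
    outcome: str  # "TP" (true positive), "FP" (false positive) or "FN" (false negative)


def cvssf(cvss: float) -> float:
    """Risk exposure of a single vulnerability: CVSSF = 4^(CVSS-4)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    return 4.0 ** (cvss - 4.0)


def exposure_totals(findings) -> dict:
    """Sum CVSSF per outcome class (step 2 of the calculation)."""
    totals = {"TP": 0.0, "FP": 0.0, "FN": 0.0}
    for f in findings:
        if f.outcome not in totals:
            raise ValueError(f"unknown outcome {f.outcome!r} for {f.name}")
        totals[f.outcome] += cvssf(f.cvss)
    return totals


def accuracy_sla(findings) -> dict:
    """Exposure-weighted precision, recall and F-score (steps 3 and 4)."""
    t = exposure_totals(findings)
    tp, fp, fn = t["TP"], t["FP"], t["FN"]
    # Guard the zero denominators: no findings at all means no measurable accuracy.
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f_score = 2 * (precision * recall) / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": precision, "recall": recall, "accuracy": f_score}


def meets_sla(findings, threshold: float = 0.90) -> bool:
    """True when the exposure-weighted accuracy reaches the 90% commitment."""
    return accuracy_sla(findings)["accuracy"] >= threshold


def count_based_f_score(findings) -> float:
    """Plain F-score on counts, for comparison only; NOT the SLA definition."""
    n = {"TP": 0, "FP": 0, "FN": 0}
    for f in findings:
        n[f.outcome] += 1
    denom = 2 * n["TP"] + n["FP"] + n["FN"]
    return 2 * n["TP"] / denom if denom else 0.0


# Constructed sample: three correct reports, one wrong report, one miss.
SAMPLE_FINDINGS = [
    Finding("sql-injection-login", 9.0, "TP"),     # CVSSF = 4^5 = 1024
    Finding("xss-search-field", 7.0, "TP"),        # CVSSF = 4^3 = 64
    Finding("verbose-error-page", 4.0, "TP"),      # CVSSF = 4^0 = 1
    Finding("false-alarm-header", 5.0, "FP"),      # CVSSF = 4^1 = 4
    Finding("missed-idor-export", 6.0, "FN"),      # CVSSF = 4^2 = 16
]

if __name__ == "__main__":
    result = accuracy_sla(SAMPLE_FINDINGS)
    for key, value in result.items():
        print(f"{key:>9}: {value:.4f}")
    print(f"meets 90% SLA: {meets_sla(SAMPLE_FINDINGS)}")
    print(f"count-based F-score for comparison: {count_based_f_score(SAMPLE_FINDINGS):.4f}")
```

Because the F-score is taken over CVSSF totals rather than counts, the same five findings score about 0.99 here (the one miss and the one false alarm carry little exposure) but only 0.75 on a plain count basis; conversely, a single missed critical finding (CVSS 9 contributes 1024 units of exposure) would pull recall down far more than a dozen missed low-severity ones, which is exactly the weighting the formula is meant to produce.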
