API risk scoring

Created:
October 7, 2024
Updated:
December 4, 2024

FireTail's API Risk Scoring system evaluates and categorizes APIs based on open findings based. The severity of the findings—critical, high, medium, and low— determine the risk score.

How risk scores are banded

The risk score is divided into bands determined by the severity of the open findings associated with the API:

  • Critical: 80-100
  • High: 60-80
  • Medium: 40-60
  • Low: Below 40

Each severity level influences the score differently, and the number of open findings plays a role in determining the score. A log based scale is used to ensure that findings of higher severity have a larger impact on the overall risk score.

Score breakdown

  • Critical Findings:
    If there is at least one critical finding, the risk score will be set between 80-100.
  • High Findings:
    If no critical findings exist, the system evaluates high findings. Any high findings result in a score between 60 and 80.
  • Medium Findings:
    If neither critical nor high findings are present, the system checks for medium findings, with the score falling between 40 and 60.
  • Low Findings: If only low-severity findings exist, the risk score will be below 40.