What does the May 2021 Scoring Update include, and when will it take effect?
The update is expected to take effect May 20, 2021, and will include the following changes:
Introduction of a new data scanning engine with a significant expansion of signal collection
“Content Security Policy (CSP) Missing” issue severity changed from High to Medium
“Website Does Not Implement X-XSS-Protection Best Practices” issue severity changed from Low to Informational
Refactoring SSH signal leading to more accurate findings
Updating out-of-date browser versions: March 2021 and earlier
Scoring baselines updated
Several new IoT informational issue types added to Network Security
Introduction of a new data scanning engine
SecurityScorecard will be introducing a new data scanning engine that collects higher-quality data for increased accuracy. Users may experience a score impact due to an increase in the number of security issues surfaced by our enhanced detection capabilities.
Why is this important? SecurityScorecard will be able to provide a broader image of an organization’s cybersecurity posture. With better data, users can gain insight into more threats that may be exploited. The new data can potentially change scores, so make sure to review them on May 20.
Refactoring SSH signals (Network Security)
SecurityScorecard will refactor the SSH signal to improve data quality.
Why is this important? This will increase the accuracy of the issues we surface, and enable users to focus on the right issues.
"Content Security Policy (CSP) Missing" from High to Medium severity
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. “Missing Content Security Policy (CSP)” will change from High to Medium severity in the Application Security factor. When determining the severity of an issue type, we analyze how important it is within the factor itself, consider changing industry standards, consult with subject matter experts, and assess the impact on an organization’s cybersecurity posture within that factor. Because this issue type only measures the presence of any CSP policy, regardless of its effectiveness, we are lowering the corresponding score impact. The other two CSP findings on our platform, “CSP Unsafe Directive” and “CSP Contains Broad Directives”, will remain Informational for now, and we intend to score these findings in future updates.
Why is this important? The severity update can potentially change scores, so make sure to review them on May 20.
"Website Does Not Implement X-XSS-Protection Best Practices" issue from Low to Informational severity
X-XSS-Protection is a browser response header that predates Content Security Policy (CSP) and was used to mitigate XSS attacks against web applications. X-XSS-Protection no longer benefits modern browsers: measurements show that 98% of browser usage is on browsers where stronger protection via CSP is available. Additionally, X-XSS-Protection has been superseded by CSP and is no longer recommended; OWASP has marked it as deprecated.
Why is this important? Given the vanishing support for the X-XSS-Protection header, “Website Does Not Implement X-XSS-Protection Best Practices” will become an unscored issue type.
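As an added example (not SecurityScorecard's own detection logic), the following Python classifier labels one HTTP response's headers with the CSP and X-XSS-Protection issue types and severities named in the two sections above. The severity labels come from this page; what counts as an "unsafe" or "broad" directive, and the rule that a missing X-XSS-Protection header triggers the informational issue, are assumptions of this example.

```python
# Added example, not SecurityScorecard's code. Severities follow the May 2021
# update described on this page; the directive definitions below are assumed.
from typing import Dict, List, Tuple

UNSAFE_KEYWORDS = {"'unsafe-inline'", "'unsafe-eval'"}   # assumed definition of "unsafe"
BROAD_SOURCES = {"*", "http:", "https:", "data:"}         # assumed definition of "broad"
FETCH_DIRECTIVES = {"default-src", "script-src", "object-src", "style-src"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}; the first occurrence
    of a directive wins, later duplicates are ignored (as browsers do)."""
    policy: Dict[str, List[str]] = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def classify_headers(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (issue_type, severity) findings for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[Tuple[str, str]] = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("Content Security Policy (CSP) Missing", "Medium"))
    else:
        policy = parse_csp(csp)
        sources = {s for d, srcs in policy.items() if d in FETCH_DIRECTIVES for s in srcs}
        if sources & UNSAFE_KEYWORDS:
            findings.append(("CSP Unsafe Directive", "Informational"))
        if sources & BROAD_SOURCES:
            findings.append(("CSP Contains Broad Directives", "Informational"))
    # The header is deprecated, so its absence is recorded but unscored (assumed trigger).
    if "x-xss-protection" not in h:
        findings.append(("Website Does Not Implement X-XSS-Protection Best Practices", "Informational"))
    return findings


# Constructed sample responses, not real scan data.
SAMPLE_RESPONSES = {
    "no-csp": {"Server": "nginx", "X-XSS-Protection": "1; mode=block"},
    "loose-csp": {"Content-Security-Policy": "default-src * 'unsafe-inline'; img-src https:"},
    "strict-csp": {"Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc'; object-src 'none'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(name, classify_headers(hdrs))
```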
Out-of-Date Browser Versions (Endpoint Security)
Web browsers from March 2021 and earlier will be classified as outdated. Please note that the definition of outdated browsers is updated monthly with a threshold of 3 months from the date that a version goes out of date. For example, in November the browser end-of-service versions were updated to those from three months earlier (September); in December the threshold moves forward again to three months before that month (October).
Why is this important? Outdated browsers are a security risk for companies. Malicious attackers can exploit security flaws in outdated browsers. Organizations need to have regular updates to browsers in order to fix security problems when they are detected and make computers safer from those types
New Issue types added
Network Security IOT Camera
Network Security Industrial Control Device
Network Security Telephony and VoIP
Network Security Remote Access
Network Security Networking Service
Network Security OpenVPN
Network Security PPTP VPN
Network Security Pulse Connect VPN
Network Security SOAP Server
Network Security UPNP Accessible
Network Security Neo4j Database
Network Security Minecraft Server
Network Security CDN Hosting
Network Security Cloud Provider Service
Network Security Oracle Database Server
Network Security DNS Server
Network Security LDAP Server
Network Security LDAP Server allows Anonymous Binding
IP Reputation Mail Server on Unusual Port
Why is this important? We continue to expand SSC’s coverage to the entirety of the threat landscape across IT, cloud and IoT devices. The new data can potentially change scores, so make sure to review them on May 20.
Scoring baseline update
The baselines that companies are scored against will be updated.
Why is this important? These updates enable SecurityScorecard to continuously capture changes to companies, the internet, and the cybersecurity landscape, leading to fair and accurate scores.
If I address these findings, will my score still be affected on May 20?
If the issues in the “New Findings” report (available under your overall score via the gear icon) are already in the platform, you can remediate them before the May Scoring Update. However, if any issues in the report are brand new to our system and therefore not yet added to Scorecards, they cannot be remediated in the platform until after the May Scoring Update.