
Skyhigh Security

Service Risk Management

Services are assessed for how vulnerable they are to outside attack. To do so, Skyhigh CASB evaluates parameters such as IP filtering, malicious misuse, and preventive measures taken against cross-site request forgery (CSRF), cross-site scripting (XSS) attacks, and other common security threats.

Service Risk Attributes

The Service Risk score is calculated from the following categories, attributes, and possible values defined by Skyhigh CASB.

| Category | Attribute | Description | Possible Values |
|---|---|---|---|
| Development Practices | Penetration Testing for Service | Does the vendor perform penetration testing regularly to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities? | 10 - Clean reputable recent; 20 - Routine; 30 - Recent; 40 - Reputable recent with issue; 70 - Not publicly known; 80 - None |
| Authentication | IP Filtering Support | Does the cloud service provider support IP allow list blocks to restrict access to the enterprise tenant from unauthorized IP address spaces? | 10 - Yes; 30 - Not publicly known; 60 - No |
| Threat & Vulnerability Management | Known Malicious Misuse of Service | Has the cloud service provider had a public disclosure of malware hosted on its site, or been labeled as a known dropzone for malicious code, within the given time frame? | 10 - Not publicly known; 20 - Greater than 1 year; 50 - Less than 1 year; 70 - Less than 3 months; 80 - Less than 1 month |
| Security | Breach Identified for Service | Has the cloud service provider had a public disclosure of a breach of its service within the given time frame? | 10 - Not publicly known; 20 - Greater than 1 year; 50 - Less than 1 year; 70 - Less than 3 months; 80 - Less than 1 month |
| Security | Published CVE Vulnerability | Does the service have a known and published Common Vulnerabilities and Exposures (CVE) vulnerability? A value of Yes displays the CVE ID number. | 10 - No; 30 - Possible; 80 - Yes |
| Security | Security Incident Notification | Does the service incorporate timely notification of a security incident, malicious events, or breach to all customers and stakeholders when such events are identified? | 10 - Less than 1 day; 30 - 1 day to 1 week; 40 - Yes - duration not specified; 50 - Not publicly known; 80 - No |
| Web Application Security | Application Security Vulnerability Protection | Does the cloud service support a Web Application Firewall (WAF) to protect the organization's internet property from common vulnerabilities such as SQL injection, cross-site scripting, and cross-site request forgery, with no changes to the existing infrastructure? | 10 - Yes; 40 - Not publicly known; 70 - No |
| Web Application Security | WAF Detection Mode | Which WAF detection modes does the provider use? | 10 - Blocking; 10 - Patching; 20 - Monitoring; 80 - Not publicly known |
| HTTP Header Security | Content Security Policy | Content Security Policy (CSP) is a computer security standard that provides an added layer of protection against cross-site scripting (XSS), clickjacking, and other code injection attacks that rely on executing malicious content in the context of a trusted web page. | 10 - Strong; 50 - Average; 70 - Weak; 80 - No |
| HTTP Header Security | Strict Transport Policy | This attribute indicates that the website should always be loaded over HTTPS only. | 10 - Sub-Domains/Preload; 20 - Yes; 80 - No |
| HTTP Header Security | X-Content Type Options | This response header prevents MIME-type sniffing attacks. | 10 - Yes; 80 - No |
| HTTP Header Security | X-XSS-Protection | This response header is a feature of Internet Explorer, Chrome, and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. | 10 - Yes (Block Mode /Report User); 30 - Yes; 80 - No |
| HTTP Header Security | X-Frame Options | This response header provides clickjacking protection. | 10 - Deny; 30 - Same Origin; 80 - No |
| HTTP Header Security | X-Permitted-Cross-Domain-Policies | A cross-domain policy file is an XML document that grants a web client, such as Adobe Flash Player or Adobe Acrobat (though not necessarily limited to these), permission to handle data across domains. | 10 - None; 50 - By Type; 30 - Primary Only; 80 - No; 70 - All |
| Encryption | Server Wildcard Certificate | Does the service support wildcard certificates? | 40 - Not publicly known; 70 - No; 10 - Yes |
| Encryption | Server Certificate Validation Method | What validation method is used for the SSL certificate? | 60 - Not publicly known; 30 - Extended Validation; 40 - Organization Validation; 50 - Domain Validation |
| Encryption | OCSP Validation Result | What is the revocation status of the service certificate? | 40 - Not publicly known; 70 - Revoked; 10 - Good |
| Encryption | SSL Session Reuse | Does the service support SSL session reuse? | 40 - Not publicly known; 70 - No; 10 - Yes |
| Encryption | Negotiated Ciphers | Does the service negotiate any insecure or weak ciphers during communication? | 40 - Not publicly known; 70 - No; 10 - Yes |
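The HTTP Header Security attributes above are the ones an engineer can check directly from a single HTTP response. The following is an added example (not Skyhigh's code) that scores a captured set of response headers with the table's scores and labels. The mapping from raw header values to the table's labels is an assumption made here, as is the Strong/Average/Weak grading of a Content-Security-Policy, which the page does not define; the sample headers are constructed, not captured from any real service.

```python
"""Score HTTP response headers against the HTTP Header Security attributes.

Added example, not Skyhigh's code. Scores and labels come from the table;
the value-to-label mapping and the CSP grading rule are assumptions.
"""
from typing import Callable, Dict, Optional, Tuple

Score = Tuple[int, str]  # (risk score from the table, label from the table)


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def score_csp(headers: Dict[str, str]) -> Score:
    """Assumed grading: Strong = script-src (or default-src) with no 'unsafe-inline',
    'unsafe-eval' or bare '*'; Average = one of those is allowed; Weak = nothing
    script-related is restricted (e.g. the policy only sets frame-ancestors)."""
    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        return 80, "No"
    directives: Dict[str, list] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return 70, "Weak"
    if any(t in ("'unsafe-inline'", "'unsafe-eval'", "*") for t in sources):
        return 50, "Average"
    return 10, "Strong"


def score_hsts(headers: Dict[str, str]) -> Score:
    value = _get(headers, "Strict-Transport-Security")
    if value is None:
        return 80, "No"
    flags = {d.strip().lower() for d in value.split(";")}
    if "includesubdomains" in flags or "preload" in flags:
        return 10, "Sub-Domains/Preload"
    return 20, "Yes"


def score_content_type_options(headers: Dict[str, str]) -> Score:
    value = _get(headers, "X-Content-Type-Options")
    return (10, "Yes") if value and value.lower() == "nosniff" else (80, "No")


def score_xss_protection(headers: Dict[str, str]) -> Score:
    value = _get(headers, "X-XSS-Protection")
    if value is None or value.startswith("0"):  # "0" disables the filter; assumed to score as No
        return 80, "No"
    lowered = value.lower()
    if "mode=block" in lowered or "report=" in lowered:
        return 10, "Yes (Block Mode /Report User)"
    return 30, "Yes"


def score_frame_options(headers: Dict[str, str]) -> Score:
    value = _get(headers, "X-Frame-Options")
    if value is None:
        return 80, "No"
    if value.upper() == "DENY":
        return 10, "Deny"
    if value.upper() == "SAMEORIGIN":
        return 30, "Same Origin"
    return 80, "No"  # ALLOW-FROM is obsolete and ignored by browsers; assumed unprotected


def score_cross_domain_policies(headers: Dict[str, str]) -> Score:
    value = _get(headers, "X-Permitted-Cross-Domain-Policies")
    if value is None:
        return 80, "No"
    # Adobe's policy keywords mapped onto the table's labels (assumed mapping);
    # any other keyword falls through to No.
    mapping = {"none": (10, "None"), "master-only": (30, "Primary Only"),
               "by-content-type": (50, "By Type"), "all": (70, "All")}
    return mapping.get(value.lower(), (80, "No"))


SCORERS: Dict[str, Callable[[Dict[str, str]], Score]] = {
    "Content Security Policy": score_csp,
    "Strict Transport Policy": score_hsts,
    "X-Content Type Options": score_content_type_options,
    "X-XSS-Protection": score_xss_protection,
    "X-Frame Options": score_frame_options,
    "X-Permitted-Cross-Domain-Policies": score_cross_domain_policies,
}


def score_http_headers(headers: Dict[str, str]) -> Dict[str, Score]:
    """Return {attribute: (score, label)} for every HTTP Header Security attribute."""
    return {name: scorer(headers) for name, scorer in SCORERS.items()}


# Constructed sample response headers (not captured from any real service).
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.example.test; object-src 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "DENY",
    "X-Permitted-Cross-Domain-Policies": "none",
}

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("bare", {})):
        print(label, score_http_headers(sample))
```

Feeding it a real response (for instance the header dict from a `requests` or `http.client` call) gives the per-attribute scores; a response with no security headers at all scores 80 on every attribute, and the hardened sample scores 10 on each. The CSP grader only looks at the script-controlling directive, which is the minimum a reviewer should check before calling a policy strong.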

Deprecated Attributes

The attribute Source of Leak for Darknet has been deprecated by the third-party service that created it. Skyhigh CASB has distributed the corresponding weight of the former attribute among the following attributes:

  • Known Malicious Misuse of Service
  • Breach Identified for Service
  • Application Security Vulnerability Protection