Creating False Positive and Risk Accepted Workflows in Kenna

Creating False Positive and Risk Accepted Workflows in the Kenna Security Platform

Within the Kenna.VM platform vulnerabilities are given a status: Open, Closed, Risk Accepted, or False Positive.

*Note: In the screenshot above, the vulnerability’s current status is “Open” which is why “Open” is not an available status.

If your organization does not currently track False Positives or Risk Accepted vulnerabilities, you can create a workflow within the platform. For this workflow, we will leverage several custom fields.

False Positive Workflow:

The classic recommendation for creating a False Positive workflow is to create 3 different custom fields. One each for:

1. False Positive Approver: The manager or security team member that approved the False Positive status

2. False Positive Date: the date the vulnerability was designated as a False Positive

3. False Positive Notes/Justification/Link: This field can be used to make any notes regarding the False Positive, explain the status, or link to an additional tool if another tool (Sharepoint, Jira, etc.) is used as a repository for storing this data long term.

Creating these three fields helps the organization with tracking and compliance.

Risk Acceptance Workflow:

Similar to creating a False Positive workflow, the Kenna recommendation is to again create 3 different custom fields. One each for:

1. Risk Accepted Approver: The manager or security team member that approved the False Positive status

2. Risk Accepted Date: the date the vulnerability was designated as a False Positive

3. Risk Accepted Notes/Justification/Link: This field can be used to make any notes regarding the Risk Acceptance, explain the status, or link to an additional tool if another tool (Sharepoint, Jira, etc.) is used as a repository for storing this data long term.

Again, establishing these workflows will help the organization with tracking, and any future audits that may touch upon these vulnerabilities. Additionally, once you’ve Risk Accepted vulnerabilities they will be removed from the group Risk Meter score. If you would like to see the Risk Meter score had you not Risk Accepted that vulnerability, you can view the TrueRisk facet on the reporting page for that Risk Meter. Learn more about True Risk here.

To learn how to create a custom field you can click here.