Application scoring guide

The application score helps you gauge the general performance of each application.

Scores are based on how much of the application has been exercised, as well as the amount and severity of vulnerabilities found for that application.

Numeric scores map to letter grades that are shown in Contrast:

To calculate the application score, find the average of the application's library score and the custom code score.

To calculate the custom code score, start with 100 points and subtract penalty points for the number of vulnerabilities found in your application times a penalty weight for their severity, shown here:

Vulnerabilities are weighted differently depending on how likely they are to be exploited and how serious the effects would be.

For example, a SQL injection is considered Critical because automated tools exist to exploit them without expertise. An attacker who doesn't know anything about your application or schema can exfiltrate your entire database contents.

On the other hand, using a hashing algorithm like SHA-1 is considered Low because it has been known to exhibit serious weaknesses. Also it requires the resources of a very skilled attacker with extensive backing.

100 - (20 X 0) - (10 X 1) - (5 X 2) - (1 X 1)= 79

85 + 79 = 164
164/2 = 82

To improve your score: