Skip to main content

Application scoring guide

The application score helps you gauge the general performance of each application.

Scores are based on how much of the application has been exercised, as well as the amount and severity of vulnerabilities found for that application.

Numeric scores map to letter grades that are shown in Contrast:

  • A: 90-100

  • B: 80-89

  • C: 70-79

  • D: 60-69

  • F: 35-59

To calculate the application score, find the average of the application's library score and the custom code score.

To calculate the custom code score, start with 100 points and subtract penalty points for the number of vulnerabilities found in your application times a penalty weight for their severity, shown here:

  • Critical: Multiply the number of vulnerabilities by 20

  • High: Multiply the number of vulnerabilities by 10

  • Medium: Multiply the number of vulnerabilities by 5

  • Low: Multiply the number of vulnerabilities by 1

Vulnerabilities are weighted differently depending on how likely they are to be exploited and how serious the effects would be.

For example, a SQL injection is considered Critical because automated tools exist to exploit them without expertise. An attacker who doesn't know anything about your application or schema can exfiltrate your entire database contents.

On the other hand, using a hashing algorithm like SHA-1 is considered Low because it has been known to exhibit serious weaknesses. Also it requires the resources of a very skilled attacker with extensive backing.


For example, to calculate your application score:

First determine your custom code score. If your application had 0 Critical, 1 High, 2 Medium and 1 Low vulnerability, your custom code score would be:

100 - (20 X 0) - (10 X 1) - (5 X 2) - (1 X 1)= 79

If you are running Contrast on an application with a library score of 85 and a custom code score of 79, your application score would be 82 which would be a B.

85 + 79 = 164
164/2 = 82

To improve your score:

  • Enable Protect rules and CVE shields to remove protected vulnerabilities from the score calculation.

  • Remediate Critical and High vulnerabilities in your custom code.

  • Address the vulnerable libraries.

  • Update High risk libraries.