In Security Assessment, you can generate Comparison Reports, which show you the differences between two Security Assessments.
About Comparison Reports
A Comparison Report consists of a Summary table and a details table. The Summary table helps you identify where risk level changes are occurring on your target database and whether the risk levels are increasing, decreasing, or staying the same. The details table lists each individual change on the target database.
In the Summary table, the risk levels are categorized as High Risk, Medium Risk, Low Risk, Advisory, and Evaluate. The categories in the first column represent types of findings. They are User Accounts, Privileges and Roles, Authorization Control, Fine-Grained Access Control, Auditing, Encryption, and Database Configuration. You can view the number of new risks added and the number of risks remediated (removed). The upward-facing arrow represents new risks. The downward-facing arrow represents remediated risks. The change value is the total count of modified risks, new risks, and remediated risks on the target database for each category/risk level.
In the details table, you can view the risk level of each change, the findings category to which the change belongs, and a description of the change. The Comparison column is important because it provides explanations of what is changed, added, or removed from the target database since the baseline report was generated. The column also tells you if the change is a new risk or a remediated risk.
Interpreting Comparison Reports
The following examples are intended to help you interpret the information in a Comparison Report.
Example 4-1 New risk in a target database
Suppose the baseline report does not contain a high risk finding in the Database Configuration category. The current assessment found one high risk finding. Therefore, the count for new risks is one. The count for remediated risks is zero. The change count is one.
Example 4-2 Modified risk in a target database
Suppose that in the baseline report, the High Risk level for the User Accounts category shows that three users have unlocked user accounts with the default password. At that point, the number of new risks is equal to one. The current assessment found two more users in the same situation. Because this is not a new risk, just a change to an existing risk, the modified risk count is equal to one and the number of new risks is zero. There are zero remediated risks, so the change count is one.
Example 4-3 Remediated risks and new risks in a target database
Suppose the baseline report contains ten Medium Risk findings in the User Accounts category. In the current assessment, three of those risks are remediated, but three new, distinct risks are found for the same category/risk level. In this case, the Summary table shows a count of three remediated risks and three new risks. There are zero modified risks, so the change count is six. Each new risk is a separate line item in the details table below the Summary table.
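The counting rules described above (new, remediated, and modified risks per category/risk level, with the change count as their sum) can be reproduced by diffing two assessments. The following Python script is an added illustration written for this page; it is not Data Safe code and does not reflect how the service stores assessments. The `Finding` structure, the finding IDs, the user names, and the three sample assessments are all constructed to mirror Examples 4-1 through 4-3.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed shape of one assessment finding (constructed for this example).
# A finding is identified by its category, risk level and a stable check ID;
# `detail` holds the affected objects (users, parameters, ...), so a change in
# the affected set counts as a *modified* risk rather than a new one.
@dataclass(frozen=True)
class Finding:
    category: str            # e.g. "User Accounts", "Database Configuration"
    risk_level: str          # "High", "Medium", "Low", "Advisory", "Evaluate"
    finding_id: str          # constructed identifier of the check
    detail: frozenset = field(default_factory=frozenset)


@dataclass
class Change:
    """One cell of the Summary table (a category/risk level pair)."""
    new: int = 0          # upward-facing arrow in the report
    remediated: int = 0   # downward-facing arrow in the report
    modified: int = 0

    @property
    def change(self) -> int:
        # The change count is the total of modified, new and remediated risks.
        return self.new + self.remediated + self.modified


def compare(baseline, current):
    """Diff two assessments. Returns (summary, details).

    summary: {(category, risk_level): Change}
    details: one (risk_level, category, finding_id, comparison) row per change,
             the equivalent of the details table.
    """
    summary = defaultdict(Change)
    details = []
    base = {(f.category, f.risk_level, f.finding_id): f for f in baseline}
    curr = {(f.category, f.risk_level, f.finding_id): f for f in current}

    for key, f in curr.items():
        cell = (f.category, f.risk_level)
        if key not in base:
            summary[cell].new += 1
            details.append((f.risk_level, f.category, f.finding_id, "new risk"))
        elif base[key].detail != f.detail:
            summary[cell].modified += 1
            added = sorted(f.detail - base[key].detail)
            removed = sorted(base[key].detail - f.detail)
            details.append((f.risk_level, f.category, f.finding_id,
                            f"modified: added {added}, removed {removed}"))

    for key, f in base.items():
        if key not in curr:
            summary[(f.category, f.risk_level)].remediated += 1
            details.append((f.risk_level, f.category, f.finding_id, "remediated risk"))

    return dict(summary), details


def render_summary(summary):
    """Render the Summary table as text lines, arrows as in the report."""
    lines = []
    for (category, level), c in sorted(summary.items()):
        lines.append(f"{category:<24} {level:<8} \u2191{c.new} \u2193{c.remediated} "
                     f"modified {c.modified} change {c.change}")
    return lines


# Constructed sample assessments that mirror the three worked examples.
BASELINE = [
    # Example 4-2: three users with the default password (High / User Accounts)
    Finding("User Accounts", "High", "UA-DEFAULT-PASSWORD",
            frozenset({"USER_A", "USER_B", "USER_C"})),
] + [Finding("User Accounts", "Medium", f"UA-MEDIUM-{i}") for i in range(10)]

CURRENT = [
    # Example 4-1: a High finding that the baseline did not have
    Finding("Database Configuration", "High", "DBCONF-EXAMPLE-PARAM",
            frozenset({"EXAMPLE_PARAMETER"})),
    # Example 4-2: the same finding now lists two more users
    Finding("User Accounts", "High", "UA-DEFAULT-PASSWORD",
            frozenset({"USER_A", "USER_B", "USER_C", "USER_D", "USER_E"})),
    # Example 4-3: three of ten Medium findings fixed, three distinct new ones
] + [Finding("User Accounts", "Medium", f"UA-MEDIUM-{i}") for i in range(3, 10)] \
  + [Finding("User Accounts", "Medium", f"UA-MEDIUM-NEW-{i}") for i in range(3)]


if __name__ == "__main__":
    summary, details = compare(BASELINE, CURRENT)
    print("\n".join(render_summary(summary)))
    for row in details:
        print(row)
```

Running the script prints one Summary row per category/risk level (Database Configuration/High: change 1; User Accounts/High: modified 1, change 1; User Accounts/Medium: three up, three down, change 6) followed by the eight details rows. The key design point is matching findings on a stable identifier rather than on their full content: that is what lets a grown affected-user list be reported as a modified risk instead of as one remediated and one new risk.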