Advisory Risk Classification

Definition ¶

Vulnerabilities with an Advisory risk factor are not objective risks from the industry but practical risks from SkySiege’s own consulting experience. These do not always focus on security risks but auxiliary concerns that can affect not only your security posture but the response, maintenance and visibility of the solution. We find that these risks can contribute considerable obstacles during the regular business and technical operations of an organisation.

Advisory Risks can be summarised as:

This is not a breaking issue, but SkySiege advises better patterns

Characteristics ¶

Advisory Risk Vulnerabilities usually have the following characteristics:

• Can be targeted against by experienced and organised bodies as an opinionated attack vector
• Has a longer term time horizon that is considered on each issue. Your report will provide more details
• There may not be an attack surface - details will be provided as part of any SkySiege report
• Are often found within the industry and not considered unusual

SkySiege Test Examples ¶

• SSH Keys Discovered in Account - we advise stronger and more secure shell connection tooling than SSH and provide patterns to replace this approach
• Elastic Beanstalk Usage - we provide patterns for better application management and deployment approaches rendering Elastic Beanstalk obsolete
• Untagged Resources - we advise resource tagging and provide code and patterns for implementing this alongside benefits for doing so

Response ¶

Advisory risk vulnerabilities provide guidance from decades of consulting experience that can be adapted and adopted as desired.

Treat Critical risk vulnerabilities as consulted information that can be picked up as desired at whatever priority.

Advisory risks are not likely to come up on an audit, but you may find nods of agreement and support from your product and engineering teams.