Findings
Potential vulnerabilities and business logic flaws
Findings are the potential vulnerabilities and business logic flaws that the Ghost Exorcist engine has identified in your codebase.
| Classification | Ratings | Description |
|---|---|---|
| Severity | info, low, medium, high | The severity of the finding. |
| Feasibility | easy, medium, hard | How easy the finding is to exploit. |
| Effort | easy, medium, hard | The effort needed to remediate the finding. |
Severity
Findings produced by the Ghost Exorcist engine are classified as info, low, medium, or high based on the severity of the finding. You are probably familiar with finding severity from other tools. However, with Ghost you won't find many of the low severity findings that you are used to seeing: the Exorcist engine is designed to produce more signal and less noise, so it reports far fewer low severity findings than other tools do.
Exploit feasibility
The exploit feasibility of a finding is a measure of how easy the finding is to exploit. For example, a finding that is readily exploitable without any additional circumstances is rated easy. A finding that first requires a potential attacker to perform additional actions or gain additional privileges receives a higher feasibility rating (medium or hard).
Remediation effort
The remediation effort of a finding is a measure of how much work it takes to fix. For example, a finding that requires a simple one-line code change is rated easy. A finding that requires a more complex code change, or a more involved process, receives a higher remediation effort rating (medium or hard).
Taking action
Combining the severity, exploit feasibility, and remediation effort ratings gives you a powerful prioritization lens.
For example, if a finding is high severity and easy to remediate, you might consider it an Easy Win and prioritize it accordingly.
Similarly, if a finding is high severity and easy to exploit, you might consider it a Risky Target and prioritize fixing it urgently.
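As an added example (not part of Ghost's documentation or tooling), a small Python triage helper that applies the Easy Win and Risky Target rules above to a constructed list of findings; the tie-break ordering in `priority_key` is an assumption, not something the page defines.

```python
from dataclasses import dataclass, field

# Rating scales as documented for Ghost findings.
SEVERITY = ["info", "low", "medium", "high"]
FEASIBILITY = ["easy", "medium", "hard"]   # ease of exploiting the finding
EFFORT = ["easy", "medium", "hard"]        # effort to remediate the finding


@dataclass
class Finding:
    title: str
    severity: str
    feasibility: str
    effort: str
    tags: list = field(default_factory=list)


def tag(f: Finding) -> list:
    """Apply the two labels the page describes; reject ratings outside the scales."""
    for value, scale in ((f.severity, SEVERITY), (f.feasibility, FEASIBILITY),
                         (f.effort, EFFORT)):
        if value not in scale:
            raise ValueError(f"{f.title}: unknown rating {value!r}")
    f.tags = []
    if f.severity == "high" and f.effort == "easy":
        f.tags.append("Easy Win")        # high severity, cheap to fix
    if f.severity == "high" and f.feasibility == "easy":
        f.tags.append("Risky Target")    # high severity, cheap to exploit
    return f.tags


def priority_key(f: Finding) -> tuple:
    """Assumed ordering (not from the page): most severe first, then easiest
    to exploit, then easiest to remediate. Lower tuples sort first."""
    return (-SEVERITY.index(f.severity), FEASIBILITY.index(f.feasibility),
            EFFORT.index(f.effort))


def triage(findings: list) -> list:
    """Tag every finding and return them in the order to work through."""
    for f in findings:
        tag(f)
    return sorted(findings, key=priority_key)


# Constructed sample findings; not real engine output.
SAMPLE = [
    Finding("Missing rate limit on login", "medium", "easy", "medium"),
    Finding("IDOR on invoice download", "high", "easy", "easy"),
    Finding("Verbose stack trace on error page", "info", "easy", "easy"),
    Finding("Race in coupon redemption", "high", "hard", "easy"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.severity:6} {f.feasibility:6} {f.effort:6} {f.tags or '-'}  {f.title}")
```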