How Research Supports the 2025 Bitsight Rating Algorithm Update

Written by Abdullah Al Rashid
Senior Data Scientist

Updating Bitsight's ratings algorithm for 2025

In keeping with Bitsight's ongoing commitment to making its ratings more meaningful and more representative of an ever-changing cybersecurity landscape, the Ratings Algorithm Update for 2025 (RAU 2025) is scheduled to go into preview on April 8, 2025.

The highlight of RAU 2025 is the incorporation of the Web Application Security (WAS) risk vector into the Bitsight Security Ratings [1], and the associated deprecation and removal of the Web Application Headers (WAH) risk vector. Further enhancements have also been made to other risk vector analytics to improve their quality and make them better reflect the cybersecurity postures of the entities evaluated. A companion to this technical documentation can be found here.

In this post, we’d like to share, from a data science perspective, how our research supports the 2025 RAU. 

A better way to assess the security of web applications

Bitsight's next generation Web Application Security (WAS) risk vector was introduced in 2023, offering a comprehensive, relevant, and modern suite of tests to evaluate the health of web applications. Built upon the foundation laid by the Web Application Headers (WAH) risk vector, WAS keeps the crucial assessments and areas of evaluation from WAH and adds new assessments covering a wide range of security concerns directly linked to the OWASP Top 10.

As a part of Ratings Algorithm Update for 2025 (RAU 2025), the Web Application Security (WAS) risk vector will be allocated a weight of 5% in the Bitsight Security Ratings, while the impact of Web Application Headers (WAH) will be turned off. With WAH accounting for 5% of the security ratings before RAU 2025, this is a direct replacement of impact. Weights allocated to other risk vectors remain unchanged. 

Consequently, Bitsight's assessment of the security of web applications will:

  • better represent the security postures of the entities evaluated,
  • offer more modern, relevant security assessments, and
  • map clearly to standards such as the OWASP Top 10, support an integrated user experience, and report measurements whose importance is recognized industry-wide, simplifying the path to security posture improvements.

Web Application Security currently has 21 assessments spread across 5 categories. Table 1 elaborates further upon these categories and assessments [2]. Furthermore, the WAS risk vector grade [3] is assigned on the premise that the most severe assessment failures must be addressed first to effect a rating improvement. For example, when an entity is assessed as "WARN" for Authentication on Insecure Channel and as "FAIR" for Content Security Policy (CSP) Violations, the critical path to a WAS grade improvement is to address the "WARN" (Authentication on Insecure Channel) first. This scheme enables simple and effective prioritization of any remediation effort needed for WAS.

Table 1 Categories and Assessments for Web Application Security, with Assessment Grades

“How does Web Application Headers relate to Web Application Security?”

Table 2 details how components of the deprecated WAH risk vector are transformed under the new WAS framework. WAS covers a larger range of security issues and provides a better linkage between finding failures and their severity. WAS is also better aligned with established security checklists such as the OWASP Top 10.

Table 2 How Assessments from Web Application Headers Relate to the Web Application Security Framework 

"How will my risk vector grade change?"

While risk vector grade changes for individual entities due to the transition from WAH to WAS will depend on a variety of factors, the diagram in Figure 1 presents macroscopic details of such changes [4].

Figure 1 Risk Vector Grade Changes for a Transition from WAH to WAS in the Security Ratings

A higher percentage of A and F grades is observed for WAS than for WAH, with a corresponding shrinkage in the proportions of B, C, and D. A key improvement with WAS is that the scoring impact of assessment failures is better controlled: low-severity findings have a significantly smaller impact on the score than high-severity findings.

Consistent correlation on data breach incidents and ransomware

Figures 2A and 2B present Rank Biserial Correlation (RBC) values between the security ratings and undesirable security incidents (data breaches and ransomware) across various standardized datasets. The measured RBC is negative because lower ratings indicate a higher likelihood of a security incident; the plots below show its absolute value.

Figure 2A Comparative Rank Biserial Correlation to Data Breach Incidents for Bitsight Security Ratings Before and After the Transition from Web Application Headers (RAU 2024) to Web Application Security (RAU 2025)
Figure 2B Comparative Rank Biserial Correlation to Ransomware Incidents for Bitsight Security Ratings Before and After the Transition from Web Application Headers (RAU 2024) to Web Application Security (RAU 2025)

The overlapping error bars show that the correlation is roughly unchanged by the transition.
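To make the statistic behind Figures 2A and 2B concrete, here is an added example (my own code, not Bitsight's) that computes the rank biserial correlation between a rating and a binary incident indicator from the Mann-Whitney U statistic, with a percentile-bootstrap interval standing in for the error bars, and then compares two rating versions the way the figures compare RAU 2024 and RAU 2025. The dataset is constructed: the 250 to 900 rating scale, the incident rates, and the small per-entity perturbation used to mimic the WAH to WAS swap are all assumptions.

```python
"""Rank biserial correlation (RBC) between a numeric security rating and a
binary incident outcome, with a bootstrap interval, computed from scratch.
Added example, not Bitsight's code; the dataset below is constructed."""
import random


def midranks(values):
    """1-based ranks of `values`; tied values receive the average of their ranks."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j + 2) / 2.0          # mean of the 1-based positions i+1 .. j+1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def rank_biserial(ratings, incidents):
    """RBC = P(incident entity rated above a non-incident entity)
           - P(incident entity rated below a non-incident entity),
    computed as 2*U1/(n1*n0) - 1, where U1 is the Mann-Whitney U statistic of
    the incident group.  -1 means every incident entity is rated below every
    other entity, +1 the reverse; ties count for neither side."""
    n1 = sum(incidents)
    n0 = len(incidents) - n1
    if n1 == 0 or n0 == 0:
        raise ValueError("both incident and non-incident entities are required")
    ranks = midranks(ratings)
    rank_sum_incident = sum(r for r, hit in zip(ranks, incidents) if hit)
    u1 = rank_sum_incident - n1 * (n1 + 1) / 2.0
    return 2.0 * u1 / (n1 * n0) - 1.0


def bootstrap_ci(ratings, incidents, n_boot=500, alpha=0.05, seed=0):
    """Percentile bootstrap interval for the RBC (the 'error bars' in the figures)."""
    rng = random.Random(seed)
    n = len(ratings)
    stats = []
    for _ in range(n_boot):
        idx = [rng.randrange(n) for _ in range(n)]
        inc = [incidents[i] for i in idx]
        if 0 < sum(inc) < n:             # skip resamples that contain only one group
            stats.append(rank_biserial([ratings[i] for i in idx], inc))
    stats.sort()
    lo = stats[int(alpha / 2 * len(stats))]
    hi = stats[int((1 - alpha / 2) * len(stats)) - 1]
    return lo, hi


def intervals_overlap(a, b):
    """True when two (lo, hi) intervals share at least one point."""
    return a[0] <= b[1] and b[0] <= a[1]


def constructed_sample(n=400, seed=1):
    """Constructed data (assumption, not Bitsight data): ratings on an assumed
    250-900 scale, incidents more likely below 500, and a second rating version
    that perturbs each rating slightly, standing in for the WAH -> WAS swap."""
    rng = random.Random(seed)
    before, after, incidents = [], [], []
    for _ in range(n):
        r = rng.randint(250, 900)
        p_incident = 0.35 if r < 500 else 0.08
        incidents.append(1 if rng.random() < p_incident else 0)
        before.append(r)
        after.append(max(250, min(900, r + rng.randint(-30, 30))))
    return before, after, incidents


def compare_rating_versions():
    """RBC and bootstrap interval for each rating version; negative values mean
    lower ratings go with more incidents, as in Figures 2A and 2B."""
    before, after, incidents = constructed_sample()
    results = {}
    for name, ratings in (("RAU 2024 (WAH)", before), ("RAU 2025 (WAS)", after)):
        rbc = rank_biserial(ratings, incidents)
        results[name] = {"rbc": rbc, "ci": bootstrap_ci(ratings, incidents)}
    return results


if __name__ == "__main__":
    res = compare_rating_versions()
    for name, r in res.items():
        print(f"{name}: RBC={r['rbc']:+.3f}  95% CI=({r['ci'][0]:+.3f}, {r['ci'][1]:+.3f})")
    cis = [r["ci"] for r in res.values()]
    print("error bars overlap:", intervals_overlap(*cis))
```

Because the incident indicator is binary, the RBC is just a rescaled Mann-Whitney U: it depends only on the ordering of the ratings, so a monotone re-scoring such as swapping one risk vector's weight for another's changes it only where it changes which entities rank above which. The plotted magnitude is the absolute value of the returned (negative) statistic.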

Making the ratings more transparent, reliable, and stable

In addition to the transition from WAH to WAS, the following secondary updates will take effect as part of RAU 2025:

  • When an organization has no recent findings for a risk vector, the extended impact time for expired findings will be reduced from 400 to 340 days. For the risk vectors affected by this change, a finding impacts the rating for up to 60 days after its most recent observation, and findings remain visible in the Bitsight Portal for 400 days after the most recent observation. When recent findings for an entity are missing or insufficient, Bitsight persists the available expired findings to compute an extrapolated continuation of the historical rating. Shortening that extension period from 400 to 340 days improves visibility by ensuring that any finding whose lifetime has been extended is still visible to customers in the portal.
  • The uncertainty impact for entities with no negative findings will be applied more transparently. For certain risk vectors, Bitsight applies an uncertainty adjustment to the risk vector score of entities with no negative findings. This adjustment does not change the risk vector grade, but may impact the overall security rating. It is a small penalty that shrinks as the number of findings for the risk vector increases. Prior to RAU 2025, this adjustment was estimated as part of the risk vector scoring process and was based on the relative performance of all other entities. Starting with RAU 2025, it will be determined in a well-defined way from the findings count attributed solely to the entity being rated. The following risk vectors are in scope:
    • Open Ports,
    • TLS/SSL Configurations, 
    • TLS/SSL Certificates, and
    • Server Software
  • Rating drops due to statistical fluctuations will be withheld in the absence of negative findings. Because Bitsight ratings are relative, fluctuations can arise from statistical variation within the ensemble of rated entities. Starting in RAU 2025, rating drops caused by such fluctuations will be prevented when an entity has no negative findings, allowing for greater transparency and tractability.

Conclusion 

Enhancements to the evaluation of web application security are the highlight of Bitsight's 2025 Ratings Algorithm Update. Further improvements have also been made to the transparency, reliability, and stability of the ratings.

With the Web Application Headers risk vector replaced by the significantly improved Web Application Security risk vector, the ratings remain well correlated with negative security outcomes.


[1] Sometimes referred to as the headline ratings.
[2] These are current as of the date of publication, and subject to potential future updates.
[3] This will be a letter grade: A, B, C, D, or F, as is typical for a graded risk vector.
[4] Disclaimer: Although the WAS risk vector may be considered a more advanced version of WAH, their methodologies are distinct. WAS should not be thought of as a straightforward upgrade of WAH, but as an independent risk vector. As such, and as seen from the Sankey diagram, invariance of the risk vector grade is not guaranteed when WAS replaces WAH in the security ratings.