
[Feature Request] KPIs section #394

Open
ArielGanem opened this issue Jan 24, 2025 · 1 comment

Comments

@ArielGanem

Hello,
I would like to propose the addition of several Key Performance Indicators (KPIs) to the SysReptor tool. These KPIs would provide valuable insights into penetration testing activities and help users track their performance over time. Below are the KPIs I believe would be beneficial:

  • Ranking of Vulnerabilities Encountered by Title: Display the number of occurrences for each vulnerability type (e.g., 10 CORS, 8 XSS, 5 SQLI, etc.).
  • Total Vulnerabilities Detected: Show the total number of vulnerabilities detected per month and per year, along with a breakdown by category (Critical, High, Medium, Low, Informational).
  • CVSS Score Ranking: Provide a ranking of vulnerabilities based on their CVSS scores (e.g., 15 Low, 10 Medium, 5 High, etc.).
  • Number of Reports Generated: Display the total number of reports generated per month and per year.
  • Vulnerability Trends Over Time: Visualize the evolution of the number of vulnerabilities detected over time.
  • Comparative Analysis: Allow comparison of results across different periods (quarterly, annually).
  • Export/Download Capability: Enable users to export or download these KPIs for further analysis and reporting.

Additionally, there may be other KPIs that the tool could provide which I haven't mentioned.
Implementing these features would be beneficial for all users of SysReptor, particularly in professional settings, as it would enhance their ability to analyze performance and improve overall penetration testing efforts.

Thank you for considering this request!
Best regards

@MWedl
Contributor

MWedl commented Jan 27, 2025

Hi,
thanks for the suggestion. I think KPIs would best fit into a plugin that needs to be explicitly enabled when needed/desired.

There are some technical challenges that need to be considered when implementing:

  • database encryption: Collecting KPIs and statistics from many projects is inefficient, because every finding of every project needs to be decrypted to retrieve data (e.g. CVSS, title, etc.). Depending on the number of projects and findings, the KPI request might take some seconds to finish.
  • handling deleted/archived projects: The total number of projects does not only increase, but might also decrease because old projects might get archived or deleted. Once a project is archived (and encrypted with the 4-eye principle), SysReptor can no longer access its contents. When an archived project is restored, a new project gets created, which is not actually new and might also interfere with KPI calculations.
  • time series data: In order to visualize trends over time, periodic snapshots of KPIs need to be saved to the database (e.g. daily).
  • global vs. per-user KPIs: Depends on the use-case what you want to use KPIs for. Global KPIs might leak finding information when they are accessible by unprivileged users that do not have access to all projects included in KPI calculations.
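The following is an added illustration of the KPIs requested in the issue (ranking by title, severity breakdown, per-month counts, period comparison, export) computed in a way that respects the two access concerns raised in the reply: archived projects are skipped because their contents are not readable, and each user's KPIs are computed only over projects that user is a member of, so a global number cannot leak findings from projects the user cannot open. This is example code written for this page, not SysReptor's code or data model; `Project`, `Finding`, the `members` set and the sample findings are constructed assumptions, and the in-memory list stands in for findings that have already been decrypted (the decryption cost noted above is outside this sketch).

```python
"""Added example: per-user KPI aggregation over already-decrypted findings.
Not SysReptor code; Project/Finding are hypothetical stand-ins."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Project:
    id: str
    members: frozenset        # users allowed to read this project's findings
    archived: bool = False    # archived => contents not decryptable by the server


@dataclass(frozen=True)
class Finding:
    project_id: str
    title: str
    cvss: float               # CVSS v3.x base score, 0.0 .. 10.0
    created: date


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative bands; the 0.0 band (spec: 'None') is shown as Informational."""
    if score <= 0.0:
        return "Informational"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def readable_project_ids(projects, user):
    """Projects allowed into this user's KPI scope: not archived, user is a member."""
    return {p.id for p in projects if not p.archived and user in p.members}


def compute_kpis(findings, projects, user):
    """Per-user KPIs: only findings from projects the user can read are counted."""
    scope = readable_project_ids(projects, user)
    visible = [f for f in findings if f.project_id in scope]
    return {
        "projects": len(scope),
        "total": len(visible),
        "by_title": Counter(f.title for f in visible),
        "by_severity": Counter(cvss_severity(f.cvss) for f in visible),
        "per_month": Counter(f.created.strftime("%Y-%m") for f in visible),
    }


def period_delta(kpis, later, earlier):
    """Comparative analysis: change in finding count between two 'YYYY-MM' periods."""
    return kpis["per_month"][later] - kpis["per_month"][earlier]


def to_csv_rows(kpis):
    """Flat (metric, key, value) rows suitable for a CSV export."""
    rows = [("total", "", kpis["total"]), ("projects", "", kpis["projects"])]
    for metric in ("by_severity", "by_title", "per_month"):
        rows += [(metric, k, v) for k, v in sorted(kpis[metric].items())]
    return rows


# Constructed sample data for the example, not real findings.
PROJECTS = [
    Project("p1", frozenset({"alice", "bob"})),
    Project("p2", frozenset({"alice"})),
    Project("p3", frozenset({"alice", "bob"}), archived=True),
]
FINDINGS = [
    Finding("p1", "Reflected XSS", 6.1, date(2025, 1, 10)),
    Finding("p1", "CORS misconfiguration", 5.3, date(2025, 1, 12)),
    Finding("p2", "SQL injection", 9.8, date(2025, 1, 20)),
    Finding("p2", "Reflected XSS", 6.1, date(2024, 12, 5)),
    Finding("p2", "Verbose server banner", 0.0, date(2024, 12, 7)),
    Finding("p3", "SQL injection", 9.8, date(2024, 11, 1)),  # archived: never counted
]

if __name__ == "__main__":
    for user in ("alice", "bob"):
        k = compute_kpis(FINDINGS, PROJECTS, user)
        print(user, k["total"], dict(k["by_severity"]), dict(k["by_title"]))
```

With the sample data, alice (member of both readable projects) sees five findings while bob, who cannot open `p2`, sees only the two from `p1` and never learns that a SQL injection exists elsewhere; the archived `p3` contributes nothing to either user. A trend view would persist the `compute_kpis` result per user on a schedule, as the reply suggests, rather than recomputing over every project on each request.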
