SecDevOps practices are used for application development.
Develop and enforce processes and mechanisms to gather and protect the information that supports the security criteria. Use the existing toolchain to collect and analyze this data, deploy additional tools where necessary, automate decisions where possible, and restrict access to sensitive information to authorized personnel only.
Establish a secure, centralized system for tracking and managing security defect information, with strict access controls such as role-based access control (RBAC) so that only authorized personnel can view or modify records. Apply a qualitative classification framework to prioritize defects by criticality and impact, and validate incoming records to prevent duplicates and false positives. Add audit trails and cryptographic integrity checks so that every change to defect data is attributable and tampering is detectable. Regularly review access policies and system logs to identify and mitigate unauthorized or suspicious activity, maintaining the confidentiality and integrity of defect information.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-02-06-01-01 | Implement access controls | Use role-based access control (RBAC) to manage permissions for viewing, editing, and managing defect information. | Preparation | Security team |
SSS-02-02-06-01-02 | Classify and prioritize defects | Develop a framework to classify defects based on criticality and impact to streamline remediation efforts. | Development | QA teams, Security team |
SSS-02-02-06-01-03 | Enforce data integrity | Use cryptographic checks and audit trails to protect defect records and monitor any changes. | Deployment | Security team, DevOps team |
SSS-02-02-06-01-04 | Review access and logs | Continuously monitor user access logs and system activities to detect and respond to unauthorized actions. | Post-deployment | Security team, Development teams |
SSS-02-02-06-01-05 | Prevent duplication and false positives | Implement mechanisms to validate defect records, reducing errors and ensuring reliable defect data. | Development | Development teams |
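The five operations above map onto a small amount of code. The following is an added example, not part of this control catalog or of any referenced framework: a minimal defect registry that enforces RBAC on view/edit/manage, classifies each defect from constructed criticality and impact scales, de-duplicates findings by a stable fingerprint, keeps an HMAC-chained audit trail that detects tampering, and flags users who repeatedly hit permission denials. All role names, scales, thresholds and sample defects are hypothetical.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Set

# Hypothetical role model (constructed for this example): roles map to the
# permissions the table calls "viewing, editing, and managing".
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "security": {"view", "edit", "manage"},
    "developer": {"view", "edit"},
    "qa": {"view"},
}

# Constructed classification scales; a real program would take these from
# its own criticality/impact framework (SSS-02-02-06-01-02).
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EXPLOITABILITY = {"trivial": 3, "moderate": 2, "hard": 1}

GENESIS = "0" * 64  # chain anchor for the first audit entry


class PermissionDenied(Exception):
    pass


class DuplicateDefect(Exception):
    pass


def classify(severity: str, exploitability: str) -> str:
    """Map criticality x impact onto a remediation priority (P1 is most urgent)."""
    score = SEVERITY[severity] * EXPLOITABILITY[exploitability]
    if score >= 9:
        return "P1"
    if score >= 4:
        return "P2"
    return "P3"


def fingerprint(component: str, cwe: str, location: str) -> str:
    """Stable identity for a finding so that re-scans do not create duplicates."""
    raw = f"{component}|{cwe}|{location}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


class DefectRegistry:
    def __init__(self, audit_key: bytes) -> None:
        self._key = audit_key          # held by the security team, not by users
        self._defects: Dict[str, dict] = {}
        self._audit: List[dict] = []   # HMAC-chained, append-only trail
        self._prev_mac = GENESIS

    def _record(self, user: dict, action: str, details: dict) -> None:
        """Append an audit entry whose MAC covers its body and the previous MAC."""
        entry = {
            "seq": len(self._audit),
            "user": user["name"],
            "action": action,
            "details": details,
            "prev": self._prev_mac,
        }
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["mac"] = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        self._audit.append(entry)
        self._prev_mac = entry["mac"]

    def _authorize(self, user: dict, action: str) -> None:
        """RBAC check; denials are themselves recorded for later review."""
        if action not in ROLE_PERMISSIONS.get(user["role"], set()):
            self._record(user, "denied", {"action": action})
            raise PermissionDenied(f"{user['name']} may not {action}")

    def report(self, user: dict, component: str, cwe: str, location: str,
               severity: str, exploitability: str) -> str:
        self._authorize(user, "edit")
        fid = fingerprint(component, cwe, location)
        if fid in self._defects:          # same finding already tracked
            raise DuplicateDefect(fid)
        priority = classify(severity, exploitability)
        self._defects[fid] = {"component": component, "cwe": cwe, "location": location,
                              "priority": priority, "status": "open"}
        self._record(user, "create", {"id": fid, "priority": priority})
        return fid

    def view(self, user: dict, fid: str) -> dict:
        self._authorize(user, "view")
        return dict(self._defects[fid])

    def close(self, user: dict, fid: str) -> None:
        self._authorize(user, "manage")
        self._defects[fid]["status"] = "closed"
        self._record(user, "close", {"id": fid})

    def verify_audit_trail(self) -> bool:
        """Recompute every MAC and chain link; False means the trail was altered."""
        prev = GENESIS
        for entry in self._audit:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body["prev"] != prev:
                return False
            payload = json.dumps(body, sort_keys=True).encode()
            expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["mac"]):
                return False
            prev = entry["mac"]
        return True

    def users_with_repeated_denials(self, threshold: int = 3) -> Set[str]:
        """Log review (SSS-02-02-06-01-04): users that keep hitting access denials."""
        counts: Dict[str, int] = {}
        for e in self._audit:
            if e["action"] == "denied":
                counts[e["user"]] = counts.get(e["user"], 0) + 1
        return {u for u, n in counts.items() if n >= threshold}
```

The HMAC key is what makes the trail evidence rather than a plain log: anyone who can edit the storage can rewrite a SHA-256 chain, but cannot forge MACs without the key, so the key must live with the security team or an HSM, not with the application's ordinary users. Chaining alone does not detect truncation of the newest entries, so the latest MAC should also be periodically exported to a store the registry cannot write to.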
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1780); NIST Secure Software Development Framework (PO.4.2); OWASP SAMM: Software Assurance Maturity Model (I-DM-1-A) | | |