SecDevOps practices are used for application development.
Configure tools to create artifacts that demonstrate adherence to secure software development practices. Enable an audit trail using the tools already in use, determine an appropriate audit frequency, set policies for retaining and managing artifact data, and assign accountability for artifact generation. This maintains transparency and accountability and supports continuous improvement of DevOps workflows.
Establish a centralized process for tracking and managing security defects to enhance accountability and transparency. Begin by defining a common understanding of what constitutes a security defect and identifying the methods to detect them, such as threat assessments, penetration tests, static and dynamic analysis tools, and responsible disclosure programs or bug bounties. Foster a blame-free culture to encourage accurate reporting and proactive mitigation of defects. Maintain a repository to log and track all identified security defects, ensuring it is accessible for relevant stakeholders to gain a comprehensive view of application risks. Define strict access controls to protect defect information from unauthorized use or leakage. Implement a qualitative classification system for defects to prioritize remediation efforts effectively and reduce duplication or false positives. Regularly review and refine the process to maintain its effectiveness and trustworthiness in improving DevOps workflows.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-02-08-01-01 | Define security defect standards | Establish a common definition and classification system for security defects, including severity levels and prioritization criteria. Ensure teams understand these definitions. | Preparation | Security team, Development teams, Testing teams, QA teams |
SSS-02-02-08-01-02 | Set up a centralized defect tracking system | Implement a tool or platform (e.g., JIRA, Azure DevOps) to record and track all security defects for each application. Ensure it supports centralized or application-specific views. | Development | DevOps team, QA teams, Security team |
SSS-02-02-08-01-03 | Integrate security defect identification sources | Link defect tracking with bug reports from threat assessments, penetration tests, static/dynamic analysis tools, and bug bounties so that all defects are captured. | Development | Security team, Testing teams, Vendor partners |
SSS-02-02-08-01-04 | Classify and prioritize security defects | Introduce a qualitative classification system for defects (e.g., critical, high, medium, low) and prioritize fixes based on severity and application impact. | Deployment | Security team, Development teams, Testing teams |
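The defect-tracking and classification steps above (a common definition, one central register fed by SAST, DAST, pentests and bug bounties, a qualitative severity scale, and deduplication) can be prototyped before a tracker such as JIRA is wired in. The following is an added example, not part of the original page or of any referenced framework: it normalises findings from several sources onto the critical/high/medium/low scale, merges duplicates that describe the same weakness at the same location, and ranks the register for remediation. The finding records, the CVSS and P1-P4 mappings, and the exposure weights are constructed assumptions for illustration.

```python
"""Centralised security-defect register: normalise, deduplicate, prioritise.

Added example (not from the page). The input records, the severity alias
table and the exposure weights are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
import hashlib

# The page's qualitative scale, ordered for comparison.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Assumed weight for application exposure; combined with severity to rank fixes.
EXPOSURE_WEIGHT = {"internet": 3, "partner": 2, "internal": 1}


@dataclass
class Defect:
    app: str
    cwe: str
    location: str          # file:line for code findings, path for runtime findings
    severity: str          # one of SEVERITY_RANK
    exposure: str          # one of EXPOSURE_WEIGHT
    title: str
    sources: set = field(default_factory=set)   # which tools/programmes reported it

    def fingerprint(self) -> str:
        """Stable key so the same weakness from SAST and a pentest merges into one record."""
        key = f"{self.app}|{self.cwe}|{self.location.lower()}"
        return hashlib.sha256(key.encode()).hexdigest()[:16]

    def priority(self) -> int:
        """Higher means fix first: severity scaled by how exposed the application is."""
        return SEVERITY_RANK[self.severity] * EXPOSURE_WEIGHT[self.exposure]


def classify(raw) -> str:
    """Map the differing labels tools use (CVSS score, P1-P4, free text) onto one scale."""
    if isinstance(raw, (int, float)):            # treat a number as a CVSS base score
        if raw >= 9.0:
            return "critical"
        if raw >= 7.0:
            return "high"
        if raw >= 4.0:
            return "medium"
        return "low"
    label = str(raw).strip().lower()
    aliases = {"p1": "critical", "p2": "high", "p3": "medium", "p4": "low", "info": "low"}
    label = aliases.get(label, label)
    if label not in SEVERITY_RANK:
        raise ValueError(f"unknown severity label: {raw!r}")
    return label


def ingest(findings) -> dict:
    """Build the register; duplicates keep the highest severity and all reporting sources."""
    register = {}
    for f in findings:
        d = Defect(app=f["app"], cwe=f["cwe"], location=f["location"],
                   severity=classify(f["severity"]), exposure=f["exposure"],
                   title=f["title"], sources={f["source"]})
        fp = d.fingerprint()
        if fp in register:
            existing = register[fp]
            existing.sources.add(f["source"])
            if SEVERITY_RANK[d.severity] > SEVERITY_RANK[existing.severity]:
                existing.severity = d.severity
        else:
            register[fp] = d
    return register


def triage(register: dict) -> list:
    """Remediation queue, most urgent first."""
    return sorted(register.values(), key=lambda d: d.priority(), reverse=True)


# Constructed sample findings from four sources; the pentest item is the same
# SQL injection the SAST tool reported, with a different casing of the path.
SAMPLE_FINDINGS = [
    {"app": "billing", "source": "sast", "cwe": "CWE-89", "location": "src/orders.py:42",
     "severity": "High", "exposure": "internet", "title": "SQL injection in order lookup"},
    {"app": "billing", "source": "pentest", "cwe": "CWE-89", "location": "SRC/orders.py:42",
     "severity": 9.8, "exposure": "internet", "title": "SQLi via order_id parameter"},
    {"app": "billing", "source": "dast", "cwe": "CWE-89", "location": "/api/orders",
     "severity": "P2", "exposure": "internet", "title": "SQL injection on /api/orders"},
    {"app": "intranet-wiki", "source": "bounty", "cwe": "CWE-79", "location": "/search",
     "severity": "low", "exposure": "internal", "title": "Reflected XSS in search"},
]

if __name__ == "__main__":
    for d in triage(ingest(SAMPLE_FINDINGS)):
        print(f"{d.priority():>3} {d.severity:<8} {d.app:<14} {d.title} "
              f"[{', '.join(sorted(d.sources))}]")
```

Running it yields three records from four findings: the SAST and pentest items collapse into one critical entry that carries both sources, the DAST item at a different endpoint stays separate, and the low-severity internal XSS ranks last. In a real deployment the fingerprint and severity mapping belong in the tracker's intake pipeline, and the register itself needs the access controls the text calls for, since it is a map of exploitable weaknesses.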
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1780); NIST Secure Software Development Framework (PO.3.3); OWASP SAMM: Software Assurance Maturity Model (I-DM-1-A) | | |