[ISM] Security testing:

Applications are comprehensively tested for vulnerabilities, using static application security testing and dynamic application security testing, prior to their initial release and any subsequent releases.

[SSDF] Monitor and respond to vulnerabilities proactively (SSS-02-10-01)

Continuously gather information on potential vulnerabilities in both the software and any third-party components it relies on. Monitor public vulnerability databases, leverage threat intelligence sources, and use tools that automatically review software composition and provenance data to stay informed about emerging threats. This proactive monitoring ensures that credible reports are promptly investigated, reducing the risk of known vulnerabilities in the software.

[S2C2F] Continuously monitor and remediate vulnerabilities in OSS dependencies (SSS-02-10-01-01)

Implement automated tools to scan open-source software (OSS) dependencies for known vulnerabilities, leveraging public vulnerability databases like the National Vulnerability Database (NVD) and tools such as OWASP Dependency-Check or Snyk. Maintain the ability to update OSS components promptly to mitigate identified risks. Ensure the monitoring process integrates with the CI/CD pipeline to detect vulnerabilities early in the development lifecycle. Regularly review vulnerability reports and prioritize remediation based on severity and impact to reduce exposure to emerging threats. Employ software composition analysis (SCA) tools to track component provenance and ensure only secure, updated versions of OSS are used. This approach minimizes risks associated with third-party dependencies while enhancing overall software security.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-10-01-01-01 | Integrate automated vulnerability scanners | Use Software Composition Analysis (SCA) tools to scan open-source software (OSS) dependencies for known vulnerabilities during the build and deployment phases. | Development | DevOps team, Security team
SSS-02-10-01-01-02 | Generate and review vulnerability reports | Review a report highlighting a high-severity vulnerability in a third-party library used in the backend API. | Development | Security team, Development leads
SSS-02-10-01-01-03 | Plan and execute updates for vulnerable OSS | Develop a plan to update OSS dependencies to mitigate identified vulnerabilities while ensuring compatibility with existing code and functionality. | Deployment | Development teams, QA team
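
The CI gate described by the three operations above, as an added example that is not part of this framework: it compares a pinned lockfile against an advisory feed, ranks findings by CVSS, and fails the build at the high/critical threshold. The lockfile and advisory records are constructed and the advisory IDs are placeholders; a real pipeline would pull them from an SCA tool or NVD/OSV.

```python
"""Added example (not the framework's code): gate a build on known-vulnerable OSS dependencies."""

# Constructed lockfile in requirements.txt style for a hypothetical service.
LOCKFILE = """\
requests==2.25.0
pyyaml==5.3.1
jinja2==3.1.2
"""
# Constructed advisories modelled loosely on NVD/OSV records; IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "package": "pyyaml", "fixed_in": "5.4", "cvss": 9.8},
    {"id": "ADV-PLACEHOLDER-2", "package": "requests", "fixed_in": "2.31.0", "cvss": 6.1},
    {"id": "ADV-PLACEHOLDER-3", "package": "jinja2", "fixed_in": "3.1.0", "cvss": 5.4},
]

def parse_lockfile(text):
    """Map package name -> pinned version from 'name==version' lines (comments and blanks skipped)."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "==" in line:
            name, version = line.split("==", 1)
            deps[name.lower()] = version
    return deps

def version_tuple(v):
    """Numeric-only versions compare correctly as tuples: (5, 3, 1) < (5, 4)."""
    return tuple(int(p) for p in v.split("."))

def severity(cvss):
    """CVSS v3 qualitative rating used to prioritise remediation."""
    return "critical" if cvss >= 9.0 else "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"

def find_vulnerable(deps, advisories):
    """Findings (highest CVSS first) for pinned versions older than the advisory's fixed version."""
    findings = []
    for adv in advisories:
        pinned = deps.get(adv["package"])
        if pinned and version_tuple(pinned) < version_tuple(adv["fixed_in"]):
            findings.append({**adv, "pinned": pinned, "severity": severity(adv["cvss"])})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)

def build_should_fail(findings, min_cvss=7.0):
    """CI gate: fail on any high/critical finding; lower-rated ones are reported for planned updates."""
    return any(f["cvss"] >= min_cvss for f in findings)

if __name__ == "__main__":
    found = find_vulnerable(parse_lockfile(LOCKFILE), ADVISORIES)
    print(*(f"{f['severity']}: {f['package']}=={f['pinned']} (fixed in {f['fixed_in']})" for f in found), sep="\n")
    raise SystemExit(1 if build_should_fail(found) else 0)
```

With the constructed data the run reports pyyaml (critical) and requests (medium), leaves jinja2 alone because its pin is already past the fixed version, and exits non-zero because of the critical finding.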

References

Industry framework:
  Information Security Manual (ISM-0402)
  NIST Secure Software Development Framework (RV.1.1)
  S2C2F: Secure Supply Chain Consumption Framework (SCA-1)
Academic work: none listed
Real-world case: none listed

[SAMM] Enforce timely patch management across the portfolio (SSS-02-10-01-02)

Develop and maintain management dashboards and reports to monitor compliance with patching processes and service-level agreements (SLAs) across all software components. Ensure that dependency management and application packaging systems are configured to support the rapid application of component-level patches, enabling updates to meet SLA requirements promptly. Treat any missed or delayed updates as critical security defects, subject to triage and resolution in line with established defect management protocols. Go beyond routine vendor notifications by actively monitoring external threat intelligence sources to stay informed about vulnerabilities, including zero-day threats. Address vulnerabilities as part of a comprehensive risk management strategy, ensuring that all affected applications and components are evaluated and remediated to mitigate exposure.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-10-01-02-01 | Implement patch management dashboards | Develop dashboards and reports to track compliance with patching SLAs across the application portfolio, ensuring visibility for stakeholders. | Post-deployment | IT operations, Security team
SSS-02-10-01-02-02 | Enable component-level patch deployment | Ensure application dependency management and packaging processes can support rapid deployment of component-level patches at any time. | Deployment | DevOps team, Development teams
SSS-02-10-01-02-03 | Treat missed updates as defects | Log missed updates as security-related defects in the defect management system, and prioritize them for triage and resolution based on risk and SLA impact. | Deployment | Security team, Development leads
SSS-02-10-01-02-04 | Monitor threat intelligence sources | Continuously monitor external threat intelligence for zero-day vulnerabilities and associated patches, integrating findings into risk management processes. | Development | Security team, IT operations
SSS-02-10-01-02-05 | Handle zero-day vulnerabilities as risks | Treat zero-day vulnerabilities as risk management issues, applying temporary mitigations or compensating controls while awaiting vendor patches. | Deployment | Security team, Risk management team

References

Industry framework:
  Information Security Manual (ISM-0402)
  NIST Secure Software Development Framework (RV.1.1)
  OWASP SAMM: Software Assurance Maturity Model (O-EM-3-B)
Academic work: none listed
Real-world case: none listed

[SSDF] Conduct automated vulnerability analysis regularly (SSS-02-10-02)

Implement regular code analysis and testing to detect vulnerabilities early in the development process. Configure the toolchain to perform automated static application security testing (SAST) and review software code to identify potential security weaknesses before they reach production. Early detection of vulnerabilities through automated analysis minimizes resources needed for remediation and enhances overall security.

[SAMM] Develop application-specific security test cases (SSS-02-10-02-01)

Optimize the effectiveness of automated security testing tools by tailoring them to specific technology stacks and applications. Focus on minimizing false positives (incorrectly identified vulnerabilities) and false negatives (missed actual vulnerabilities) to improve accuracy and reduce unnecessary developer workload. Start by configuring tools to ignore technologies and frameworks not used within the project and target specific software versions. This approach increases execution speed and reduces noise from irrelevant results. Collaborate with security tool champions or shared security teams to pilot these tools, identify common false positives, and fine-tune tool configurations to address project-specific needs. Leverage tool customization options to reflect application-specific coding styles and organizational standards. For instance, define rules to identify potentially dangerous inputs and validate them through designated sanitization methods. Emphasize gradual adoption, ensuring reliable detection of a subset of critical security issues first, and then expanding coverage incrementally as the tool's performance is refined. Strategically, machine learning techniques can further enhance tool accuracy by filtering out likely false positives. Once tools are sufficiently tuned, expand their deployment to additional development teams while maintaining continuous feedback loops to measure their effectiveness and impact on security outcomes.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-10-02-01-01 | Customize security testing tools | Configure a SAST tool like SonarQube to focus on Java frameworks like Spring Boot and ignore unused PHP rules. | Development | Security team, DevOps team, Security champions
SSS-02-10-02-01-02 | Pilot tools with select development teams | Work with one development team to refine OWASP ZAP configurations for identifying XSS issues in a React application. | Development | Security team, Development teams
SSS-02-10-02-01-03 | Develop application-specific test rules | Create a custom SAST rule to detect unsafe use of an internal authentication library. | Development | Security champions, Development leads
SSS-02-10-02-01-04 | Incrementally extend test coverage | Focus initial tests on SQL injection and XSS, then add rules for identifying insecure object deserialization. | Deployment | Security team, Development teams
SSS-02-10-02-01-05 | Monitor tool performance and efficacy | Use dashboards to monitor false positive rates and gather feedback from developers about tool usability and accuracy. | Deployment | Security team, Development managers
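
An application-specific rule of the kind the paragraph and operation SSS-02-10-02-01-03 describe (dangerous inputs must pass through a designated sanitization method before reaching an internal authentication library), as an added example that is not part of this framework or of any SAST product. The source names (request.args, request.form), the sanitizer sanitize_username and the sink internal_auth.lookup_user are hypothetical; the sample code it scans is constructed.

```python
"""Added example (not the framework's code): AST rule flagging request input that reaches an internal auth call unsanitized."""
import ast
SOURCES = {"request.args", "request.form"}      # dangerous inputs (hypothetical web framework)
SANITIZERS = {"sanitize_username"}              # designated sanitization method (hypothetical)
SINKS = {"internal_auth.lookup_user"}           # internal auth library call to protect (hypothetical)

def dotted(node):
    """'a.b.c' for a Name/Attribute chain, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute) and (base := dotted(node.value)):
        return f"{base}.{node.attr}"
    return None

def is_tainted(node, tainted):
    """True if the expression reads a source or a tainted name; a sanitizer call cleans its result."""
    if isinstance(node, ast.Call):
        f = dotted(node.func) or ""
        if f in SANITIZERS:                                   # the designated cleaning step
            return False
        return any(f.startswith(s + ".") for s in SOURCES) or any(is_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, (ast.Attribute, ast.Subscript)):      # request.args / request.form["q"]
        return dotted(node) in SOURCES or is_tainted(node.value, tainted)
    if isinstance(node, (ast.BinOp, ast.JoinedStr, ast.FormattedValue)):   # concatenation, f-strings
        return any(is_tainted(c, tainted) for c in ast.iter_child_nodes(node))
    return False

def find_unsanitized_sinks(source):
    """Return (function, line) for sink calls whose arguments carry unsanitized request input."""
    findings = []
    for func in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        tainted = set()
        for node in (n for stmt in func.body for n in ast.walk(stmt)):   # straight-line, in order
            if isinstance(node, ast.Assign) and isinstance(node.targets[0], ast.Name):
                (tainted.add if is_tainted(node.value, tainted) else tainted.discard)(node.targets[0].id)
            elif isinstance(node, ast.Call) and dotted(node.func) in SINKS and any(is_tainted(a, tainted) for a in node.args):
                findings.append((func.name, node.lineno))
    return findings

SAMPLE = '''\
def login(request):
    name = request.args.get("user")
    return internal_auth.lookup_user(name)            # flagged: raw input reaches the sink
def login_sanitized(request):
    name = sanitize_username(request.args.get("user"))
    return internal_auth.lookup_user(name)            # clean: passed through the sanitizer
def search(request):
    label = f"user:{request.form['q']}"
    return internal_auth.lookup_user(label)           # flagged: taint survives the f-string
'''
```

The rule deliberately tracks only straight-line assignments inside one function, which is the gradual, low-false-positive starting point the paragraph recommends; branches, loops and cross-function flows would be the next increment.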

References

Industry framework:
  Information Security Manual (ISM-0402)
  NIST Secure Software Development Framework (RV.1.2)
  OWASP SAMM: Software Assurance Maturity Model (V-ST-2-A)
Academic work: none listed
Real-world case: none listed

[SSDF] Assess executable testing requirements thoroughly (SSS-02-10-03)

Evaluate whether executable code testing should be performed to uncover vulnerabilities that might not have been identified through prior reviews, analyses, or automated testing. Follow organizational guidelines to select appropriate testing types, considering the software’s current development stage and whether the code is in-house or from third parties. This approach ensures that potential security gaps are addressed comprehensively.

[SAMM] Establish a penetration testing process (SSS-02-10-03-01)

Define a systematic penetration testing process to assess security across various development phases. Use project-specific security test cases to guide manual penetration testing, focusing on both static and dynamic vulnerabilities. Prioritize testing in the pre-release phase, and for systems that require live testing, adopt controlled techniques like blue-green deployments or A/B testing to ensure security without disrupting production environments. Design test cases to cover application-specific scenarios, such as validating business logic, and broader vulnerabilities associated with design and implementation flaws. Empower quality assurance teams and development staff with specialized training to conduct these tests effectively. Monitor and support initial test executions with guidance from a central security team to foster best practices. Encourage external evaluations through bug bounty programs to complement internal testing, leveraging the expertise of external security researchers. This approach broadens talent access and strengthens overall testing capabilities. Before release, review penetration testing outcomes with stakeholders to address identified risks and create a timeline for resolving issues. Disseminate findings across development teams to improve security awareness and practices organization-wide.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-10-03-01-01 | Develop penetration testing cases | Include test cases for business logic flaws like bypassing payment flows and OWASP Top 10 vulnerabilities such as SQL injection. | Development | Security team, Quality assurance (QA) team
SSS-02-10-03-01-02 | Execute manual penetration testing | Test the authentication module for password brute-forcing vulnerabilities and validate session management robustness. | Development | Penetration testers, Security champions
SSS-02-10-03-01-03 | Leverage bug bounty programs | Use platforms like HackerOne or Bugcrowd to attract ethical hackers and crowdsource penetration testing efforts. | Deployment | Security team, Bug bounty coordinators
SSS-02-10-03-01-04 | Review and address test findings | Document failing test cases, such as insufficient input validation, and assign fixes to development teams with defined deadlines. | Deployment | Development managers, Security team

References

Industry framework:
  Information Security Manual (ISM-0402)
  NIST Secure Software Development Framework (PW.8.1)
  OWASP SAMM: Software Assurance Maturity Model (V-ST-2-B)
Academic work: none listed
Real-world case: none listed

[SSDF] Conduct comprehensive security test procedures (SSS-02-10-04)

Define the scope and design of comprehensive security tests, conduct the tests, and document results within the development workflow or issue tracking system. Conduct functional testing of security features, dynamic vulnerability testing, and tests for previously reported vulnerabilities. Use additional techniques such as fuzz testing, penetration testing, and root cause analysis to strengthen security. Document all issues, remediations, and lessons learned, and use resources like source code and design records to inform ongoing test planning.

[SAMM] Establish continuous, scalable security verification (SSS-02-10-04-01)

Embed security testing as a parallel process across all phases of the development lifecycle, from requirement analysis to design and construction. Avoid concentrating testing efforts at a single stage, such as pre-release, by integrating automated, low-friction security tests early into development tools and CI/CD pipelines. Early detection reduces remediation costs and ensures rapid resolution of vulnerabilities. Proactively enhance security testing by propagating insights from prior testing activities. For instance, if penetration tests reveal session management issues, these insights should trigger focused retesting before code changes are deployed to production. Utilize a combination of automated and manual tests, guided by security champions and centralized secure software groups, to ensure thorough coverage. Continuously document test outcomes, remediations, and lessons learned, and integrate these insights into organizational playbooks to improve the efficiency and efficacy of future tests. Address unremediated risks collaboratively with stakeholders by establishing actionable timelines and accountability for resolution. Through this approach, maintain robust, scalable security practices across the development lifecycle.

Operations

ID | Operation | Description | Phase | Agent
SSS-02-10-04-01-01 | Integrate security testing at all stages | Run SAST tools during pull requests in GitHub and integrate DAST tools into post-build tests for applications. | Development | Security team, Development teams
SSS-02-10-04-01-02 | Continuously triage and prioritize issues | Automate severity scoring using CVSS in JIRA and assign critical issues for immediate resolution to development teams. | Development | DevOps team, Security champions
SSS-02-10-04-01-03 | Propagate security test results proactively | After a penetration test highlights SQL injection vulnerabilities, add specific SQL injection tests to automated scanning tools. | Deployment | Security team, Development managers
SSS-02-10-04-01-04 | Continuously review and enhance testing efforts | Update the organization's secure coding guidelines with new insights from recent security test findings. | Deployment | Security champions, Security team
SSS-02-10-04-01-05 | Establish accountability for accepted risks | Use an internal dashboard to track accepted risks and associated deadlines, with regular reminders for stakeholders and managers. | Post-deployment | Development managers, Security team

References

Industry framework:
  Information Security Manual (ISM-0402)
  NIST Secure Software Development Framework (PW.8.2)
  OWASP SAMM: Software Assurance Maturity Model (V-ST-3-B)
Academic work: none listed
Real-world case: none listed