Applications are comprehensively tested for vulnerabilities, using static application security testing and dynamic application security testing, prior to their initial release and any subsequent releases.
Continuously gather information on potential vulnerabilities in both the software and the third-party components it relies on. Monitor public vulnerability databases, draw on threat intelligence sources, and use tools that automatically review software composition and provenance data (for example, a software bill of materials) to stay informed about emerging threats. This proactive monitoring ensures that credible reports are promptly investigated, shortening the time during which a known vulnerability remains unaddressed in the software.
Implement automated tools to scan open-source software (OSS) dependencies for known vulnerabilities, drawing on public vulnerability databases such as the National Vulnerability Database (NVD) and tools such as OWASP Dependency-Check or Snyk. Integrate the scan with the CI/CD pipeline so that vulnerable components are detected at build time, before they reach deployment, and fail the build when findings exceed an agreed severity threshold. Maintain the ability to update OSS components promptly to mitigate identified risks. Regularly review vulnerability reports and prioritize remediation by severity and by the impact on the affected application, not by severity score alone. Employ software composition analysis (SCA) tools to track component provenance and to ensure that only supported, up-to-date versions of OSS are used. This approach minimizes the risk introduced by third-party dependencies while improving overall software security.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-10-01-01-01 | Integrate automated vulnerability scanners | Use Software Composition Analysis (SCA) tools to scan open-source software (OSS) dependencies for known vulnerabilities during the build and deployment phases. | Development | DevOps team, Security team |
SSS-02-10-01-01-02 | Generate and review vulnerability reports | Generate reports from the scanner and review them with the owning teams; for example, a report highlighting a high-severity vulnerability in a third-party library used in the backend API. | Development | Security team, Development leads |
SSS-02-10-01-01-03 | Plan and execute updates for vulnerable OSS | Develop a plan to update OSS dependencies to mitigate identified vulnerabilities while ensuring compatibility with existing code and functionality. | Deployment | Development teams, QA team |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-0402); NIST Secure Software Development Framework (RV.1.1); S2C2F: Secure Supply Chain Consumption Framework (SCA-1) | | |
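The operations above describe what an SCA scan in the pipeline does without showing the mechanics. The following Python script is an added example, not code from this page or from any of the tools it names: it parses pinned dependencies, matches each against advisory version ranges expressed in the OSV "events" shape (introduced/fixed), and returns a gate decision the CI job can turn into a non-zero exit. The requirements file, the EXAMPLE-… advisory IDs, the packages, versions and severities are all constructed for illustration and are not real advisories; the simplified version comparison is an assumption (a real scanner applies PEP 440 or semver ordering).

```python
"""Minimal dependency scan in the style of an SCA tool: pinned
requirements are matched against OSV-style version ranges and the
build is failed above a severity threshold. All inputs are constructed."""
import re
import sys

# Constructed requirements.txt content; versions chosen for the example.
REQUIREMENTS = """\
# backend API dependencies (constructed sample)
requests==2.25.1
fastapi==0.95.0
PyYAML==5.3.1
cryptography==41.0.7
"""

# Constructed advisories using OSV's "events" shape (introduced/fixed).
# IDs, ranges and severities are placeholders, not real advisories.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "pyyaml", "severity": "CRITICAL",
     "events": [{"introduced": "0"}, {"fixed": "5.4"}]},
    {"id": "EXAMPLE-0002", "package": "requests", "severity": "MEDIUM",
     "events": [{"introduced": "2.3.0"}, {"fixed": "2.31.0"}]},
    {"id": "EXAMPLE-0003", "package": "fastapi", "severity": "HIGH",
     "events": [{"introduced": "0.80.0"}, {"fixed": "0.90.0"}]},
]

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def parse_version(text):
    """Turn a dotted numeric version into a fixed-width tuple so that
    5.4 and 5.4.0 compare equal and 5.3.1 < 5.4. Pre-release tags are
    ignored (assumption); a real tool applies PEP 440 / semver rules."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_affected(version, events):
    """OSV semantics: each 'introduced' opens a range that the next
    'fixed' closes; a trailing 'introduced' with no 'fixed' is open-ended."""
    v = parse_version(version)
    start = None
    for event in events:
        if "introduced" in event:
            start = parse_version(event["introduced"])
        elif "fixed" in event and start is not None:
            if start <= v < parse_version(event["fixed"]):
                return True
            start = None
    return start is not None and v >= start


def parse_requirements(text):
    """Read 'name==version' pins; names are normalised to lower case."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        pins[name.strip().lower()] = version.strip()
    return pins


def scan(requirements_text, advisories):
    """Return one finding per (pinned package, advisory) match, most severe first."""
    pins = parse_requirements(requirements_text)
    findings = []
    for adv in advisories:
        version = pins.get(adv["package"].lower())
        if version is not None and is_affected(version, adv["events"]):
            findings.append({"package": adv["package"], "version": version,
                             "id": adv["id"], "severity": adv["severity"]})
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f["severity"]])


def should_fail_build(findings, fail_on="HIGH"):
    """Gate policy: fail when any finding is at or above the threshold."""
    return any(SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[fail_on] for f in findings)


if __name__ == "__main__":
    results = scan(REQUIREMENTS, ADVISORIES)
    for f in results:
        print(f"{f['severity']:8} {f['package']}=={f['version']}  {f['id']}")
    sys.exit(1 if should_fail_build(results) else 0)
```

With the constructed data the script reports the PyYAML pin (inside the [0, 5.4) range) and the requests pin (inside [2.3.0, 2.31.0)), ignores fastapi 0.95.0 because it is past the fixed version, and exits 1 because a CRITICAL finding clears the HIGH threshold; lowering `fail_on` to "CRITICAL" or raising it changes only the gate, not the report, which is the knob a team tunes when it first introduces the check.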
Develop and maintain management dashboards and reports to monitor compliance with patching processes and service-level agreements (SLAs) across all software components. Configure dependency management and application packaging systems so that a single component can be patched and released on its own, without waiting for a full application release, so that updates can meet SLA deadlines. Treat any missed or delayed update as a security defect, subject to triage and resolution under the established defect management process. Go beyond routine vendor notifications by actively monitoring external threat intelligence sources for vulnerabilities, including zero-day threats for which no vendor patch yet exists. Handle vulnerabilities as part of a comprehensive risk management strategy: identify every affected application and component, apply compensating controls where a patch is not yet available, and track the item until it is remediated.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-02-10-01-02-01 | Implement patch management dashboards | Develop dashboards and reports to track compliance with patching SLAs across the application portfolio, ensuring visibility for stakeholders. | Post-deployment | IT operations, Security team |
SSS-02-10-01-02-02 | Enable component-level patch deployment | Ensure application dependency management and packaging processes can support rapid deployment of component-level patches at any time. | Deployment | DevOps team, Development teams |
SSS-02-10-01-02-03 | Treat missed updates as defects | Log missed updates as security-related defects in the defect management system, and prioritize them for triage and resolution based on risk and SLA impact. | Deployment | Security team, Development leads |
SSS-02-10-01-02-04 | Monitor threat intelligence sources | Continuously monitor external threat intelligence for zero-day vulnerabilities and associated patches, integrating findings into risk management processes. | Development | Security team, IT operations |
SSS-02-10-01-02-05 | Handle zero-day vulnerabilities as risks | Treat zero-day vulnerabilities as risk management issues, applying temporary mitigations or compensating controls while awaiting vendor patches. | Deployment | Security team, Risk management team |
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-0402); NIST Secure Software Development Framework (RV.1.1); OWASP SAMM: Software Assurance Maturity Model (O-EM-3-B) | | |
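The operations above ask for SLA dashboards, for missed updates to be logged as defects, and for unpatched zero-days to be carried as risks with compensating controls. The following Python script is an added example of how those three outputs can be derived from one inventory; it is not code from this page or from any named framework. The SLA values, the applications, components, EXAMPLE-… advisory IDs, dates and the report date are all constructed for illustration, and the SLA table in particular is an assumption to be replaced by the organization's own policy.

```python
"""Patch-SLA compliance report: age each advisory against a per-severity
SLA, file unmitigated overdue items as security defects, and keep
mitigated-but-unpatched items (e.g. zero-days) on the risk register.
All data is constructed for the example."""
from collections import defaultdict
from datetime import date, timedelta

# Remediation SLA in days from disclosure, by severity. These values are
# an assumption for the example; set them from your own policy.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}

# Date the report is generated for (constructed).
REPORT_DATE = date(2024, 4, 1)

# Constructed inventory: one row per (application, component, advisory).
INVENTORY = [
    {"app": "billing-api", "component": "libfoo", "advisory": "EXAMPLE-1001",
     "severity": "CRITICAL", "disclosed": date(2024, 3, 1),
     "patched": date(2024, 3, 5), "mitigated": False},
    {"app": "billing-api", "component": "libbar", "advisory": "EXAMPLE-1002",
     "severity": "HIGH", "disclosed": date(2024, 2, 1),
     "patched": None, "mitigated": False},
    {"app": "portal", "component": "libbaz", "advisory": "EXAMPLE-1003",
     "severity": "CRITICAL", "disclosed": date(2024, 3, 20),
     "patched": None, "mitigated": True},   # no vendor fix yet; WAF rule in place
    {"app": "portal", "component": "libqux", "advisory": "EXAMPLE-1004",
     "severity": "MEDIUM", "disclosed": date(2024, 1, 15),
     "patched": None, "mitigated": False},
]


def deadline(row):
    """SLA deadline is disclosure date plus the severity's allowance."""
    return row["disclosed"] + timedelta(days=SLA_DAYS[row["severity"]])


def status(row, today):
    """Classify a row relative to its SLA deadline."""
    due = deadline(row)
    if row["patched"] is not None:
        return "patched_in_sla" if row["patched"] <= due else "patched_late"
    if today <= due:
        return "open_in_sla"
    return "open_mitigated" if row["mitigated"] else "overdue"


def defects(inventory, today):
    """Missed updates become defects: unmitigated rows past their deadline,
    most overdue first, ready to be filed in the defect tracker."""
    out = []
    for row in inventory:
        if status(row, today) == "overdue":
            out.append({"app": row["app"], "component": row["component"],
                        "advisory": row["advisory"], "severity": row["severity"],
                        "days_overdue": (today - deadline(row)).days})
    return sorted(out, key=lambda d: -d["days_overdue"])


def risk_register(inventory, today):
    """Past-SLA rows covered only by compensating controls stay tracked as risks."""
    return [row["advisory"] for row in inventory
            if status(row, today) == "open_mitigated"]


def dashboard(inventory, today):
    """Per-application counts feeding the management report."""
    summary = defaultdict(lambda: {"total": 0, "compliant": 0,
                                   "overdue": 0, "mitigated": 0})
    for row in inventory:
        s = status(row, today)
        entry = summary[row["app"]]
        entry["total"] += 1
        entry["compliant"] += int(s in ("patched_in_sla", "open_in_sla"))
        entry["overdue"] += int(s == "overdue")
        entry["mitigated"] += int(s == "open_mitigated")
    for entry in summary.values():
        entry["compliance_pct"] = round(100 * entry["compliant"] / entry["total"], 1)
    return dict(summary)


if __name__ == "__main__":
    for app, entry in dashboard(INVENTORY, REPORT_DATE).items():
        print(f"{app}: {entry}")
    for d in defects(INVENTORY, REPORT_DATE):
        print(f"DEFECT {d['severity']} {d['app']}/{d['component']} "
              f"{d['advisory']} {d['days_overdue']}d overdue")
    print("risk register:", risk_register(INVENTORY, REPORT_DATE))
```

The split between `defects` and `risk_register` is the point: an unpatched HIGH that has simply been missed (EXAMPLE-1002, 30 days past its deadline) is a defect for the development team, whereas a CRITICAL with no vendor fix but a compensating control in place (EXAMPLE-1003) is a risk to be reviewed and re-evaluated, not a defect that can be closed by applying a patch. Either way it counts against the application's compliance figure, so the dashboard does not hide it.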