Vulnerabilities identified in applications are resolved by software developers in a timely manner.
Thoroughly analyze each identified vulnerability to understand the risk it poses and to inform a suitable remediation or risk response plan. Document vulnerabilities in an issue tracking system, and assess their risk by considering factors such as exploitability, potential impact, and severity. Use these risk calculations to prioritize remediation efforts, ensuring that the most critical vulnerabilities are addressed promptly while maintaining an efficient vulnerability management process. It highlights the importance of structured documentation, risk assessment, and prioritization to enable timely and effective resolution of vulnerabilities.
Implement a structured and organization-wide methodology to rate and prioritize security defects based on exploitability, potential impact, and severity. Store information about these defects centrally or ensure easy aggregation from distributed sources to identify high-risk areas requiring immediate attention. Establish service-level agreements (SLAs) for fixing defects according to their criticality, and monitor SLA adherence regularly. For cases where fixing a defect within SLA is impractical or uneconomical, define compensating controls and ensure all stakeholders clearly understand the associated risks. Even for low-severity issues without formal SLAs, provide regular updates to ensure awareness across teams about defects impacting their systems and any cumulative risks these defects might create. This consistent approach helps maintain focus on critical vulnerabilities, facilitates clear communication among stakeholders, and ensures timely and effective risk mitigation.
| ID | Operation | Description | Phase | Agent |
|---|---|---|---|---|
| SSS-04-06-01-01-01 | Define and apply a security defect rating methodology | Use CVSS (Common Vulnerability Scoring System) to assign severity ratings like Critical, High, Medium, or Low. | Development | Security team, Risk management team |
| SSS-04-06-01-01-02 | Centralize security defect tracking | Implement tools like JIRA or ServiceNow for centralized defect tracking and reporting. | Development | Security team, Development leads |
| SSS-04-06-01-01-03 | Introduce slas for defect resolution | Set SLAs such as 30 days for High severity defects and 90 days for Medium severity defects, with daily reminders for overdue issues. | Deployment | Security team, Development managers |
| Industry framework | Academic work | Real-world case |
|---|---|---|
|
Information Security Manual (ISM-1754) NIST Secure Software Development Framework (RV.2.1) OWASP SAMM: Software Assurance Maturity Model (I-DM-2-A) |