Vulnerabilities identified in applications are resolved by software developers in a timely manner.
Develop and execute a risk response plan for each identified vulnerability, making remediation decisions based on risk severity and potential impact. Where an immediate fix is not feasible, implement temporary mitigations to reduce exposure until one is. Issue security advisories to inform stakeholders of known vulnerabilities, and use automated mechanisms to deploy remediations swiftly and consistently. Update all relevant records to reflect the actions taken, so that the vulnerability management process stays transparent and accountable. The aim is a comprehensive, risk-based approach: timely, informed responses and clear communication that together minimize risk exposure.
Develop a defined, repeatable process for addressing open-source software (OSS) vulnerabilities and incidents. This plan should prioritize timely and efficient remediation based on severity and potential business impact. Include mechanisms to issue advisories to stakeholders about known vulnerabilities and outline steps for applying temporary mitigations or automated fixes when immediate solutions are not feasible. Integrate this response plan into your overall vulnerability management framework, ensuring all updates and actions are documented to maintain transparency and accountability. Regularly review and refine the process to adapt to evolving threats, fostering a proactive and responsive approach to OSS security incidents.
ID | Operation | Description | Phase | Agent |
---|---|---|---|---|
SSS-04-06-02-01-01 | Establish an OSS incident response framework | Document the steps for OSS incident handling, including triage, investigation, and resolution, in an internal wiki. | Preparation | Security team, Risk management team |
SSS-04-06-02-01-02 | Triage and assess vulnerabilities | Use CVSS scores and contextual data (e.g., usage in critical services) to prioritize a vulnerability in Log4j as Critical. | Development | Security team, Development managers |
SSS-04-06-02-01-03 | Implement risk responses and temporary mitigations | Deploy a WAF rule to block exploitation of a vulnerable OSS library while patching systems during the next maintenance window. | Deployment | Security team, DevOps team |
SSS-04-06-02-01-04 | Communicate and deliver remediations | Publish a customer-facing advisory about a patched OSS vulnerability and deploy the updated library using Jenkins pipelines. | Deployment | Security team, PR team, Development teams |
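The triage, risk-response and record-keeping operations above (SSS-04-06-02-01-02 through -04) can be expressed as one small decision routine. The following is an added example written for this page, not tooling from the framework or any of the cited standards; the CVSS-to-rating thresholds follow the CVSS v3 qualitative scale, while the contextual escalation rules, the remediation windows (SLA_DAYS) and the sample finding are assumptions chosen for illustration. The advisory identifier is a constructed placeholder, not a real CVE.

```python
"""Risk-based triage and response planning for an OSS vulnerability finding.

Added example, not the framework's own tooling. Escalation rules, SLA windows
and the sample finding are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

SEVERITY_ORDER = ["None", "Low", "Medium", "High", "Critical"]

# Assumed remediation windows per priority (days); None means "track only".
SLA_DAYS = {"Critical": 2, "High": 14, "Medium": 30, "Low": 90, "None": None}


@dataclass
class Finding:
    component: str           # e.g. "log4j-core"
    version: str             # affected version in use
    advisory: str            # upstream advisory or CVE id (placeholder in the sample)
    cvss_base: float         # CVSS v3 base score, 0.0-10.0
    internet_exposed: bool   # reachable from untrusted networks?
    asset_criticality: str   # "high", "medium" or "low" business criticality
    exploited_in_wild: bool  # active exploitation publicly reported?
    patch_available: bool    # has upstream shipped a fixed version?


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def prioritize(f: Finding) -> str:
    """Adjust the CVSS rating with deployment context to get an internal priority."""
    level = SEVERITY_ORDER.index(severity_from_cvss(f.cvss_base))
    if f.internet_exposed and f.asset_criticality == "high":
        level += 1  # exposed and business-critical: treat one step worse
    if f.exploited_in_wild:
        level += 1  # active exploitation shortens the window further
    if not f.internet_exposed and f.asset_criticality == "low":
        level -= 1  # isolated, low-value system: can wait one step longer
    level = max(0, min(len(SEVERITY_ORDER) - 1, level))
    return SEVERITY_ORDER[level]


def plan_response(f: Finding, today: date) -> dict:
    """Decide patch vs. temporary mitigation, advisory and deadline for one finding."""
    priority = prioritize(f)
    window = SLA_DAYS[priority]
    deadline = today + timedelta(days=window) if window is not None else None
    urgent = priority in ("Critical", "High")
    actions = []
    if f.patch_available:
        actions.append(f"deploy fixed {f.component} via automated pipeline")
    elif urgent:
        # No fix yet but the risk is high: reduce exposure now, patch when upstream ships.
        actions.append(f"apply temporary mitigation for {f.component} (e.g. blocking rule, disable feature)")
        actions.append("re-evaluate when an upstream fix is released")
    else:
        actions.append("track upstream fix; no mitigation required at this priority")
    if urgent:
        actions.append("issue advisory to stakeholders")
    return {"component": f.component, "advisory": f.advisory, "priority": priority,
            "deadline": deadline, "actions": actions}


def record_decision(ledger: list, plan: dict, decided_by: str, today: date) -> list:
    """Append the decision to a ledger so every action taken is traceable."""
    ledger.append({"date": today.isoformat(), "decided_by": decided_by, **plan})
    return ledger


if __name__ == "__main__":
    # Constructed sample finding, loosely modelled on the Log4j case in the table.
    today = date(2024, 1, 15)
    finding = Finding("log4j-core", "2.14.1", "ADVISORY-PLACEHOLDER", 10.0,
                      True, "high", True, True)
    ledger = record_decision([], plan_response(finding, today), "security-team", today)
    for entry in ledger:
        print(entry)
```

The context adjustments are what turn a generic CVSS rating into a decision the page asks for: the same 7.5 score lands on a 14-day window with a temporary mitigation when no patch exists, but drops to a 90-day tracking item on an isolated, low-value host. The ledger entry is the record the framework expects to be updated after each action.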
Industry framework | Academic work | Real-world case |
---|---|---|
Information Security Manual (ISM-1754); NIST Secure Software Development Framework (RV.2.2); S2C2F: Secure Supply Chain Consumption Framework (INV-2) | | |