When resolving vulnerabilities, software developers perform root cause analysis and, to the greatest extent possible, remediate the entire vulnerability class rather than only the reported instance.
Regularly review and refine the software development lifecycle (SDLC) based on insights from root cause analyses to prevent identified vulnerabilities from recurring in future updates or new software. Document improvements and lessons learned in a searchable knowledge base, and integrate necessary changes into SDLC practices, fostering a proactive and preventive approach to software security.
Define and test application security metrics to establish Key Performance Indicators (KPIs) that give meaningful and actionable insight into program effectiveness. Reduce volatility in measurements by choosing metrics that reflect stable, long-term trends rather than point-in-time noise. Base KPIs not only on their relevance to security teams but also on their value to organizational leadership and to application development success. Document each KPI clearly, explaining its data sources, expected ranges, and the thresholds at which intervention is required. Share these KPIs and their associated action plans transparently with all relevant teams so that they stay aligned with organizational goals. Use both short-term and long-term targets to guide ongoing improvement, reinforcing a structured and results-driven approach to refining application security within the SDLC.
ID | Operation | Description | Phase | Agent
---|---|---|---|---
SSS-04-07-04-01-01 | Record lessons learned and identify SDLC improvements | Use insights from root cause analysis (RCA) to identify gaps or weaknesses in the SDLC process and document these in a centralized, searchable knowledge base. | Post-deployment | Security team, Development teams
SSS-04-07-04-01-02 | Update SDLC practices based on RCA findings | Revise SDLC practices to include changes that address recurring vulnerability classes, such as updated design guidelines or mandatory security checkpoints. | Development | Security team, Development leads
SSS-04-07-04-01-03 | Define and test application security KPIs | Define strategic KPIs based on meaningful security metrics, ensure the underlying data can be gathered consistently, and test the KPIs for accuracy and reliability over a trial period. | Development | Security team, Risk management team
SSS-04-07-04-01-04 | Document, share, and act on KPIs | Fully document each KPI with its data sources, acceptable ranges, and action plans for unfavorable measurements. Share the KPIs with relevant teams and leadership for transparency. | Post-deployment | Security team, Application leadership
Industry framework | Academic work | Real-world case
---|---|---
Information Security Manual (ISM-1909); NIST Secure Software Development Framework (RV.3.4); OWASP SAMM: Software Assurance Maturity Model (G-SM-2-B) | |