Analysis of Vulnerabilities to Identify Their Root Causes, v1.1
Specifies requirements in accordance with the NIST Secure Software Development Framework (SSDF), version 1.1, Practice RV.3: Analyze Vulnerabilities to Identify Their Root Causes. The practice requires an organization to analyze the vulnerabilities it identifies so that it can reduce the frequency of vulnerabilities in the future, rather than fixing each report in isolation.
Assessment Steps (4)
1
Root Cause Analysis for Identified Vulnerabilities (RootCauseAnalysisforIdentifiedVulnerabilities)
Does the organization analyze identified vulnerabilities to determine their root causes?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.
|
2
Vulnerability Root Cause Pattern Analysis (VulnerabilityRootCausePatternAnalysis)
Does the organization analyze the root causes over time to identify patterns, such as a particular secure coding practice not being followed consistently?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.
|
3
Software Review for Proactive Vulnerability Class Elimination (SoftwareReviewforProactiveVulnerabilityClassElimination)
Does the organization review the software for similar vulnerabilities to eradicate a class of vulnerabilities, and proactively fix them rather than waiting for external reports?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.
|
4
SDLC Review and Update Based on Vulnerability Class Discovery (SDLCReviewandUpdateBasedonVulnerabilityClassDiscovery)
Does the organization review the SDLC process, and update it if appropriate to prevent (or reduce the likelihood of) the root cause recurring in updates to the software or in new software that is created?
Artifact
A1
Provide evidence (e.g. organizational policies, procedures, compliance/assessment reports, etc.) and supporting notes as appropriate to support the assessor's response to this assessment step.
|
Conformance Criteria (4)
Root Cause Analysis for Identified Vulnerabilities
The organization must analyze identified vulnerabilities to determine their root causes.
Citation
SSDF
Task RV.3.1
|
Vulnerability Root Cause Pattern Analysis
The organization must analyze the root causes over time to identify patterns, such as a particular secure coding practice not being followed consistently.
Citation
SSDF
Task RV.3.2
|
Software Review for Proactive Vulnerability Class Elimination
The organization must review the software for similar vulnerabilities to eradicate a class of vulnerabilities, and proactively fix them rather than waiting for external reports.
Citation
SSDF
Task RV.3.3
|
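Assessment step 3 and conformance criterion RV.3.3 both ask whether the organization hunts for further instances of a vulnerability class once one instance is known (variant analysis). The following is an added example of what that review can look like in practice; it is not part of the SSDF text and not tooling from any assessed organization. It assumes the root cause of a reported bug was a SQL query assembled from untrusted input with string formatting and passed to `cursor.execute()`, walks every Python AST in a small, constructed in-memory repository, and reports every `execute()`/`executemany()` sink whose query argument is not a string literal. The sink names and the sample files are assumptions chosen for illustration.

```python
"""Variant analysis for a known vulnerability class (added example).

Given one reported bug (SQL built by string formatting), find every other
sink in the code base that takes a non-literal query, so the whole class can
be fixed before anyone else reports it. The repository below is constructed
for the example; real use would read files from disk.
"""
from __future__ import annotations

import ast
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    reason: str


def _non_literal_query_reason(node: ast.AST) -> Optional[str]:
    """Return why the query argument is unsafe, or None for a plain literal.

    A literal first argument (with bound parameters passed separately) is the
    correct pattern, so it is not flagged. Anything else is reported; a bare
    name is flagged conservatively because this pass does no data-flow
    tracking, which keeps recall high at the cost of some triage work.
    """
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return None
    if isinstance(node, ast.JoinedStr):
        return "f-string"
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return "string concatenation/% formatting"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return "str.format()"
    return "non-literal query expression"


def find_variants(sources: Dict[str, str],
                  sinks=("execute", "executemany")) -> List[Finding]:
    """Walk each file's AST and flag sink calls with a non-literal query."""
    findings: List[Finding] = []
    for path, code in sources.items():
        tree = ast.parse(code, filename=path)
        for node in ast.walk(tree):
            if not isinstance(node, ast.Call):
                continue
            if not isinstance(node.func, ast.Attribute):
                continue
            if node.func.attr not in sinks or not node.args:
                continue
            reason = _non_literal_query_reason(node.args[0])
            if reason is not None:
                findings.append(Finding(path, node.lineno, reason))
    return sorted(findings, key=lambda f: (f.path, f.line))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per root-cause pattern; feeds the over-time analysis."""
    return dict(Counter(f.reason for f in findings))


# Constructed sample repository: one reported bug plus its undiscovered variants.
SAMPLE_REPO: Dict[str, str] = {
    "app/users.py": '''
def get_user(cur, name):
    # the originally reported bug: query built with an f-string
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
''',
    "app/orders.py": '''
def list_orders(cur, user_id, status):
    # variant: % formatting
    cur.execute("SELECT * FROM orders WHERE user_id = %d" % user_id)
    # variant: str.format()
    cur.execute("SELECT * FROM orders WHERE status = '{}'".format(status))
    # correctly parameterised query: must not be flagged
    cur.execute("SELECT * FROM orders WHERE user_id = %s", (user_id,))
''',
    "app/reports.py": '''
def report(cur, table):
    query = "SELECT count(*) FROM " + table
    # variant: query assembled earlier and passed through a name; flagged
    # conservatively because the pass does not track data flow
    cur.execute(query)
''',
}


if __name__ == "__main__":
    for f in find_variants(SAMPLE_REPO):
        print(f"{f.path}:{f.line}: {f.reason}")
    print(summarize(find_variants(SAMPLE_REPO)))
```

The point of the example is the workflow rather than the specific matcher: the seed bug defines the class, the scan enumerates every other sink in scope, and the per-reason counts from `summarize()` are the raw material for the pattern analysis that step 2 and RV.3.2 ask for. Production variant analysis would use a query engine such as CodeQL or Semgrep with data-flow tracking; the AST walk here is enough to show why a single fix is not the end of the job.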
SDLC Review and Update Based on Vulnerability Class Discovery
The organization must review the SDLC process, and update it if appropriate to prevent (or reduce the likelihood of) the root cause recurring in updates to the software or in new software that is created.
Citation
SSDF
Task RV.3.4
|