Identification and Confirmation of Vulnerabilities on an Ongoing Basis, v1.1
Specifies requirements in accordance with NIST Secure Software Development Framework (SSDF), version 1.1, Practice RV.1: Identification and Confirmation of Vulnerabilities on an Ongoing Basis. Requires an organization to help ensure that vulnerabilities are identified more quickly so that they can be remediated more quickly in accordance with risk, reducing the window of opportunity for attackers.
Assessment Steps (3)

1. Gathering and Investigation of All Credible Software Vulnerability Reports (GatheringandInvestigationofAllCredibleSoftwareVulnerabilityReports)
Does the organization gather information from software acquirers, users, and public sources on potential vulnerabilities in the software and third-party components that the software uses, and investigate all credible reports?
Artifact A1: Provide evidence (e.g., organizational policies, procedures, compliance/assessment reports) and supporting notes as appropriate to support the assessor's response to this assessment step.

2. Detection of Previously Undetected Vulnerabilities (DetectionofPreviouslyUndetectedVulnerabilities)
Does the organization review, analyze, and/or test the software's code to identify or confirm the presence of previously undetected vulnerabilities?
Artifact A1: Provide evidence (e.g., organizational policies, procedures, compliance/assessment reports) and supporting notes as appropriate to support the assessor's response to this assessment step.

3. Policy on Vulnerability Disclosure and Remediation (PolicyonVulnerabilityDisclosureandRemediation)
Does the organization have a policy that addresses vulnerability disclosure and remediation, and implement the roles, responsibilities, and processes needed to support that policy?
Artifact A1: Provide evidence (e.g., organizational policies, procedures, compliance/assessment reports) and supporting notes as appropriate to support the assessor's response to this assessment step.
Conformance Criteria (3)

Gathering and Investigation of All Credible Software Vulnerability Reports
The organization must gather information from software acquirers, users, and public sources on potential vulnerabilities in the software and third-party components that the software uses, and investigate all credible reports.
Citation: SSDF Task RV.1.1

Detection of Previously Undetected Vulnerabilities
The organization must review, analyze, and/or test the software's code to identify or confirm the presence of previously undetected vulnerabilities.
Citation: SSDF Task RV.1.2

Policy on Vulnerability Disclosure and Remediation
The organization must have a policy that addresses vulnerability disclosure and remediation, and implement the roles, responsibilities, and processes needed to support that policy.
Citation: SSDF Task RV.1.3