A Security Practices Evaluation Framework

Track Vulnerabilities

Track software vulnerabilities detected in the software, and prioritize their resolution.

Description

Vulnerabilities, whether they are found in development, testing, or production, are identified in a way that allows the project team to understand, resolve, and verify the fix quickly and efficiently. Track software vulnerabilities detected in the software, and prioritize their resolution.

Practice Implementation Questions

  1. Does the project have a plan for responding to security issues (vulnerabilities)?
  2. Does the project have an identified contact for handling vulnerability reports?
  3. Does the project have a defect tracking system?
  4. Are vulnerabilities flagged as such in the project’s defect tracking system?
  5. Are vulnerabilities assigned a severity/priority?
  6. Are vulnerabilities found during operations recorded in the defect tracking system?
  7. Are vulnerabilities tracked through their repair and the re-release of the affected software?
  8. Does the project have a list of the vulnerabilities most likely to occur, based on its security requirements, threat modeling, technical stack, and defect tracking history?
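As an added illustration, and not part of the framework text, the following Python model shows what questions 4 through 8 look like in defect-tracker data: each defect carries a vulnerability flag, a vulnerability cannot be filed without a severity, findings from production are recorded alongside those from development and testing, every vulnerability advances in order through repair to re-release of the affected software, and the tracking history yields the list of weakness classes that recur most often. The severity scale, lifecycle states, category labels, and all records are constructed assumptions, not data from any real project.

```python
# Added example, not part of the SP-EF framework text: a minimal defect
# tracker model for the practice questions above. The severity scale,
# lifecycle states, category labels, and all records are constructed.
from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    REPORTED = 1
    TRIAGED = 2
    FIXED = 3      # fix merged, affected release not yet shipped
    RELEASED = 4   # fixed software re-released (question 7)


# Assumed priority scale; a higher rank is handled first.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass
class Defect:
    id: str
    title: str
    is_vulnerability: bool = False      # question 4: flagged as such
    severity: Optional[str] = None      # question 5: required for vulnerabilities
    category: Optional[str] = None      # assumed free-text weakness class
    found_in: str = "development"       # development | testing | production
    state: State = State.REPORTED


class Tracker:
    def __init__(self) -> None:
        self.defects: Dict[str, Defect] = {}

    def file(self, d: Defect) -> Defect:
        # A vulnerability without a severity cannot be prioritized; reject it.
        if d.is_vulnerability and d.severity not in SEVERITY_RANK:
            raise ValueError(f"{d.id}: vulnerability filed without a valid severity")
        self.defects[d.id] = d
        return d

    def advance(self, defect_id: str, new_state: State) -> Defect:
        # The lifecycle moves one step at a time, so nothing is closed before release.
        d = self.defects[defect_id]
        if new_state.value != d.state.value + 1:
            raise ValueError(f"{d.id}: cannot move from {d.state.name} to {new_state.name}")
        d.state = new_state
        return d

    def vulnerabilities(self) -> List[Defect]:
        return [d for d in self.defects.values() if d.is_vulnerability]

    def open_vulnerabilities_by_priority(self) -> List[Defect]:
        # Highest severity first; among equals, production findings before others.
        open_vulns = [d for d in self.vulnerabilities() if d.state is not State.RELEASED]
        return sorted(open_vulns,
                      key=lambda d: (-SEVERITY_RANK[d.severity], d.found_in != "production", d.id))

    def unshipped_fixes(self) -> List[Defect]:
        # Fixed in the repository, but the affected software has not been re-released.
        return [d for d in self.vulnerabilities() if d.state is State.FIXED]

    def top_vulnerability_classes(self, n: int = 3) -> List[Tuple[str, int]]:
        # Question 8: which weakness classes recur in this project's own history.
        counts = Counter(d.category for d in self.vulnerabilities() if d.category)
        return counts.most_common(n)

    def summary(self) -> Dict[str, int]:
        vulns = self.vulnerabilities()
        return {
            "vulnerabilities": len(vulns),
            "production_vulns_recorded": sum(d.found_in == "production" for d in vulns),  # question 6
            "open_vulnerabilities": sum(d.state is not State.RELEASED for d in vulns),
            "fixed_not_released": len(self.unshipped_fixes()),
        }


def build_sample_tracker() -> Tracker:
    """Constructed sample records; ids, titles and categories are made up."""
    t = Tracker()
    t.file(Defect("V-1", "SQL injection in search", True, "high", "injection", "production", State.TRIAGED))
    t.file(Defect("V-2", "Stored XSS in comments", True, "medium", "xss", "testing", State.FIXED))
    t.file(Defect("V-3", "Hard-coded service credential", True, "critical", "credentials", "development", State.RELEASED))
    t.file(Defect("V-4", "Injection in report export", True, "high", "injection", "testing"))
    t.file(Defect("B-5", "Typo in footer", False, None, None, "testing", State.FIXED))
    return t


if __name__ == "__main__":
    tracker = build_sample_tracker()
    print([d.id for d in tracker.open_vulnerabilities_by_priority()])
    print(tracker.summary())
    print(tracker.top_vulnerability_classes(2))
```

The two checks a reviewer applying this practice would run most often are `unshipped_fixes()`, which surfaces vulnerabilities that are fixed in the repository but not yet in a released build (the gap question 7 is about), and `top_vulnerability_classes()`, which turns the tracker history into the "most likely to occur" list of question 8 so that it can be compared against the project's threat model and security requirements.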

Keywords

bug, bug bounty, bug database, bug tracker, defect, defect tracking, incident, incident response, severity, top bug list, vulnerability, vulnerability tracking

BSIMM CMVM 2.2: Track software bugs found during ops through the fix process.