OWASP Vulnerability Management Guide (OVMG) - June 1, 2020
3.2.3 Establish a frequency and scope of patching, rewriting code, retraining people
Ideally, we’d like to align remediation frequency with our vulnerability testing frequency (1.3). You have to be ready for concessions at the early stages of implementing a vulnerability management program and push for improvement as you repeat these cycles monthly.
3.2.4 Establish a group of assets dedicated to remediation testing
For example, you’ve been told that a configuration fix was mass-applied -- test it right away and don’t wait until another monthly cycle of detection.
3.2.5 Report your test results to the responsible stakeholders
For the audit trail, store the test results on a shared drive or append them to the ticketing system.
3.2.6 Use the ticketing system or change management system to resolve remediation management issues
It is plausible to be in a situation where planning is behind reality. Regardless of whether it’s true or not, find a way to utilize the ticketing or change management system for your audit trail.
3.2.7 Always assign remediation work
No assignee or no deadline for necessary remediation work means that your audit trail is incomplete.
3.2.8 Include responsible, accountable stakeholders, and those who need to be informed on unresolved issues
Consult with your organizational RACI chart, or consider the following based on your knowledge: personnel who apply a remediation fix; personnel who approve remediation work; personnel who need to be aware of whether remediation has been done or not; personnel who may be impacted by upcoming work and need to be informed of it.
3.2.9 Use the frequency of your reporting cycle to follow up on open issues
You can update your reports with remediation statistics; you can count recurring vulnerabilities; you can show aging statistics in your asset groups.
End Goal: complete vulnerability remediation work. Note, remediation is not to be assumed until retested in detection (1.3 Run Tests). All vulnerability instances that couldn’t be remediated should be identified and documented.
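The follow-up statistics in 3.2.9, the audit-trail rule in 3.2.7 (every open item has an assignee and a deadline) and the end-goal rule that a fix only counts once retested can be computed from a scanner or ticketing export. The script below is an added example written for this guide, not OVMG's own code: the Finding schema and its field names are assumptions about what such an export would contain, and the four findings across four monthly cycles are constructed sample data.

```python
"""Remediation follow-up statistics for a vulnerability management report (3.2.7, 3.2.9).

Added example, not OVMG's own code. The Finding schema and the field names are
assumptions about what a scanner or ticketing export would contain; the sample
findings at the bottom are constructed.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass
class Finding:
    vuln_id: str                    # scanner check identifier (constructed labels here)
    asset: str
    asset_group: str
    cycles_seen: list               # detection cycle dates that reported this instance
    assignee: Optional[str] = None  # ticket owner (3.2.7)
    due: Optional[date] = None      # remediation deadline (3.2.7)
    fix_applied: bool = False       # remediation team claims the fix is in place
    retest_passed: bool = False     # confirmed by a retest in detection (1.3 Run Tests)

    @property
    def key(self) -> str:
        return f"{self.vuln_id}@{self.asset}"

    @property
    def is_open(self) -> bool:
        # End goal: a claimed fix is not counted as remediated until a retest confirms it.
        return not (self.fix_applied and self.retest_passed)


def audit_gaps(findings):
    """Open findings with no assignee or no deadline: the audit trail is incomplete (3.2.7)."""
    return sorted(f.key for f in findings if f.is_open and (f.assignee is None or f.due is None))


def stats_by_group(findings, as_of: date):
    """Per asset group: open/closed counts, aging in days, overdue and awaiting-retest counts (3.2.9)."""
    groups = {}
    for f in findings:
        g = groups.setdefault(f.asset_group, {"open": 0, "verified_closed": 0,
                                              "awaiting_retest": 0, "overdue": 0, "ages": []})
        if not f.is_open:
            g["verified_closed"] += 1
            continue
        g["open"] += 1
        g["ages"].append((as_of - min(f.cycles_seen)).days)  # age since first detection
        if f.fix_applied:
            g["awaiting_retest"] += 1                         # claimed fixed, retest still pending (3.2.4)
        if f.due is not None and f.due < as_of:
            g["overdue"] += 1
    report = {}
    for name, g in groups.items():
        ages = g.pop("ages")
        g["mean_age_days"] = round(mean(ages), 1) if ages else 0.0
        g["max_age_days"] = max(ages) if ages else 0
        report[name] = g
    return report


def recurring(findings, all_cycles):
    """Instances that dropped out of at least one detection cycle and were reported again (3.2.9)."""
    cycles = sorted(all_cycles)
    out = []
    for f in findings:
        seen = set(f.cycles_seen)
        first, last = min(seen), max(seen)
        if any(c not in seen for c in cycles if first <= c <= last):
            out.append(f.key)
    return sorted(out)


# Constructed sample: four monthly detection cycles and four findings.
CYCLES = [date(2020, 3, 1), date(2020, 4, 1), date(2020, 5, 1), date(2020, 6, 1)]
AS_OF = date(2020, 6, 1)
FINDINGS = [
    Finding("VULN-A", "web-01", "dmz-web", CYCLES, assignee="web-team", due=date(2020, 5, 15)),
    Finding("VULN-B", "web-02", "dmz-web", CYCLES[2:], due=date(2020, 6, 30)),   # no assignee
    Finding("VULN-C", "db-01", "internal-db", [CYCLES[0], CYCLES[2], CYCLES[3]],
            assignee="dba", due=date(2020, 4, 15), fix_applied=True),          # claimed fixed, never retested
    Finding("VULN-D", "db-02", "internal-db", [CYCLES[1]],
            assignee="dba", due=date(2020, 4, 30), fix_applied=True, retest_passed=True),
]

if __name__ == "__main__":
    print("audit gaps:", audit_gaps(FINDINGS))
    print("recurring:", recurring(FINDINGS, CYCLES))
    for group, s in stats_by_group(FINDINGS, AS_OF).items():
        print(group, s)
```

On the sample data, VULN-B shows up as an audit gap (no assignee), VULN-C is both recurring (absent from the April cycle and back in May) and still counted open despite the claimed fix because no retest confirmed it, and the internal-db group reports one verified closure, one item awaiting retest and one overdue item. Feeding the same functions each reporting cycle gives the remediation statistics, recurrence counts and aging figures that 3.2.9 asks for.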