OWASP Vulnerability Management Guide (OVMG) - June 1, 2020
14
3.2.3
Establish a frequency and
scope of patching, rewriting
code, retraining people
Ideally, we’d like to align remediation frequency with our vulnerability testing
frequency (1.3). You have to be ready for concessions at the early stages of
implementing a vulnerability management program and push for improvement
as you repeat these cycles monthly.
3.2.4
Establish a group of assets
dedicated to remediation
testing
For example,
you’ve been told that a configuration fix was mass-applied -- test
it right away and don
’t wait until another monthly cycle of detection.
3.2.5
Report your test results to
the responsible stakeholders
For the audit trail, store the test results on a shared drive or append them to
the ticketing system.
3.2.6
Use the ticketing system or
change management system
to resolve remediation
management issues
It is plausible to be in a situation where planning is behind reality. Regardless
of
whether it’s true or not, find a way to utilize the ticketing or change
management system for your audit trail.
3.2.7
Always assign remediation
work
No assignee or no deadline for necessary remediation work means that your
audit trail is incomplete.
3.2.8
Include responsible,
accountable stakeholders,
and those who need to be
informed on unresolved
issues
Consult with your organizational RACI chart, or consider the following based
on your knowledge: personnel
who applies a remediation fix, personnel who
approves a remediation work; personnel who needs to be aware whether
remediation has been done or not; personnel
who may be impacted by
upcoming work and needs to be informed of it.
3.2.9
Use the frequency of your
reporting cycle to follow up
on open issues
You can update your reports with remediation statistics; you can count
recurring vulnerabilities; you can show aging statistics in your asset groups.
End Goal: complete vulnerability remediation work. Note, remediation is not to be assumed until retested in detection
(1.3 Run Tests). All vulnerability instances that c
ouldn’t be remediated should be identified and documented
Dostları ilə paylaş: