TASK 3.4: Control Vulnerability Exception Process
INPUT:  1.1 Scope, 3.2 Remediation
OUTPUT: 1.1 Scope, 2.3 Audit Trail

#      TO-DO / WHY
3.4.1  TO-DO: Find an executive authority to sign off on a cybersecurity exception.
       WHY: Vulnerability exceptions imply that particular vulnerabilities may not be fixed for some time. There should be some business justification for that. Hence, we need to start by defining who has the final authority to approve a vulnerability exception. In many cases, that would be a CISO; in some cases, it might be a CEO. It depends on your jurisdiction and the applicable statutes.
3.4.2  TO-DO: Establish ground rules for vulnerability exceptions.
       WHY: There should be a strong business justification. For example, heavy SCADA machinery that is expensive or impossible to replace and still functions more than ten years after the end of manufacturer support.
3.4.3  TO-DO: Establish periodic reviews of vulnerability exceptions.
       WHY: We should rely on law and compliance to establish these periodic reviews. If you are an ISO 27001 compliant entity, this would be six months.
3.4.4  TO-DO: Establish acceptable compensating controls.
       WHY: Controls set up to prevent the vulnerability from being exploited. The compensating controls should be periodically reviewed. The frequency of reviews can come from compliance and legislation.
OWASP Vulnerability Management Guide (OVMG) - June 1, 2020
16
3.4.5  TO-DO: Document each exception and store it in the company's audit system.
       WHY: The ticketing system may be used for this as well; be aware of information sensitivity and apply labels accordingly.
3.4.6  TO-DO: Create an appropriate policy.
       WHY: You can add vulnerability exceptions to your vulnerability management policy, or you can create a new one.
3.4.7  TO-DO: Communicate this policy to all employees.
       WHY: How to do this should be specified by your organizational governance.
3.4.8  TO-DO: Have vulnerability exception solicitors ask the executive authority for approval every time.
       WHY: If the vulnerability exception process is too easy, it could become a loophole. Whoever seeks an exception should solicit a higher authority to approve it.
End Goal: you must ensure that all non-compliance is approved by senior management and documented in the company-wide repository. Vulnerability exceptions must have an expiration date, after which they should be revised. Vulnerability exceptions must include compensating controls that prevent vulnerability exploitation.
III. Figures
[Figure A: Detection Cycle Inputs]
[Figure B: Reporting Cycle Inputs]
[Figure C: Remediation Cycle Input]
IV. Reference Table
Term                 Definition
Asset                A device, a system, a web or mobile application, a person
Audit(able) trail    Logs or records that provide chronological documentary evidence
CVE                  Common Vulnerabilities and Exposures
CVSS                 The Common Vulnerability Scoring System
FP                   False Positive
KPI                  Key Performance Indicator
KB                   Knowledge Base
OWASP Top 10         https://owasp.org/www-project-top-ten/
OWASP Juice Shop     https://owasp.org/www-project-juice-shop/
OWASP Mutillidae     https://github.com/webpwnized/mutillidae
PCI DSS              Payment Card Industry Data Security Standard
RACI                 Responsible, accountable, consulted and informed
SCADA                Supervisory control and data acquisition
SE                   Social Engineering
SME                  Subject Matter Expert