D.1.1 Vulnerability analysis

Control Details

Objective

Plan the resolution of discovered vulnerabilities

Definition

Record each discovered vulnerability in a defect management system. Analyze each vulnerability to gather enough information to plan its remediation. Plan a risk response and set its priority, for example by estimating the probability that the vulnerability is exploited and the impact if it is.

Assessment Questions

  1. How are discovered vulnerabilities recorded and triaged?
  2. How are the vulnerabilities prioritized for remediation?
  3. What mechanisms are used for prioritization, e.g., is a severity rating such as CVSS used to aid prioritization?
  4. Is access to vulnerability information controlled more restrictively than access to ordinary bug tracker defects?

Reference sources

  1. EO 4e(iv), 4e(viii)
  2. SSDF RV.2.1
  3. SSDF-AI RV.2.1
  4. S2C2F SCA-5
  5. BSIMM CMVM1.3
  6. 800-161 SA-15
  7. SAMM I-DM-2-A