D.1.4 Vulnerability eradication

Control Details

Objective

Proactively eradicate classes of vulnerabilities.

Definition

Review the software for similar vulnerabilities to eradicate a class of vulnerabilities, not just the instance originally discovered. Proactively fix a class of vulnerabilities rather than waiting for each instance to be discovered through automation, testing, or an external incident. Automation, such as custom rules in vulnerability discovery tools or compiler checks, can be used both to find the remaining instances and to prevent new ones from being introduced. Patterns observed in remediation efforts should feed back into the secure SDLC.
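The sweep described above, as an added example that is not part of the framework or of any particular tool: a small Python AST rule that, after a single reported yaml.load() finding, flags every member of the unsafe-deserialization class across a code base and follows import aliases that a plain grep for the original call would miss. The sink list, the SinkFinder class and SAMPLE_SOURCE are assumptions constructed for this illustration.

```python
"""Sweep Python source for a whole class of unsafe-deserialization sinks.

Hypothetical rule engine for illustration: the reported bug was one yaml.load(raw)
call; the rule flags every sibling in the class (yaml.load without a safe Loader,
yaml.unsafe_load, pickle.load/loads, marshal.load/loads) and resolves import aliases.
"""
import ast
from dataclasses import dataclass

# The vulnerability class, expressed as sink functions per module (assumed list;
# extend it as remediation work uncovers more siblings).
UNSAFE_SINKS = {
    "yaml": {"load": "yaml.load without a safe Loader", "load_all": "yaml.load_all without a safe Loader",
             "unsafe_load": "yaml.unsafe_load", "unsafe_load_all": "yaml.unsafe_load_all"},
    "pickle": {"load": "pickle.load on untrusted data", "loads": "pickle.loads on untrusted data"},
    "marshal": {"load": "marshal.load on untrusted data", "loads": "marshal.loads on untrusted data"},
}
# Loader classes that do not construct arbitrary Python objects.
SAFE_LOADERS = {"SafeLoader", "CSafeLoader", "BaseLoader", "CBaseLoader"}
# yaml functions whose safety depends on the Loader argument.
LOADER_SENSITIVE = {("yaml", "load"), ("yaml", "load_all")}


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str      # canonical "module.function", regardless of the local alias used
    message: str


class SinkFinder(ast.NodeVisitor):
    def __init__(self):
        self.module_aliases = {}  # local name -> module, e.g. {"y": "yaml"}
        self.func_aliases = {}    # local name -> (module, function), e.g. {"yload": ("yaml", "load")}
        self.findings = []

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name in UNSAFE_SINKS:
                self.module_aliases[alias.asname or alias.name] = alias.name

    def visit_ImportFrom(self, node):
        if node.module in UNSAFE_SINKS:
            for alias in node.names:
                if alias.name in UNSAFE_SINKS[node.module]:
                    self.func_aliases[alias.asname or alias.name] = (node.module, alias.name)

    def _resolve(self, func):
        """Map a call target back to (module, function) if it is a known sink, else None."""
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
            module = self.module_aliases.get(func.value.id)
            if module and func.attr in UNSAFE_SINKS[module]:
                return module, func.attr
        elif isinstance(func, ast.Name):
            return self.func_aliases.get(func.id)
        return None

    @staticmethod
    def _loader_is_safe(call):
        """True only when an explicit, known-safe Loader is passed (positionally or as Loader=)."""
        loader = call.args[1] if len(call.args) >= 2 else None
        for kw in call.keywords:
            if kw.arg == "Loader":
                loader = kw.value
        if loader is None:
            return False  # no explicit loader: the default has not been safe across PyYAML versions
        name = loader.attr if isinstance(loader, ast.Attribute) else getattr(loader, "id", None)
        return name in SAFE_LOADERS

    def visit_Call(self, node):
        target = self._resolve(node.func)
        if target is not None:
            module, function = target
            if target not in LOADER_SENSITIVE or not self._loader_is_safe(node):
                self.findings.append(Finding(node.lineno, f"{module}.{function}", UNSAFE_SINKS[module][function]))
        self.generic_visit(node)  # keep walking: arguments may contain further calls


def scan_source(source: str) -> list:
    """Return every sink of the class found in `source`, ordered by line number."""
    finder = SinkFinder()
    finder.visit(ast.parse(source))
    return sorted(finder.findings, key=lambda f: f.line)


# Constructed sample code base; line 8 is the instance that was originally reported.
SAMPLE_SOURCE = """\
import yaml
import yaml as y
import pickle
from yaml import load as yload, safe_load
from marshal import loads as mloads

def handler(raw):
    cfg = yaml.load(raw)                          # the reported instance
    ok1 = yaml.load(raw, Loader=yaml.SafeLoader)  # safe
    ok2 = safe_load(raw)                          # safe
    a = y.load(raw, Loader=yaml.Loader)           # aliased module, unsafe loader
    b = yload(raw)                                # aliased function
    c = pickle.loads(raw)                         # sibling sink in the same class
    d = mloads(raw)                               # aliased sibling sink
    ok3 = yaml.load(raw, yaml.CSafeLoader)        # positional safe loader
    return cfg, ok1, ok2, a, b, c, d, ok3
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.sink}: {f.message}")
```

On the sample, the rule reports lines 8, 11, 12, 13 and 14 and stays quiet on the three calls that pass a safe loader. In practice a rule like this belongs in the team's static analysis tooling and CI gate so that, once the class is cleaned out, any new instance is rejected before merge; that gate is the feedback into the SDLC that the definition asks for.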

Assessment Questions

  1. What is the team's process for proactively eradicating or reducing a whole class of vulnerabilities based on previously identified vulnerabilities or incidents?
  2. How are these patterns folded back into the SDLC?

Reference sources

  1. EO 4e(iv) 4e(viii)
  2. SSDF RV.3.3
  3. SSDF-AI RV.3.3
  4. BSIMM CR3.3, CMVM3.1
  5. 800-161 SI-2
  6. SAMM I-DM-3-B