D.1.6 Root cause analysis
Control Details
Objective
Reduce the frequency of vulnerabilities in the future
Definition
Analyze vulnerabilities discovered throughout the process and in production to determine their root cause: how each one was introduced and why it was not discovered earlier, before reaching production. Incident response findings should be fed back to developers and considered when evolving the SDLC. Record lessons learned. Identify patterns, such as SDLC security controls that are not being followed. Discuss and disseminate these patterns to developers. Guide process correction when the current process is not being followed.
Assessment Questions
- How do you analyze identified vulnerabilities to determine their root cause, including how the vulnerability was introduced and, where applicable, how it escaped vulnerability detection efforts and made it into production?
- How do you communicate trends to developers? How can trends identified in root cause be factored into your SDLC process?