P.4.3 Automated vulnerability detection
Control Details
Objective
Detect vulnerabilities before deployment with automated tools, reducing the window of opportunity for attackers.
Definition
Review, analyze, and/or test the software’s code and the tools used to build it (AI models included) to identify or confirm the presence, remediation, and disclosure of previously undetected vulnerabilities. Tools commonly include static application security testing (SAST), dynamic application security testing (DAST), interactive application security testing (IAST), software composition analysis (SCA), and secret detection tools. Record and triage discovered issues and their recommended remediations in the development team’s workflow or issue-tracking system, so that each finding has an owner and a disposition (fix, accept, or false positive) rather than living only in scanner output.
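The recording-and-triage step in the definition above, shown as an added example that is not part of this control catalog or of any framework it references: a Python script that takes SARIF output (the interchange format most SAST, SCA and secret-detection tools can emit) from several scanners, collapses duplicate findings by fingerprint, buckets severity from each rule's CVSS-style security-severity score, drops accepted-risk suppressions, emits issue-tracker records and returns a build-gate decision. The scanner names, rule IDs, sample findings and tracker field names are constructed for illustration; only the SARIF structure itself is real.

```python
"""Normalise SARIF from several scanners, deduplicate, triage, file issues, gate the build."""
import hashlib
from dataclasses import dataclass


def _rule(rid, desc, help_text, score):
    return {"id": rid, "shortDescription": {"text": desc}, "help": {"text": help_text},
            "properties": {"security-severity": score}}


def _result(rid, level, text, uri, line, fp=None):
    r = {"ruleId": rid, "level": level, "message": {"text": text},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                              "region": {"startLine": line}}}]}
    if fp:
        r["partialFingerprints"] = {"primaryLocationLineHash": fp}
    return r


# Constructed sample scanner output (not real scan results). In a pipeline these would be
# loaded with json.load() from the SARIF files each tool writes.
SAST_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        _rule("py/sql-injection", "SQL query built from user input", "Use parameterised queries.", "8.8"),
        _rule("py/weak-hash", "MD5 used for password hashing", "Use a password KDF such as argon2.", "5.3")]}},
    "results": [
        _result("py/sql-injection", "error", "Query built with an f-string from request.args", "app/db.py", 42, "3f1c9a7e"),
        # the same finding again, as happens when a retried job uploads its report twice
        _result("py/sql-injection", "error", "Query built with an f-string from request.args", "app/db.py", 42, "3f1c9a7e"),
        _result("py/weak-hash", "warning", "hashlib.md5 applied to a password", "app/auth.py", 18, "77ab10de")]}]}

SECRETS_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-secrets", "rules": [
        _rule("aws-access-key", "AWS access key ID committed", "Revoke and rotate the key, then purge it from history.", "9.8")]}},
    # no partialFingerprints here: triage derives a stable one itself
    "results": [_result("aws-access-key", "error", "Possible AWS access key in source", "config/settings.py", 7)]}]}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule_id: str
    severity: str
    path: str
    line: int
    message: str
    remediation: str
    fingerprint: str


def severity_of(rule, level):
    """Bucket a rule's 0-10 security-severity score; fall back to the SARIF result level."""
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        s = float(score)
        return "critical" if s >= 9.0 else "high" if s >= 7.0 else "medium" if s >= 4.0 else "low"
    return {"error": "high", "warning": "medium"}.get(level, "low")


def parse_sarif(doc):
    """Flatten one SARIF 2.1.0 document into Finding records."""
    findings = []
    for run in doc["runs"]:
        driver = run["tool"]["driver"]
        rules = {r["id"]: r for r in driver.get("rules", [])}
        for res in run.get("results", []):
            rule = rules.get(res["ruleId"], {})
            loc = res["locations"][0]["physicalLocation"]
            path = loc["artifactLocation"]["uri"]
            line = loc.get("region", {}).get("startLine", 0)
            fp = res.get("partialFingerprints", {}).get("primaryLocationLineHash")
            if fp is None:  # derive a stable key so re-runs map onto the same tracker issue
                key = f"{driver['name']}|{res['ruleId']}|{path}|{line}".encode()
                fp = hashlib.sha256(key).hexdigest()[:16]
            findings.append(Finding(driver["name"], res["ruleId"], severity_of(rule, res.get("level")),
                                    path, line, res["message"]["text"],
                                    rule.get("help", {}).get("text", "See rule documentation."), fp))
    return findings


def triage(findings, suppressed=frozenset()):
    """Drop accepted-risk fingerprints, collapse duplicates, order highest severity first."""
    best = {}
    for f in findings:
        if f.fingerprint in suppressed:
            continue
        cur = best.get(f.fingerprint)
        if cur is None or SEVERITY_RANK[f.severity] > SEVERITY_RANK[cur.severity]:
            best[f.fingerprint] = f
    return sorted(best.values(), key=lambda f: (-SEVERITY_RANK[f.severity], f.path, f.line))


def should_block(findings, threshold="high"):
    """Pipeline gate: fail the build while anything at or above the threshold remains open."""
    return any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold] for f in findings)


def to_issues(findings):
    """Issue-tracker payloads (hypothetical field names; adapt to the tracker's API)."""
    return [{"title": f"[{f.severity.upper()}] {f.tool}: {f.rule_id} in {f.path}:{f.line}",
             "body": f"{f.message}\n\nRecommended remediation: {f.remediation}",
             "labels": ["security", f"severity:{f.severity}", f"tool:{f.tool}"],
             "external_id": f.fingerprint}  # lets a re-run update the issue instead of re-filing it
            for f in findings]


def run_pipeline(docs, suppressed=frozenset(), threshold="high"):
    findings = triage([f for d in docs for f in parse_sarif(d)], suppressed)
    return to_issues(findings), should_block(findings, threshold)
```

The fingerprint is what ties a finding to an existing tracker issue across runs, so the suppression list must be keyed on it and reviewed like any other risk acceptance, with an owner and an expiry. The gate threshold is a policy choice; what is not a policy choice is that a committed credential is an incident regardless of the gate, since the secret must be revoked and rotated even after the offending line is removed.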
Assessment Questions
- How is code reviewed, analyzed, and tested, for example with automated tools, to identify or confirm the presence, remediation, and disclosure of previously undetected vulnerabilities?
- How are the tools in the build and deploy pipelines reviewed, analyzed, and tested, for example with automated tools, to identify or confirm the presence, remediation, and disclosure of previously undetected vulnerabilities?
Reference sources
- EO 4e(iv) 4e(vi) 4e(viii)
- SSDF RV.1.2
- SSDF-AI RV.1.2
- BSIMM CMVM3.1
- 800-161 SA-11 RA-9 SI-7
- OWASP-SCVS 5.1 5.2
- CNCF-SSC SC-A: Prevent committing secrets to source code repository; SC-A: Automate software security scanning; M-A: Scan software for vulnerabilities; M-A: Run software composition analysis on ingested software; A-V: Perform additional checks on the artifact
- Self-attestation 3 4
- SAMM V-ST-3-B V-ST-2-A
- OSPS OSPS-QA-06 OSPS-VM-05 OSPS-VM-06