AIS-07: Application Vulnerability Remediation

PF v1.0 References:

Control is new to this version of the control set and incorporates the following control from the previous version: TVM-02: Vulnerability / Patch Management.

Control Statement

Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.

Implementation Guidance

Application security remediation should adhere to the following guidelines:

  1. Follow defined remediation processes, designed, tested, and implemented by security and application teams.
  2. Remediate risks as early in the SDLC as possible, such as during the design or development stages.
  3. Have defined roles and responsibilities, including escalation paths for application security incident response and remediation.
  4. Follow a risk-based approach to address high-risk incidents that significantly impact application availability, integrity, or confidentiality.
  5. Leverage automation when possible to increase remediation efficiency and accuracy.

Processes, roles, responsibilities, and documentation established for application security remediation should be reviewed periodically by management. Examples of an automated approach and the metrics used to measure it:

  • GitOps-based remediation of application vulnerabilities.
  • Automated remediation efficacy metric: total number of remediations of active critical/high vulnerabilities performed through Git for the given period.
  • Total number of active critical/high vulnerabilities identified for the given period.
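The two metrics above are only meaningful if "active in the period", "critical/high" and "remediated through Git" are defined consistently. The following is an added illustration, not CSA material: it computes the efficacy metric over a constructed set of finding records. The record layout (`closed_via` recording whether the fix landed through a Git merge, `closed` left empty while the finding is active) is an assumption about how a tracker might store this, not a format the control prescribes.

```python
"""Compute the AIS-07 automated-remediation efficacy metric over constructed finding records.

Assumed record layout (not from the CCM): each finding carries a severity, the date it
was opened, the date it was closed (None while still active) and the channel the
remediation arrived through ("git" for a GitOps merge, "manual" otherwise).
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Dict

IN_SCOPE_SEVERITIES = ("critical", "high")


@dataclass(frozen=True)
class Finding:
    finding_id: str
    severity: str                 # "critical", "high", "medium", "low"
    opened: date
    closed: Optional[date]        # None while the finding is still active
    closed_via: Optional[str]     # "git", "manual" or None while open


def active_in_period(f: Finding, start: date, end: date) -> bool:
    """A finding counts as active if it was open on at least one day of [start, end]."""
    return f.opened <= end and (f.closed is None or f.closed >= start)


def remediation_efficacy(findings: List[Finding], start: date, end: date) -> Dict:
    """Return the two AIS-07 example metrics plus the findings still open at period end."""
    in_scope = [
        f for f in findings
        if f.severity in IN_SCOPE_SEVERITIES and active_in_period(f, start, end)
    ]
    # Only closures that happened inside the period, via Git, count as automated remediations.
    via_git = [
        f for f in in_scope
        if f.closed is not None and start <= f.closed <= end and f.closed_via == "git"
    ]
    # Findings still open when the period ends are the ones the escalation path must own.
    still_open = sorted(
        f.finding_id for f in in_scope if f.closed is None or f.closed > end
    )
    total = len(in_scope)
    return {
        "git_remediations": len(via_git),
        "active_critical_high": total,
        "efficacy": (len(via_git) / total) if total else 0.0,
        "open_at_period_end": still_open,
    }


# Constructed sample data for a one-month reporting period.
PERIOD_START = date(2024, 3, 1)
PERIOD_END = date(2024, 3, 31)
SAMPLE_FINDINGS = [
    Finding("F1", "critical", date(2024, 2, 10), date(2024, 3, 5), "git"),     # counted as Git remediation
    Finding("F2", "high", date(2024, 3, 3), date(2024, 3, 20), "manual"),      # active, fixed outside Git
    Finding("F3", "high", date(2024, 3, 15), None, None),                      # active, still open
    Finding("F4", "medium", date(2024, 3, 2), date(2024, 3, 10), "git"),       # out of scope by severity
    Finding("F5", "critical", date(2024, 1, 5), date(2024, 2, 20), "git"),     # closed before the period
    Finding("F6", "high", date(2024, 3, 28), date(2024, 4, 2), "git"),         # active, but closed after period
]


def sample_report() -> Dict:
    return remediation_efficacy(SAMPLE_FINDINGS, PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Note the edge cases the sample exercises: a fix that lands through Git after the period closes (F6) is active for the period but is not counted as a remediation in it, and a finding closed before the period starts (F5) is neither. Reporting the still-open identifiers alongside the ratio gives the escalation path something concrete to act on.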

Auditing Guidance

  1. Examine the policy and procedures for remediating application security vulnerabilities and for automating that remediation.
  2. Evaluate whether roles and responsibilities, including escalation paths for application security incident response and remediation, are defined and effective.
  3. Determine if the organization leverages automation when possible and if this automation increases remediation efficiency.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.