Define and implement a process to remediate application security vulnerabilities, automating remediation when possible.
Application security remediation should adhere to the following guidelines:
- Follow defined remediation processes that are designed, tested, and implemented jointly by the security and application teams.
- Remediate risks as early in the SDLC as possible, such as during the design or development stages.
- Have defined roles and responsibilities, including escalation paths for application security incident response and remediation.
- Follow a risk-based approach to address high-risk incidents that significantly impact application availability, integrity, or confidentiality.
- Leverage automation when possible to increase remediation efficiency and accuracy.
Processes, roles, responsibilities, and documentation established for application security remediation should be reviewed periodically by management.
Example metric, for an organization that remediates application vulnerabilities through GitOps (fixes reach production only as commits or merge requests to the repository, so every remediation is recorded in Git and can be counted):
- Automated remediation efficacy = total number of remediations of active critical/high vulnerabilities performed through Git in the period, divided by the total number of active critical/high vulnerabilities identified in the same period.
When auditing this control:
- Examine the policy and procedures for remediating application security vulnerabilities and for automating remediation.
- Evaluate whether roles and responsibilities, including escalation paths for application security incident response and remediation, are defined and effective.
- Determine whether the organization leverages automation where possible and whether that automation measurably increases remediation efficiency.
[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]
Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.