Consolidation from DSOMM framework

SAMMY UI is optimized for resolutions with a width 1024px and higher.

Consolidation

Maturity Level 1

Maturity Level 2

Maturity Level 3

Maturity Level 4

Maturity Level 5

Simple false positive treatment

T-CO-1-1: Simple false positive treatment

False positives are suppressed so they will not show up on the next tests again. Most security tools have the possibility to suppress false positives. A Vulnerability Management System might be used.

Description

Findings from security tests must be triaged and outcomes persisted/documented to: - Prevent re-analysis of known issues in subsequent test runs - Track accepted risks vs false positives - Enable consistent decision-making across teams At this maturity level, a simple tracking system suffices - tools need only distinguish between "triaged" and "untriaged" findings, without complex categorization. Some tools refer to this as "suppression" of findings. Samples for false positive handling: - OWASP Dependency Check - Kubescape with VEX - OWASP DefectDojo Risk Acceptance and False Positive Handling

Risk:As false positive occur during each test, all vulnerabilities might be ignored. Specially, if tests are automated an run daily.

Treatment of defects with severity high or higher

T-CO-1-2: Treatment of defects with severity high or higher

Vulnerabilities with severity high or higher are added to the quality gate.

Description

Vulnerabilities with severity high or higher are added to the quality gate.

Risk:Vulnerabilities with severity high or higher are not visible.

Simple visualization of defects

T-CO-2-1: Simple visualization of defects

Vulnerabilities are simple visualized.

Description

Vulnerabilities are simple visualized.

Risk:The security level of a component is not visible. Therefore, the motivation to enhance the security is not give.

Fix based on accessibility

T-CO-3-1: Fix based on accessibility

Implement a simple risk-based prioritization framework for vulnerability remediation based on accessibility of the applications.

Description

Implement a simple risk-based prioritization framework for vulnerability remediation based on accessibility of the applications.

Risk:Overwhelming volume of security findings from automated testing tools. This might lead to ignorance of findings.

Integration in development process

T-CO-3-2: Integration in development process

Integration of findings into the development process. E.g. adding findings to the backlog of products teams.

Description

Validating Findings by Security Engineers Pros:

Ensures accuracy and relevance of findings before they reach product teams
Reduces false positives, saving development teams time and effort
Might provides a layer of expertise in assessing the severity and impact of vulnerabilities

Validating Findings by Security Engineers Cons:

Requires a sufficient number of skilled security engineers, which might be challenging for some organizations
May slow down the process if security engineers are overloaded with validation tasks
For Software Composition Analysis findings (known vulnerabilities) I, as a sec. eng., struggle to analysis if it is a false positive/true positive due to a lack of insights in the application Pushing Findings Directly to Product Teams Pros:
Accelerates the process by immediately notifying product teams of potential vulnerabilities
Empowers product teams to take swift action in addressing security issues

Pushing Findings Directly to Product Teams Cons:

Increases the workload on product teams, potentially leading to frustration

Risk: Not integrating vulnerability handling into the development process may result in product teams ignoring findings.

Integration of vulnerability issues into the development process

T-CO-3-3: Integration of vulnerability issues into the development process

Vulnerabilities are tracked in the teams issue system (e.g. jira).

Description

Vulnerabilities are tracked in the teams issue system (e.g. jira).

Risk:To read console output of the build server to search for vulnerabilities might be difficult. Also, to check a vulnerability management system might not be a daily task for a developer.

Treatment of defects per protection requirement

T-CO-3-4: Treatment of defects per protection requirement

Defining the protection requirement and the corresponding handling of vulnerabilities per severity for components like applications are aligned to SLAs. This is performed for the hole organization and doesn't need to be broken down (yet) on team/product/application. At least quarterly.

Description

The protection requirements for an application should consider:

Data criticality
Application accessibility (internal vs. external)
Regulatory compliance
Other relevant factors

Risk: Not defining the protection requirement of applications can lead to wrong prioritization, delayed remediation of critical security issues, increasing the risk of exploitation and potential damage to the organization.

Treatment of defects with severity middle

T-CO-3-5: Treatment of defects with severity middle

Vulnerabilities with severity middle are added to the quality gate.

Description

Vulnerabilities with severity middle are added to the quality gate.

Risk:Vulnerabilities with severity middle are not visible.

Usage of a vulnerability management system

T-CO-3-6: Usage of a vulnerability management system

Aggregation of vulnerabilities in one tool reduce the workload to mark false positives.

Description

For known vulnerabilities a processes to estimate the exploit ability of a vulnerability is recommended. To implement a security culture including training, office hours and security champions can help integrating security scanning at scale. Such activities help to understand why a vulnerability is potentially critical and needs handling.

Risk: Maintenance of false positives in each tool enforces a high workload. In addition a correlation of the same finding from different tools is not possible.

Advanced visualization of defects

T-CO-4-1: Advanced visualization of defects

Findings are visualized per component/project/team.

Description

Findings are visualized per component/project/team.

Risk:Correlation of the vulnerabilities of different tools to have an overview of the the overall security level per component/project/team is not given.

Reproducible defect tickets

T-CO-4-2: Reproducible defect tickets

Vulnerabilities include the test procedure to give the staff from operations and development the ability to reproduce vulnerabilities. This enhances the understanding of vulnerabilities and therefore the fix have a higher quality.

Description

Vulnerabilities include the test procedure to give the staff from operations and development the ability to reproduce vulnerabilities. This enhances the understanding of vulnerabilities and therefore the fix have a higher quality.

Risk:Vulnerability descriptions are hard to understand by staff from operations and development.

Treatment of all defects

T-CO-5-1: Treatment of all defects

All vulnerabilities are added to the quality gate.

Description

All vulnerabilities are added to the quality gate.

Risk:Vulnerabilities with severity low are not visible.