OpenChain-Project / Security-Assurance-Specification


[Improvement] ZA/NM05 - Proposed rewording for 3.1.5 #18

Closed shanecoughlan closed 5 months ago

shanecoughlan commented 1 year ago

Proposal: The paragraph is over-worded, consider the proposed rephrasing.

The Organization demonstrates sound procedures for handling Known Vulnerabilities and for ensuring Secure Software Development by defining and implementing robust methods for:

Previous version:

The Program demonstrates a sound and robust handling procedures of Known Vulnerabilities and Secure Software Development by defining and implementing following procedures:

Dr-wood commented 6 months ago

Question: Is it OK to ignore Secure Software Development processes which, if lacking, would also create vulnerabilities? Scanning tools, such as those employed by many scanners, do not evaluate these deficiencies.

shanecoughlan commented 6 months ago

Revising comment: good issue to discuss today. Looking forward.

shanecoughlan commented 6 months ago

Question: Is it OK to ignore Secure Software Development processes which, if lacking, would also create vulnerabilities? Scanning tools, such as those employed by many scanners, do not evaluate these deficiencies.

I am not sure if the proposed rewording would ignore the development process compared to the prior. Perhaps it is just my read, but the points appear to be reworded without losing the action item for each? Needs review and discussion.

== Existing ==

The Program demonstrates a sound and robust handling procedures of Known Vulnerabilities and Secure Software Development by defining and implementing following procedures:

Method to identify structural and technical threats to the Supplied Software is defined;
Method for detecting existence of Known Vulnerabilities in Supplied Software;
Method for following up on identified Known Vulnerabilities;
Method to communicate identified Known Vulnerabilities to customer base when warranted;
Method for analyzing Supplied Software for newly published Known Vulnerabilities post release of the Supplied Software;
Method for continuous and repeated Security Testing is applied for all Supplied Software before release;
Method to verify that identified risks will have been addressed before release of Supplied Software;
Method to export information about identified risks to third parties as appropriate.

= Proposed New =

The Organization demonstrates sound procedures for handling Known Vulnerabilities and for ensuring Secure Software Development by defining and implementing robust methods for:

The identification of structural and technical threats to the Supplied Software.
The detection of the existence of Known Vulnerabilities in the Supplied Software.
Monitoring the identified Known Vulnerabilities.
Communicating the identified Known Vulnerabilities to customer base when warranted.
Analyzing the Supplied Software for newly published Known Vulnerabilities post-release.
Conducting continuous and repeated Security Testing for all Supplied Software before release.
Verifying that the identified risks have been addressed before release of Supplied Software.
Certifying that exported information about the identified risks to the third parties is appropriate.

Dr-wood commented 6 months ago

Shane, I agree.

Chris

On Mar 18, 2024, at 5:41 PM, Shane Coughlan wrote: Suggest we return to this for the next North America / Europe call, picking up the thread with the same participants online.

Dr-wood commented 6 months ago

For the following section I am concerned that there is no mention of the structural threats to the software that are a result of poor programming technique caused by not employing Secure Programming techniques at some level (these structural issues are not evident by scanning only for known vulnerabilities and cannot be found by simply scanning for known vulnerabilities).

3.1.5 - Standard Practice Implementation

The Program demonstrates a sound and robust handling procedures of Known Vulnerabilities and Secure Software Development by defining and implementing following procedures:

shanecoughlan commented 5 months ago

The Organization demonstrates sound procedures for handling Known Vulnerabilities and for ensuring Secure Software Development by defining and implementing robust methods for:

Identifying structural and technical threats to the Supplied Software;
Detecting the existence of Known Vulnerabilities in the Supplied Software;
Monitoring the identified Known Vulnerabilities;
Communicating the identified Known Vulnerabilities to customer base when warranted;
Analyzing the Supplied Software for newly published Known Vulnerabilities post-release;
Conducting continuous and repeated Security Testing for all Supplied Software before release;
Verifying that the identified risks have been addressed before release of Supplied Software;
Certifying that exported information about the identified risks to the third parties is appropriate.

[Expand definitions section for (1) Secure Software Development to include Secure Programming Techniques and (2) Security Testing to include Static and Dynamic]