OpenChain-Project / Security-Assurance-Specification


[Improvement] CERT #2 - Please add definitions for “remediate” and “mitigate” #22

Closed shanecoughlan closed 1 year ago

shanecoughlan commented 1 year ago

This originates in https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/6

Many products contain known vulnerabilities. The important factor is: Has the vulnerability been mitigated or remediated?

Please add definitions for “remediate” and “mitigate”.

2.6 Remediate

Remediation occurs when the vulnerability is eliminated or removed.

2.7 Mitigate

Mitigation occurs when the impact of the vulnerability is decreased without reducing or eliminating the vulnerability.

Renumber the remaining definitions.

shanecoughlan commented 1 year ago

@stephenkilbaneadi: CERT-02: Seems like good additions.

@jthDEV: CERT-02: I like the definitions of remediate and mitigate. But we do not make use of them in the document. So I am not sure whether it is of benefit adding them. Only in 3.2.2 https://github.com/OpenChain-Project/Security-Assurance-Specification/issues/4 does the word "remediate" appear. Maybe we should not dive into that?

shanecoughlan commented 1 year ago

The discussion led to consensus that the definitions would be useful to add, with the proviso that the current spec mentions remediation but not mitigation, so the spec would need to cite mitigation as well for the definition to make sense. This means our next step (beyond adding the two suggested definitions) is to adjust this section with a citation of mitigation:

3.3.2 - Security Assurance

- For each Open Source Software component in the bill of materials for the Supplied Software release under review;
- Apply method for detecting existence of Known Vulnerabilities;
- For each identified Known Vulnerability assign a risk/impact score;
- For each detection and assigned score determine and document necessary remediation steps suitable for the use-case of the software and get Customer Agreement at or above a previously determined level (i.e., all severity scores above 4.5 …);
- Depending on the risk/impact score take the appropriate action (e.g., contact customers if necessary, upgrade software component, no further action, …);
- If a Newly Discovered Vulnerability is present in previously distributed Supplied Software, depending on the risk/impact score take the appropriate action (e.g., contact customers if warranted);
- An ability to monitor Supplied Software after their release to market and to respond to Known Vulnerability or Newly Discovered Vulnerability disclosures.

https://github.com/OpenChain-Project/Security-Assurance-Specification/blob/main/Security-Assurance-Specification/1.1/en/openchain-security-specification-1.1.md

Flagging for @heliocastro

shanecoughlan commented 1 year ago

We discussed the proposed definitions of remediation and mitigation, and formulated new language to more completely describe the actions undertaken in each situation. The draft language is below. This language is provided for review until our North America / Europe call in March, and will be closed then.

2.7 Remediate

Remediation is when a vulnerability is eliminated or removed. It involves identifying where in the code the vulnerability stems from; that code has then been patched or rewritten to avoid the identified issue. In this situation, the vulnerability is removed.

2.8 Mitigate

Mitigation is when the impact of the vulnerability is decreased without eliminating a vulnerability. For example, it can involve working around or avoiding the functionality that contains the vulnerability. Another example is that it can also involve isolating or preventing access to the vulnerability to prevent exploitation. In this situation, the vulnerability continues to exist, but is contained.

shanecoughlan commented 1 year ago

This issue is being closed as complete (for now). You can reopen it at any time to add new comments, ideas or concerns.