Action
Remediation and mitigation were added to Section 3.1.5 - Standard Practice Implementation.
Old Language
3.1.5 - Standard Practice Implementation
The Program demonstrates a sound and robust handling procedures of Known Vulnerabilities and Secure Software Development by defining and implementing following procedures:
Method to identify structural and technical threats to the Supplied Software is defined;
Method for detecting existence of Known Vulnerabilities in Supplied Software;
Method for following up on identified Known Vulnerabilities;
Method to communicate identified Known Vulnerabilities to customer base when warranted;
Method for analyzing Supplied Software for newly published Known Vulnerabilities post release of the Supplied Software;
Method for continuous and repeated Security Testing is applied for all Supplied Software before release;
Method to verify that identified risks will have been addressed before release of Supplied Software;
Method to export information about identified risks to third parties as appropriate.
A process shall exist for the Security Assurance methods listed above.
New Language
3.1.5 - Standard Practice Implementation
The Program demonstrates a sound and robust handling procedures of Known Vulnerabilities and Secure Software Development by defining and implementing following procedures:
Method to identify structural and technical threats to the Supplied Software is defined;
Method for detecting existence of Known Vulnerabilities in Supplied Software;
Method for following up on identified Known Vulnerabilities;
Method to communicate identified Known Vulnerabilities to customer base when warranted;
Method for analyzing Supplied Software for newly published Known Vulnerabilities post release of the Supplied Software;
Method for continuous and repeated Security Testing is applied for all Supplied Software before release;
Method to verify that identified risks will have been remediated or mitigated before release of Supplied Software;
Method to export information about identified risks to third parties as appropriate.
A process shall exist for the Security Assurance methods listed above.
Rationale
We previously said "identified risks will have been addressed" but did not define how. Especially because of the citation of "remediation" in Section 3.3.2 - Security Assurance, it made sense to clarify more specifically what "been addressed" means.