[Improvement] Include "mitigation" in Section 3.3.2 - Security Assurance

[shanecoughlan]

Action

Mitigation was added to Section 3.3.2 - Security Assurance to ensure completeness, as remediation was mentioned in this section previously.

Old Language

3.3.2 - Security Assurance

• For each Open Source Software component in the bill of materials for the Supplied Software release under review;
• Apply method for detecting existence of Known Vulnerabilities;
• For each identified Known Vulnerability assign a risk/impact score;
• For each detection and assigned score determine and document necessary remediation steps suitable for the use-case of the software and get Customer Agreement at or above a previously determined level (i.e., all severity scores above 4.5 …);
• Depending on the risk/impact score take the appropriate action (e.g., contact customers if necessary, upgrade software component, no further action, …);
• If a Newly Discovered Vulnerability is present in previously distributed Supplied Software, depending on the risk/impact score take the appropriate action (e.g., contact customers if warranted);
• An ability to monitor Supplied Software after their release to market and to respond to Known Vulnerability or Newly Discovered Vulnerability disclosures.

New Language

3.3.2 - Security Assurance

• For each Open Source Software component in the bill of materials for the Supplied Software release under review;
• Apply method for detecting existence of Known Vulnerabilities;
• For each identified Known Vulnerability assign a risk/impact score;
• For each detection and assigned score determine and document necessary remediation or mitigation steps suitable for the use-case of the software and get Customer Agreement at or above a previously determined level (i.e., all severity scores above 4.5 …);
• Depending on the risk/impact score take the appropriate action (e.g., contact customers if necessary, upgrade software component, no further action, …);
• If a Newly Discovered Vulnerability is present in previously distributed Supplied Software, depending on the risk/impact score take the appropriate action (e.g., contact customers if warranted);
• An ability to monitor Supplied Software after their release to market and to respond to Known Vulnerability or Newly Discovered Vulnerability disclosures.

Rationale

We previously talked said "document necessary remediation steps suitable for the use-case of the software" but did not talk about the alternative action of mitigation. To ensure completeness, this was added.

[shanecoughlan]

This issue is being closed as complete (for now). You can reopen it at any time to add new comments, ideas or concerns.