RV.1: Identify and Confirm Vulnerabilities on an Ongoing Basis

Help ensure that vulnerabilities are identified more quickly so that they can be remediated more quickly in accordance with risk, reducing the window of opportunity for attackers.

RV.1.1

Gather information from software acquirers, users, and public sources on potential vulnerabilities in the software and third-party components that the software uses, and investigate all credible reports.

Implementation Examples

• Example 1: Monitor vulnerability databases , security mailing lists, and other sources of vulnerability reports through manual or automated means.
• Example 2: Use threat intelligence sources to better understand how vulnerabilities in general are being exploited.
• Example 3: Automatically review provenance and software composition data for all software components to identify any new vulnerabilities they have.

References

• BSAFSS: VM.1-3, VM.3
• BSIMM: AM1.5, CMVM1.2, CMVM2.1, CMVM3.4, CMVM3.7
• CNCFSSCP: Securing Materials—Verification
• EO14028: 4e(iv), 4e(vi), 4e(viii), 4e(ix)
• IEC62443: DM-1, DM-2, DM-3
• ISO29147: 6.2.1, 6.2.2, 6.2.4, 6.3, 6.5
• ISO30111: 7.1.3
• OWASPSAMM: IM1-A, IM2-B, EH1-B
• OWASPSCVS: 4
• PCISSLC: 3.4, 4.1, 9.1
• SCAGILE: Operational Security Task 5
• SCFPSSD: Vulnerability Response and Disclosure
• SCTPC: MONITOR1
• SP80053: SA-10, SR-3, SR-4
• SP800161: SA-10, SR-3, SR-4
• SP800181: K0009, K0038, K0040, K0070, K0161, K0362; S0078

RV.1.2

Review, analyze, and/or test the software’s code to identify or confirm the presence of previously undetected vulnerabilities.

Implementation Examples

• Example 1: Configure the toolchain to perform automated code analysis and testing on a regular or continuous basis for all supported releases.
• Example 2: See PW.7 and PW.8.

References

• BSAFSS: VM.1-2, VM.2-1
• BSIMM: CMVM3.1
• EO14028: 4e(iv), 4e(vi), 4e(viii), 4e(ix)
• IEC62443: SI-1, SVV-2, SVV-3, SVV-4, DM-1, DM-2
• ISO27034: 7.3.6
• ISO29147: 6.4
• ISO30111: 7.1.4
• PCISSLC: 3.4, 4.1
• SCAGILE: Operational Security Tasks 10, 11
• SP80053: SA-11
• SP800161: SA-11
• SP800181: SP-DEV-002; K0009, K0039, K0153

RV.1.3

Have a policy that addresses vulnerability disclosure and remediation, and implement the roles, responsibilities, and processes needed to support that policy.

Implementation Examples

• Example 1: Establish a vulnerability disclosure program, and make it easy for security researchers to learn about your program and report possible vulnerabilities.
• Example 2: Have a Product Security Incident Response Team (PSIRT) and processes in place to handle the responses to vulnerability reports and incidents, including communications plans for all stakeholders.
• Example 3: Have a security response playbook to handle a generic reported vulnerability, a report of zero-days, a vulnerability being exploited in the wild, and a major ongoing incident involving multiple parties and open-source software components.
• Example 4: Periodically conduct exercises of the product security incident response processes.

References

• BSAFSS: VM.1-1, VM.2
• BSIMM: CMVM1.1, CMVM2.1, CMVM3.3, CMVM3.7
• EO14028: 4e(viii), 4e(ix)
• IEC62443: DM-1, DM-2, DM-3, DM-4, DM-5
• ISO29147: All
• ISO30111: All
• MSSDL: 12
• NISTLABEL: 2.2.2.3
• OWASPMASVS: 1.11
• OWASPSAMM: IM1-A, IM1-B, IM2-A, IM2-B
• PCISSLC: 9.2, 9.3
• SCFPSSD: Vulnerability Response and Disclosure
• SP80053: SA-15(10)
• SP800160: 3.3.8
• SP800161: SA-15(10)
• SP800181: K0041, K0042, K0151, K0292, K0317; S0054; A0025
• SP800216: All