The application development team must provide an application incident response plan.

From Application Security and Development Security Technical Implementation Guide

Part of ASDV-PL-003236

Associated with: CCI-003289

SV-85015r1_rule The application development team must provide an application incident response plan.

Vulnerability discussion

An application incident response process is managed by the development team and should include a method for individuals to submit potential security vulnerabilities to the development or maintenance team. The plan should dictate what is to be done with the reported vulnerabilities. Reported vulnerabilities must be tracked throughout the process to ensure they are triaged, corrected, and tested. The corresponding update is released to the user community and the user community is notified of the availability of the application update.Without an established application incident management plan and process, discovered issues and vulnerabilities will go unreported. Vulnerabilities will not be triaged and managed, and there may be delays in corrective actions.Information on how to submit bug and vulnerability reports must also be included in the application design document or configuration guide.This requirement is meant to be applied when reviewing an application with the development team.

Check content

If the application is a COTS application and the development team is not accessible to interview this requirement is not applicable. Interview the application development team members. Request and review the application incident response plan. Ensure the plan includes an implemented process that: - Tracks reported vulnerabilities and bugs - Confirms reported vulnerabilities and bugs - Tracks remediation effort - Notifies application users of available updates that address the reported issues. If the application incident response plan does not exist and at a minimum does not implement the aforementioned processes, this is a finding.

Fix text

The development team creates an application incident response plan documenting and establishing a process that at a minimum: - Tracks reported vulnerabilities and bugs - Confirms reported vulnerabilities and bugs - Tracks remediation effort - Notifies application users of available updates that address the reported issues.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer