16.6: Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually.
| Asset Type | Security Function | Implementation Groups |
|---|---|---|
| Applications | Protect | 2, 3 |
Dependencies
Safeguard 16.2: Establish and Maintain a Process to Accept and Address Software Vulnerabilities
Inputs
1. GV48: Process to Accept and Address Software Vulnerabilities
2. Date of last update or review of the severity rating system and process
Operations
1. Using Input 1 (GV48), determine whether the enterprise has a severity rating system and process for application vulnerabilities. If the system and process exist, M1 = 1. If the system and process do not exist, M1 = 0.
2. Review Input 1 (GV48) and determine whether it includes, at a minimum, the following components: guidance for prioritizing the order in which vulnerabilities are fixed, and a minimum level of security acceptability for releasing code or applications. For each component included in the process, assign a value of 1. Sum all values (M2).
3. Compare Input 2 to the current date and capture the timeframe in months (M3).
Measures
M1 = Output of Operation 1
M2 = Count of components included in the process
M3 = Timeframe in months since last review or update
Metrics
If M1 is 0, this safeguard receives a failing score. The other metrics don’t apply.
If M3 is greater than twelve months, then this safeguard is measured at a 0 and receives a failing score. The other metrics don’t apply.
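The three operations and the two failing conditions above, written out as a small scoring routine. This is an added example, not CIS's own tooling: the component names `prioritization_guidance` and `release_acceptability_threshold` are assumed labels for the two required components, the process is modelled as a dictionary of component name to present/absent, and the "current date" is passed in explicitly so the result is reproducible. The page defines no numeric score derived from M2, so the routine only reports M2 alongside the pass/fail outcome the Metrics section does define.

```python
from datetime import date

# Assumed labels for the two components Operation 2 requires at a minimum.
REQUIRED_COMPONENTS = (
    "prioritization_guidance",          # order in which vulnerabilities are fixed
    "release_acceptability_threshold",  # minimum security level for releasing code
)


def months_between(earlier, later):
    """Whole months elapsed from `earlier` to `later` (Operation 3, M3)."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:  # a partial month does not count
        months -= 1
    return max(months, 0)


def measure_16_6(process, last_review, today):
    """Evaluate Safeguard 16.6.

    process     : None when no severity rating system/process exists (Input 1),
                  otherwise a dict mapping component name -> bool.
    last_review : date of last update or review of the process (Input 2), or None.
    today       : the date to compare Input 2 against.
    Returns a dict with M1, M2, M3 and the pass/fail result from the Metrics section.
    """
    # Operation 1: does the system and process exist at all?
    m1 = 1 if process is not None else 0

    # Operation 2: count the required components present in the process.
    m2 = sum(1 for c in REQUIRED_COMPONENTS if process and process.get(c, False))

    # Operation 3: months since the last review, if a review date is known.
    m3 = months_between(last_review, today) if last_review is not None else None

    # Metrics: missing process fails; a review older than twelve months fails.
    failing = (m1 == 0) or (m3 is None) or (m3 > 12)
    return {"M1": m1, "M2": m2, "M3": m3, "passes": not failing}


if __name__ == "__main__":
    # Constructed sample: both components present, reviewed six months ago.
    sample = {"prioritization_guidance": True, "release_acceptability_threshold": True}
    print(measure_16_6(sample, date(2024, 3, 1), today=date(2024, 9, 15)))
```

The review-age check is deliberately evaluated even when the process is complete: an unreviewed process older than a year fails this safeguard regardless of M2, which mirrors the annual review requirement in the safeguard text.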