Rule ID
SV-222657r961863_rule
Version
V6R4
CCIs
An application incident response process is managed by the development team and should include a method for individuals to submit potential security vulnerabilities to the development or maintenance team. The plan should dictate what is to be done with the reported vulnerabilities. Reported vulnerabilities must be tracked throughout the process to ensure they are triaged, corrected, and tested. The corresponding update is released to the user community and the user community is notified of the availability of the application update. Without an established application incident management plan and process, discovered issues and vulnerabilities will go unreported. Vulnerabilities will not be triaged and managed, and there may be delays in corrective actions. Information on how to submit bug and vulnerability reports must also be included in the application design document or configuration guide. This requirement is meant to be applied when reviewing an application with the development team.
If the application is a COTS application and the development team is not accessible to interview this requirement is not applicable. Interview the application development team members. Request and review the application incident response plan. Ensure the plan includes an implemented process that: - Tracks reported vulnerabilities and bugs - Confirms reported vulnerabilities and bugs - Tracks remediation effort - Notifies application users of available updates that address the reported issues. If the application incident response plan does not exist and at a minimum does not implement the aforementioned processes, this is a finding.
The development team creates an application incident response plan documenting and establishing a process that at a minimum: - Tracks reported vulnerabilities and bugs - Confirms reported vulnerabilities and bugs - Tracks remediation effort - Notifies application users of available updates that address the reported issues.