Application Security: Remediation Workflow Automation

In their third whitepaper, “Remediation Workflow Automation,” members of the National Defense Information Sharing and Analysis Center (ND-ISAC) present a multi-stage process intended to enforce comprehensive remediation of findings identified in a highly automated Software Development Lifecycle (SDLC).

While a remediation workflow is not specific to application security or software automation efforts, the introduction of automated security tools into the SDLC can generate hundreds or thousands of findings. A defined remediation process is vital to protect development organizations from being drowned in that deluge – by triaging incoming findings and filtering them through a prioritization framework, the security organization can help development teams focus their efforts on the most valuable findings while incorporating less significant findings into their backlog. This work helps their partners trust that the security team raising vulnerabilities is not simply crying wolf, and that urgent items truly must be addressed.

Similarly, the remediation efforts of the development teams can help the security organization clarify the source of findings and provide better guidance, training, and requirements to avoid the findings being repeated in the future.

To assist organizations in developing their own remediation workflows, this paper offers a three-stage process focused on the three main stages of the finding lifecycle:

  • Intake / Identification / Ingestion
  • Triage / Prioritization / Remediation
  • Root Cause Analysis / Future Prevention

This process is intended to streamline the remediation effort to better suit an automation-heavy SDLC, improving workflow efficiency while attempting to minimize unnecessary rework. The working group has also included a sample prioritization framework to build on, to assist teams that are starting from scratch.

This white paper is targeted towards security engineers and their management responsible for process implementation. The ND-ISAC Application Security Working Group encourages feedback on the proposed remediation workflow process.

ND-ISAC members can participate in an upcoming webinar on 26 May where the authors will discuss the white paper.

Download the White Paper here: