VULNERABILITY MANAGEMENT LIFECYCLE

Scan -> Prioritize -> Report -> Remediate -> Validate

Scan: get info.
Prioritize: default severity (CVSS) vs real severity (internal classification).
Report: report and escalate to the appropriate team for fixes.
Remediate:
- Fixable? Fix it!
- Not fixable? Manage the risk: mitigate, accept, transfer, or de-promote the asset.
Validate:
- Validate fixes
- Formalize risk management decisions
- Learn & improve
PROCESS CHALLENGES

Multiple VA tools:
- Multiple origins
- Multiple formats
- Asynchronous runs

False positives (a finding is only real when all three hold):
- The vulnerability must exist
- Exploitation must be feasible
- No compensatory controls are in place

Prioritization / weighting. Possible criteria:
- Exploit available
- Published (exposed) service
- Internal asset classification

Just-in-time remediation:
- The issue must be fixed before the SLA expires or the asset version changes

Tracking:
- All vulns, actions and comments must be logged and be traceable
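The prioritize step of the lifecycle and the "multiple tools / multiple formats" and "prioritization" challenges above can be shown end to end in a small triage script. The following is an added example, not code from the original slides: it merges constructed output from two hypothetical scanners with different record formats, deduplicates on (asset, CVE), derives the real (internal) severity from the CVSS band plus the slide's criteria (exploit available, published service, internal asset classification, compensatory control), and computes the SLA deadline so overdue items surface first. The asset inventory, exploit list, compensating-control list, SLA table and CVE ids are all constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample output from two hypothetical scanners with different formats.
SCANNER_A = [  # "tool A": flat records keyed by 'host'
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8, "found": "2024-01-10"},
    {"host": "db-01", "cve": "CVE-0000-0002", "cvss": 5.3, "found": "2024-01-12"},
]
SCANNER_B = {  # "tool B": findings nested under the asset name
    "web-01": [{"id": "CVE-0000-0001", "score": 9.8, "date": "2024-01-11"},
               {"id": "CVE-0000-0003", "score": 7.5, "date": "2024-01-11"}],
}

# Constructed context (assumed to come from a CMDB / threat-intel feed).
ASSETS = {"web-01": {"classification": "critical", "public": True},
          "db-01": {"classification": "high", "public": False}}
EXPLOIT_AVAILABLE = {"CVE-0000-0001"}
COMPENSATING_CONTROL = {("db-01", "CVE-0000-0002")}  # e.g. segmentation in front of db-01
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed policy
BANDS = ["low", "medium", "high", "critical"]


@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    first_seen: date
    sources: set = field(default_factory=set)


def normalize(a_records, b_records):
    """Merge both scanner formats into one list, deduplicating on (asset, CVE)."""
    merged = {}

    def add(asset, cve, cvss, seen, src):
        f = merged.get((asset, cve))
        if f is None:
            merged[(asset, cve)] = Finding(asset, cve, cvss, seen, {src})
        else:  # same vuln reported twice: keep the worst score and earliest sighting
            f.cvss = max(f.cvss, cvss)
            f.first_seen = min(f.first_seen, seen)
            f.sources.add(src)

    for r in a_records:
        add(r["host"], r["cve"], r["cvss"], date.fromisoformat(r["found"]), "A")
    for asset, items in b_records.items():
        for r in items:
            add(asset, r["id"], r["score"], date.fromisoformat(r["date"]), "B")
    return list(merged.values())


def cvss_band(score):
    """Default severity: the CVSS v3 qualitative band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def real_severity(f):
    """Internal classification: CVSS band shifted by the prioritization criteria."""
    level = BANDS.index(cvss_band(f.cvss))
    asset = ASSETS.get(f.asset, {"classification": "medium", "public": False})
    if f.cve in EXPLOIT_AVAILABLE:
        level += 1          # exploit available
    if asset["public"]:
        level += 1          # published / exposed service
    if asset["classification"] == "critical":
        level += 1          # internal asset classification
    if (f.asset, f.cve) in COMPENSATING_CONTROL:
        level -= 1          # compensatory control lowers the real severity
    return BANDS[max(0, min(level, len(BANDS) - 1))]


def triage(findings, today):
    """Attach real severity and SLA deadline; worst and most overdue first."""
    rows = []
    for f in findings:
        sev = real_severity(f)
        deadline = f.first_seen + timedelta(days=SLA_DAYS[sev])
        rows.append({"asset": f.asset, "cve": f.cve, "cvss": cvss_band(f.cvss),
                     "real": sev, "deadline": deadline, "overdue": today > deadline,
                     "sources": sorted(f.sources)})
    rows.sort(key=lambda r: (-BANDS.index(r["real"]), r["deadline"]))
    return rows


def run_example(today_iso="2024-02-01"):
    return triage(normalize(SCANNER_A, SCANNER_B), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

Two things the script makes visible that the slide only states: the same CVE seen by both tools collapses into one tracked item carrying both sources, and a medium-CVSS finding behind a compensating control drops to "low" while a high-CVSS finding on a public, critical asset rises to "critical" and is already past its SLA.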
PIPELINE (CLOUD NATIVE APPROACH)

Components: AWS CodeCommit, AWS CodePipeline, AppSec tools, vulnerability tracking, issue tracking, remediation, with continuous feedback between them.