RV.3: Analyze Vulnerabilities to Identify Their Root Causes

Help reduce the frequency of vulnerabilities in the future.

RV.3.1

Analyze identified vulnerabilities to determine their root causes.

Implementation Examples
  • Example 1: Record the root cause of discovered issues.
  • Example 2: Record lessons learned through root cause analysis in a wiki that developers can access and search.
References

RV.3.2

Analyze the root causes over time to identify patterns, such as a particular secure coding practice not being followed consistently.

Implementation Examples
  • Example 1: Record lessons learned through root cause analysis in a wiki that developers can access and search.
  • Example 2: Add mechanisms to the toolchain to automatically detect future instances of the root cause.
  • Example 3: Update manual processes to detect future instances of the root cause.
References

RV.3.3

Review software for similar vulnerabilities to eradicate a class of vulnerabilities and proactively remediate them rather than waiting for external reports.

Implementation Examples
  • Example 1: See PW.7 and PW.8.
References

RV.3.4

Review the SDLC process, and update it if appropriate to prevent (or reduce the likelihood of) the root cause recurring in updates to the software or in new software that is created.

Implementation Examples
  • Example 1: Record lessons learned through root cause analysis in a wiki that developers can access and search.
  • Example 2: Plan and implement changes to the appropriate SDLC practices.
References