Topics
Document Scope
The current document describes the functional requirements related to the implementation of a new application module for the existing CODA Footprint software.
The new module adds remediation workflow features and will have the following technical specifications.
Presentation
This functionality provides a way of tracking any given Active Remediation, CVE (Common Vulnerability and Exposure), or Attack Avenue from detection to Closure.
Any finding will have one of several states assigned; the only states accepted as “Closed” are “False Positive”, “Fix Confirmed” or “Accept Risk”.
Any other state must be temporary and have a deadline/expiration timer assigned. Such states are: “Accepted Risk” or “Fix Pending Confirmation”.
Any other finding will be “Active” until addressed, or “Reopen” if its TTL has expired (accept risk workflow) or if it was marked as fixed and the next scan finds it still present.
A brief presentation about states
| Active States | Explanation |
|---|---|
| Active | The findings that are present at the initial scan |
| Accepted Risk | User changed the state to accepted risk until a deadline |
| Fix Pending Confirmation | The finding was fixed and we wait for the Scanner to rescan |
| Reopened | |

| Closure States | Explanation |
|---|---|
| False Positive | User decided this is a false positive |
| Fix Confirmed | Confirmed by the Scanner - this state can appear after any Active state |
| Decommissioned | The assets were no longer available |
The remediations are automatically generated by the platform, using specific rules that can be altered by the application admin, in the form of an atomic action (for example ‘Install KB111223’ or ‘update Apache httpd to the latest version’).
Each remediation or subset of affected “host”, individual or grouped “CVE” or “finding” can be added to a workflow for the purpose of tracking, approving, and closing the remediation flow.
The approval process is to be provisioned in such a way that the business owner, information security officer, and technical owner of the system are involved, have visibility, and can approve or refuse the proposed action.
Workflow / Workflow diagram
Remediation Flows start from the “reports” left side tab -> “Remediation” menu -> “Remediation Report” sub-menu.
The available options are to select either an atomic remediation, a group of atomic remediations or a device (host).
Once a scope is selected, it can be added to the action plan using the “Add Selection to Action Plan” button, from where a new entry can be created or an existing one can be modified.
The available options are either to create a new Action Plan entry or to add to an already existing Action Plan entry.
Diagram
Tabs Meaning / Action States
Planning
This page contains draft Action Plan entries, which can be edited, deleted, or moved to the Execution state
Available Actions:
Move to Execution
Delete
Download XLSX
Attention: In order to be able to change states (for example from “Planning” to “Execution” and so on), the Action Plan entry must have an Owner User assigned to it.
Reopen
This page contains Action Plan entries which have been reopened when:
their Accept Risk Deadline expired (TTL expired) or
they have been rediscovered while in Closed | Fix Confirmed state (being active at the next scan)
Available Actions:
Move to Execution
Download XLSX
Attention: The Reopen state is used only for the two cases that were described above.
Execution
This page contains Action Plan entries which have been moved to Execution from Planning state
Available actions:
per atomic solution:
Mark as False Positive
Accept Risk
Mark as Treated
Move to Planning
per group of atomic solutions with selector:
Mark as Treated
Move to Planning
Action:
Move to Planning
Download XLSX
Event-based of action:
Mark as Treated -> Action Plan entry goes to “Fix Pending Confirmation” tab
Event-based of action:
Mark as False Positive -> Action Plan entry goes to “Approval” tab. Set state to “False Positive Approval” + data needed to be provided by the user:
Reason
Approval documents (Multiple Document Upload) – not mandatory
Event-based of action:
Accept Risk -> Action Plan entry goes to the “Approval” tab. Set state to “Accept Risk Approval” + data needed to be provided by the user (as mandatory fields):
Reason
Mitigation options:
Create a new mitigation option or
Select an already created mitigation from Risk Mitigation Catalogue
Approval documents (Multiple Document Upload) – not mandatory
Accept Risk Deadline (temporary deadline)
Action Plan entries automatically go to Closed Fixed when all atomic solutions are Fix Confirmed
Approval
This page contains Action Plan entries marked as Accept Risk or False Positive which need approval in order to be closed
Action:
Download XLSX
Event-based of action:
[False Positive Approval]
Approve -> Action Plan entry goes to “Closed” tab with closed state of “False positive”.
You can provide approval documents (Multiple Document Upload) – not mandatory
Reject -> Action Plan entry goes to the “Planning” tab
Event-based of action:
[Accept Risk Approval]
Approve -> Action Plan entry goes to the “Closed” tab with the closed state of “Accepted Risk”.
You can edit the previous settings already set in the “Execution” tab or you can provide approval documents (Multiple Document Upload) – not mandatory
Reject -> Action Plan entry goes to the “Planning” tab
Fix Pending Confirmation
This page contains Action Plan entries that have been marked as Treated from the Execution state
Action:
Move to Planning
Download XLSX
Waiting for the next rescan in order to set the state to “Closed” or “Execution”
Automatically changes to “Closed (Fixed)” when all atomic solutions are “Fix Confirmed”
Automatically changes to “Execution” when at least one atomic solution is “Active”
Closed
This page contains Action Plan entries which have been closed from Approval or Fix Pending Confirmation states
Attention: When the Accepted Risk Deadline set for this Action Plan entry expires, if the vulnerability is still present, the Action Plan entry state will move to the “Reopen” state.
My workflow
This page contains all Action Plan entries where you are the Owner User
Actions Report
This page contains all Action Plan entries regardless of the state
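The tab transitions described above can be written down as a single table and checked mechanically, for example when auditing an export of Action Plan history. The following Python model is an added illustration, not CODA Footprint code: the dictionary layout, the function names, the "Closed: ..." state labels, treating Reason as required for False Positive, and evaluating the Accept Risk Deadline at rescan time are all assumptions made for the example.

```python
from datetime import date

# (current state, user action) -> next state, transcribed from the tab descriptions.
TRANSITIONS = {
    ("Planning", "Move to Execution"): "Execution",
    ("Reopen", "Move to Execution"): "Execution",
    ("Execution", "Move to Planning"): "Planning",
    ("Execution", "Mark as Treated"): "Fix Pending Confirmation",
    ("Execution", "Mark as False Positive"): "False Positive Approval",
    ("Execution", "Accept Risk"): "Accept Risk Approval",
    ("False Positive Approval", "Approve"): "Closed: False Positive",
    ("False Positive Approval", "Reject"): "Planning",
    ("Accept Risk Approval", "Approve"): "Closed: Accepted Risk",
    ("Accept Risk Approval", "Reject"): "Planning",
    ("Fix Pending Confirmation", "Move to Planning"): "Planning",
}
# Data the user must supply with an action (approval documents are optional).
REQUIRED = {
    "Mark as False Positive": ("reason",),  # assumption: treated as mandatory
    "Accept Risk": ("reason", "mitigation", "deadline"),
}

def apply_action(entry, action, **data):
    """Apply a user action; raise ValueError if the workflow does not allow it."""
    if not entry.get("owner"):
        raise ValueError("entry needs an Owner User before it can change state")
    nxt = TRANSITIONS.get((entry["state"], action))
    if nxt is None:
        raise ValueError(f"{action!r} is not available in {entry['state']!r}")
    missing = [f for f in REQUIRED.get(action, ()) if not data.get(f)]
    if missing:
        raise ValueError(f"missing mandatory fields: {missing}")
    entry.update(data, state=nxt)
    return nxt

def apply_rescan(entry, solution_states, today=None):
    """Scanner-driven moves: confirm or bounce a treated entry, reopen a closed one."""
    today = today or date.today()
    still_present = "Active" in solution_states
    state = entry["state"]
    if state == "Fix Pending Confirmation":
        if still_present:
            entry["state"] = "Execution"
        elif all(s == "Fix Confirmed" for s in solution_states):
            entry["state"] = "Closed: Fix Confirmed"
    elif state == "Closed: Fix Confirmed" and still_present:
        entry["state"] = "Reopen"
    elif state == "Closed: Accepted Risk" and still_present and today > entry["deadline"]:
        entry["state"] = "Reopen"
    return entry["state"]
```

Because every legal move is a key in `TRANSITIONS`, the same table can be replayed over a recorded history to flag entries that reached a closed state without passing through Approval or a scanner confirmation.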