Document Scope
This document describes the functional requirements for a new application module of the existing CODA Footprint software.
The new module adds remediation workflow features with the technical specifications described below.
Presentation
This functionality provides a way of tracking any given Active Remediation, CVE (Common Vulnerabilities and Exposures entry), or Attack Avenue from detection to closure.
Every finding is assigned one of several states. The states that count as "Closed" are "False Positive", "Fix Confirmed", "Decommissioned" and "Accepted Risk".
Two of the states are temporary. "Accepted Risk" carries an Accept Risk Deadline (a TTL): when the deadline expires and the vulnerability is still present, the finding is reopened. "Fix Pending Confirmation" holds the finding until the scanner's next rescan either confirms the fix or finds the vulnerability still present.
Any other finding is "Active" until it is addressed, or "Reopened" in two cases: its Accept Risk TTL expired (accept risk workflow), or it was marked as fixed and the next scan found it still present.
A brief presentation about states

Active States | Explanation
Active | Findings that are present at the initial scan
Accepted Risk | Changed by the user to Accepted Risk until a deadline (Accept Risk Deadline)
Fix Pending Confirmation | The fix has been applied and the scanner's rescan is awaited
Reopened | The Accept Risk deadline expired, or a finding marked as fixed was found again by the next scan

Closure States | Explanation
False Positive | The user decided this is a false positive (subject to approval)
Fix Confirmed | Confirmed by the scanner; this state can follow any Active state
Decommissioned | The affected assets are no longer available
Remediations are generated automatically by the platform, using rules that the application admin can alter, in the form of an atomic action (for example "Install KB111223" or "update Apache httpd to the latest version").
Each remediation, or a subset of affected "hosts", or an individual or grouped "CVE" or "finding", can be added to a workflow for the purpose of tracking, approving and closing the remediation flow.
The approval process is to be provisioned so that the business owner, the information security officer and the technical owner of the system are involved, have visibility, and can approve or refuse the proposed action.
A brief presentation about Deadlines
There are four remediation deadlines tied to an Action Plan entry.
- The Implied Deadline field cannot be modified by the user. It is calculated automatically from the "Discovered on" field of a vulnerability in that Action Plan entry, adding a number of days that depends on the vulnerability's CR Score (CRS). For example:
  - if the CRS is between 90 and 100, the Implied Deadline is the discovered_on date + 7 days
  - if the CRS is between 0 and 10, the Implied Deadline is the discovered_on date + 90 days
- The following three deadlines default to two weeks but may be modified by the user as needed:
  - Remediate on Non-Prod Environment: the deadline for remediation in a local environment intended for testing
  - UAT Deadline (User Acceptance Testing Deadline): the deadline for the staging environment, the last testing session
  - Remediate on Prod Environment: the deadline for remediation in the production environment
Workflow / Workflow diagram
Remediation flows start from the "Reports" left-side tab -> "Remediation" menu -> "Remediation Report" sub-menu.
The scope can be an atomic remediation, a group of atomic remediations, or a device (host).
Once a scope is selected, it is added to the action plan with the "Add Selection to Action Plan" button, which offers two options: create a new Action Plan entry, or add the selection to an existing Action Plan entry.
Diagram
Tabs Meaning / Action States
Planning
- This page contains draft Action Plan entries, which can be edited, deleted, or moved to the Execution state.
- Available actions:
  - Move to Execution
  - Delete
  - Download XLSX
Attention: in order to change state (for example from "Planning" to "Execution", and so on) the Action Plan entry must have an Owner User assigned to it.
Reopen
- This page contains Action Plan entries that have been reopened because:
  - their Accept Risk Deadline expired (TTL expired), or
  - they were rediscovered while in the Closed | Fix Confirmed state (still active at the next scan)
- Available actions:
  - Move to Execution
  - Download XLSX
Attention: the Reopen state is used only for the two cases described above.
Execution
- This page contains Action Plan entries that have been moved to Execution from the Planning or Reopen tab.
- Available actions:
  - per atomic solution:
    - Mark as False Positive
    - Accept Risk
    - Mark as Treated
    - Move to Planning
  - per group of atomic solutions (with selector):
    - Mark as Treated
    - Move to Planning
  - per Action Plan entry:
    - Move to Planning
    - Download XLSX
- Event-based actions:
  - Mark as Treated -> the Action Plan entry moves to the "Fix Pending Confirmation" tab.
  - Mark as False Positive -> the Action Plan entry moves to the "Approval" tab and its state is set to "False Positive Approval". The user must provide:
    - Reason
    - Approval documents (multiple document upload), not mandatory
  - Accept Risk -> the Action Plan entry moves to the "Approval" tab and its state is set to "Accept Risk Approval". The user must provide (as mandatory fields):
    - Reason
    - Mitigation option: create a new mitigation option, or select an existing one from the Risk Mitigation Catalogue
    - Accept Risk Deadline (temporary deadline)
    - Approval documents (multiple document upload), not mandatory
- The Action Plan entry moves automatically to Closed (Fixed) when all of its atomic solutions are Fix Confirmed.
Approval
- This page contains Action Plan entries marked as Accept Risk or False Positive that need approval in order to be closed.
- Action:
  - Download XLSX
- Event-based actions:
  - [False Positive Approval]
    - Approve -> the Action Plan entry moves to the "Closed" tab with the closed state "False Positive". Approval documents (multiple document upload) can be provided, not mandatory.
    - Reject -> the Action Plan entry moves to the "Planning" tab.
  - [Accept Risk Approval]
    - Approve -> the Action Plan entry moves to the "Closed" tab with the closed state "Accepted Risk". The settings already entered in the "Execution" tab can be edited, and approval documents (multiple document upload) can be provided, not mandatory.
    - Reject -> the Action Plan entry moves to the "Planning" tab.
Fix Pending Confirmation
- This page contains Action Plan entries that have been marked as Treated from the Execution state.
- Action:
  - Move to Planning
  - Download XLSX
- The entry waits for the next rescan, which sets its state to "Closed" or "Execution":
  - it changes automatically to "Closed (Fixed)" when all atomic solutions are "Fix Confirmed"
  - it changes automatically to "Execution" when at least one atomic solution is still "Active"
Closed
- This page contains Action Plan entries that have been closed from the Approval or Fix Pending Confirmation state.
Attention: when the Accept Risk Deadline set for an Action Plan entry expires and the vulnerability is still present, the entry moves to the "Reopen" state.
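The tab descriptions above define a state machine for an Action Plan entry: the Owner User precondition for leaving Planning, the approval detour for Accept Risk and False Positive, the rescan-driven move from Fix Pending Confirmation to Closed (Fixed) or back to Execution, and the two Reopen cases. The following Python model is an added example written for this page, not CODA Footprint code; the class, method and field names and the sample entry are assumptions, while the transitions follow the tabs as described.

```python
"""Toy model of the Action Plan entry state machine described on this page.
Added illustration, not CODA Footprint code: class, method and field names and
the sample entry are assumptions; the transitions follow the tab descriptions above."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Tab(str, Enum):
    PLANNING = "Planning"
    EXECUTION = "Execution"
    APPROVAL = "Approval"
    FIX_PENDING = "Fix Pending Confirmation"
    CLOSED = "Closed"
    REOPEN = "Reopen"


@dataclass
class ActionPlanEntry:
    atomics: dict[str, str]           # atomic solution -> Active | Treated | Fix Confirmed
    owner: str | None = None          # Owner User; required before leaving Planning / Reopen
    tab: Tab = Tab.PLANNING
    closed_state: str | None = None   # Fixed | False Positive | Accepted Risk
    pending: tuple[str, date | None] | None = None   # awaiting approval: (closed state, deadline)
    accept_risk_deadline: date | None = None
    history: list[str] = field(default_factory=list)

    def _move(self, allowed: tuple[Tab, ...], to: Tab, why: str) -> None:
        if self.tab not in allowed:
            raise ValueError(f"'{why}' is not available in the {self.tab.value} tab")
        self.history.append(f"{self.tab.value} -> {to.value} ({why})")
        self.tab = to

    def move_to_execution(self) -> None:
        if self.owner is None:        # the "Attention" note under Planning
            raise ValueError("an Owner User must be assigned before changing state")
        self._move((Tab.PLANNING, Tab.REOPEN), Tab.EXECUTION, "Move to Execution")

    def mark_treated(self, *names: str) -> None:
        self._move((Tab.EXECUTION,), Tab.FIX_PENDING, "Mark as Treated")
        for name in names:
            self.atomics[name] = "Treated"

    def mark_false_positive(self, reason: str) -> None:
        if not reason:
            raise ValueError("Reason is mandatory")
        self._move((Tab.EXECUTION,), Tab.APPROVAL, "Mark as False Positive")
        self.pending = ("False Positive", None)

    def accept_risk(self, reason: str, mitigation: str, deadline: date) -> None:
        if not (reason and mitigation):   # mandatory fields; approval documents stay optional
            raise ValueError("Reason and a mitigation option are mandatory")
        self._move((Tab.EXECUTION,), Tab.APPROVAL, "Accept Risk")
        self.pending = ("Accepted Risk", deadline)

    def approve(self) -> None:
        self._move((Tab.APPROVAL,), Tab.CLOSED, "Approve")
        self.closed_state, self.accept_risk_deadline = self.pending
        self.pending = None

    def reject(self) -> None:
        self._move((Tab.APPROVAL,), Tab.PLANNING, "Reject")
        self.pending = None

    def rescan(self, still_present: set[str]) -> None:
        """Apply the scanner's next result; only Fix Pending Confirmation and Closed | Fixed react."""
        if self.tab == Tab.FIX_PENDING:
            for name in self.atomics:
                self.atomics[name] = "Active" if name in still_present else "Fix Confirmed"
            if "Active" in self.atomics.values():
                self._move((Tab.FIX_PENDING,), Tab.EXECUTION, "at least one atomic solution is Active")
            else:
                self.closed_state = "Fixed"
                self._move((Tab.FIX_PENDING,), Tab.CLOSED, "all atomic solutions are Fix Confirmed")
        elif self.tab == Tab.CLOSED and self.closed_state == "Fixed" and still_present & set(self.atomics):
            self._move((Tab.CLOSED,), Tab.REOPEN, "rediscovered while Closed | Fix Confirmed")

    def expire_deadlines(self, today: date, still_present: set[str]) -> None:
        """Accepted Risk TTL: reopen only if the deadline passed and the finding is still present."""
        if (self.tab == Tab.CLOSED and self.closed_state == "Accepted Risk"
                and self.accept_risk_deadline and today > self.accept_risk_deadline
                and still_present & set(self.atomics)):
            self._move((Tab.CLOSED,), Tab.REOPEN, "Accept Risk deadline expired (TTL)")


def demo() -> ActionPlanEntry:
    """Constructed entry: treat -> partial fix -> accept risk -> approve -> TTL expiry -> Reopen."""
    entry = ActionPlanEntry({"Install KB111223": "Active", "update Apache httpd": "Active"})
    try:
        entry.move_to_execution()                  # refused: no Owner User assigned yet
    except ValueError:
        entry.owner = "alice"
    entry.move_to_execution()
    entry.mark_treated("Install KB111223", "update Apache httpd")
    entry.rescan({"update Apache httpd"})          # one atomic still Active -> back to Execution
    entry.accept_risk("vendor patch not released", "compensating WAF rule", date(2024, 6, 30))
    entry.approve()                                # Closed (Accepted Risk) with a TTL
    entry.expire_deadlines(date(2024, 7, 1), {"update Apache httpd"})
    return entry
```

Two details worth noting in the model: a rescan that still finds one atomic solution sends the whole entry back to Execution even though the other solutions are already Fix Confirmed, and an expired Accept Risk Deadline reopens the entry only when the scanner still sees the vulnerability; an accepted risk whose finding has meanwhile disappeared stays closed.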
My workflow
- This page contains all Action Plan entries where you are the Owner User.
Actions Report
- This page contains all Action Plan entries regardless of state.