RV — Respond to Vulnerabilities
9 tasks in the Respond to Vulnerabilities group
RV.1.1 Gather information from software acquirers, users, and public sources on potential vulnerabilities in the software and third-party components that the software uses, and investigate all credible reports.
RV.1.2 Review, analyze, and/or test the software’s code to identify or confirm the presence of previously undetected vulnerabilities.
RV.1.3 Have a policy that addresses vulnerability disclosure and remediation, and implement the roles, responsibilities, and processes needed to support that policy.
RV.2.1 Analyze each vulnerability to gather sufficient information about risk to plan its remediation or other risk response.
RV.2.2 Plan and implement risk responses for vulnerabilities.
RV.3.1 Analyze identified vulnerabilities to determine their root causes.
RV.3.2 Analyze the root causes over time to identify patterns, such as a particular secure coding practice not being followed consistently.
RV.3.3 Review the software for similar vulnerabilities to eradicate a class of vulnerabilities, and proactively fix them rather than waiting for external reports.
RV.3.4 Review the SDLC process, and update it if appropriate to prevent (or reduce the likelihood of) the root cause recurring in updates to the software or in new software that is created.