A functional defect is typically a set of undesirable behavior associated with an application feature. A security vulnerability (security bug) consists of undesirable behavior that weakens the application's ability to resist attacks or protect data. In terms of issue tracking and remediation, a security bug is really just a specific type of functional bug. This is apparent when you consider the basic workflow for a functional defect:
- A developer or user reports a defect.
- The project manager assigns the defect to a developer.
- The developer implements code to resolve the issue.
- The quality assurance team verifies that the implemented code successfully resolved the issue.
- The project manager or team provides communication to executives, clients, or other entities regarding the successful resolution of the issue.
- The issue is archived for use in metrics or other statistical analysis.
Development teams already use bug tracking software during development, why not utilize the same systems for tracking security vulnerabilities? Project team's familiarity with the software and process will make it considerably easier to collaborate on remediation efforts. Additionally, most organizations already have methods of collecting metrics about software defects. These metrics can be extended to include vulnerabilities.
In order to effectively track security vulnerabilities, a centralized, web-based bug tracking system needs to support the following features:
- Custom workflows per issue type
- Custom fields within bug items
- Roles and privileges controlling users' ability to change the status of security bugs
The diagram below illustrates the custom workflow, roles, and purpose of each step. This workflow can be created in Redmine and each transition can be associated with specific roles.
Since the software supports custom fields within issue items, a security assessor can enter additional vulnerability information such as:
- The vulnerability category
- Whether the issue has a security impact
- Whether the issue has a privacy impact
- Whether the issue has a compliance impact
- Which group identified the issue
- Whether the item was identified by an automated or manual process
- Which activity was used to identify issues
In addition to tracking vulnerabilities, this system could also be used to manage requests and the workflow associated with security services performed by an internal security team. Organizations often may utilize security teams to assist in specifying security, privacy and compliance requirements or to perform activities like penetration testing and code review. A custom workflow can be created in Redmine to handle this issue type as well.
Here is an example of a security service request in Redmine:
Security Activities Custom Field:
Vulnerability Identification Method Source Custom Field:
Vulnerability Identification Method Custom Field:
Vulnerability Identified By Custom Field:
Vulnerability Category Custom Field: