Wednesday, July 22, 2009

Vulnerability Tracking, Workflow, and Metrics With Redmine

This article was inspired by real processes and software implemented in a client's environment. This client has a very proactive approach to application security. I would love to give specific attribution to some of these ideas, but I am not permitted in this case.

A functional defect is typically a set of undesirable behavior associated with an application feature. A security vulnerability (security bug) consists of undesirable behavior that weakens the application's ability to resist attacks or protect data. In terms of issue tracking and remediation, a security bug is really just a specific type of functional bug. This is apparent when you consider the basic workflow for a functional defect:
  1. A developer or user reports a defect.
  2. The project manager assigns the defect to a developer.
  3. The developer implements code to resolve the issue.
  4. The quality assurance team verifies that the implemented code successfully resolved the issue.
  5. The project manager or team provides communication to executives, clients, or other entities regarding the successful resolution of the issue.
  6. The issue is archived for use in metrics or other statistical analysis.
The workflow for a security bug contains the same steps but differs in the roles associated with each step. A security bug may require interaction or approval from security managers or security assessors in addition to developers and project managers.

Development teams already use bug tracking software during development, why not utilize the same systems for tracking security vulnerabilities? Project team's familiarity with the software and process will make it considerably easier to collaborate on remediation efforts. Additionally, most organizations already have methods of collecting metrics about software defects. These metrics can be extended to include vulnerabilities.

In order to effectively track security vulnerabilities, a centralized, web-based bug tracking system needs to support the following features:
  • Custom workflows per issue type
  • Custom fields within bug items
  • Roles and privileges controlling users' ability to change the status of security bugs
After a little research, I identified a bug tracking system called Redmine that satisfies all these requirements and more. In Redmine, I was able to create an issue type called "Vulnerability" and associated a specific workflow.

The diagram below illustrates the custom workflow, roles, and purpose of each step. This workflow can be created in Redmine and each transition can be associated with specific roles.

Since the software supports custom fields within issue items, a security assessor can enter additional vulnerability information such as:
  • The vulnerability category
  • Whether the issue has a security impact
  • Whether the issue has a privacy impact
  • Whether the issue has a compliance impact
  • Which group identified the issue
  • Whether the item was identified by an automated or manual process
  • Which activity was used to identify issues
Once many of these issues have been reported across an organization, this information can be used to evaluate the effectiveness of tools, processes, or security activities used throughout the development process. An example of a Vulnerability item being created in Redmine is shown in the screenshot below.

In addition to tracking vulnerabilities, this system could also be used to manage requests and the workflow associated with security services performed by an internal security team. Organizations often may utilize security teams to assist in specifying security, privacy and compliance requirements or to perform activities like penetration testing and code review. A custom workflow can be created in Redmine to handle this issue type as well.

Here is an example of a security service request in Redmine:


Custom Fields:

Security Activities Custom Field:

Vulnerability Identification Method Source Custom Field:

Vulnerability Identification Method Custom Field:

Vulnerability Identified By Custom Field:

Vulnerability Category Custom Field:


Bruce K. Marshall said...

Great article Nick, and the screenshots and flowcharts are a nice bonus.

Anonymous said...

Thanks a lot ! Great and usefull :)