Question: Are application vulnerabilities tracked, prioritized, and verified closed through a formal defect management process?
-
Objective — Why This Matters
Tracking, prioritizing and verifying fixes closes the feedback loop between finding a vulnerability and removing it. Without that loop, findings are lost in email, the same weakness reappears in later scans, and security posture stagnates.
-
Maturity Levels (0–5)
0 – No tracking; issues are emailed around or lost.
1 – Vulnerabilities logged, but with no owner accountable for closure.
2 – Formal defect tracker with status, owner and a closure SLA per severity.
3 – Risk-based prioritization; fixes verified (retested) before a finding is closed.
4 – Scanner results imported automatically; dashboards show closure against SLA.
5 – Continuous improvement driven by closure analytics (trends, recurrence, SLA breaches).
-
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Log every finding, from any source, in one shared tracker. |
| 1 → 2 | Assign an owner to each finding and define closure SLAs by severity. |
| 2 → 3 | Score findings by risk (severity and exposure) and verify remediation by retest before closing. |
| 3 → 4 | Import scanner output automatically and build dashboards of closure against SLA. |
| 4 → 5 | Analyze closure trends and recurring findings to improve the process. |
-
People / Process / Technology Enablers
People – QA, AppSec, Project Managers.
Process – Vulnerability triage and SLA tracking.
Technology – DefectDojo, Jira, Grafana.
-
Evidence Required
Tracker exports showing owner, status and dates; SLA metrics; retest or verification reports for closed findings.
-
Metrics / KPIs
• percentage of vulnerabilities closed within SLA (per severity)
• number of recurring vulnerabilities (findings closed and then reported again by a later scan)
• average age of open high-risk findings (days since first detection)
-
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Tracking | DefectDojo | Centralized vulnerability management. |
| Visualization | Grafana | Dashboards from issue tracker. |
| Automation | Python scripts / Webhooks | Auto-import scan data. |
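The Automation row above, the three KPIs under Metrics and the pitfall under Common Pitfalls all depend on the same mechanics: recognising the same finding across scan runs, closing it only when a later scan of the same tool no longer reports it, and computing closure metrics from the dates. The Python script below is an added illustration, not part of this page's framework or of DefectDojo or any other listed tool; the SLA values, the `semgrep` findings and the scan dates are constructed sample data, and the fingerprint scheme (tool, rule and location, ignoring line numbers) is one reasonable choice among several.

```python
"""Closure analytics over scanner findings: import, reopen detection, SLA KPIs.

Added example; the sample findings below are constructed, not real scan output.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date

# Assumed remediation SLAs in days per severity (illustrative policy values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    tool: str
    rule_id: str
    location: str          # file path or URL; line numbers deliberately excluded
    severity: str
    found_on: date
    closed_on: date | None = None
    reopen_count: int = 0

    def fingerprint(self) -> str:
        """Stable identity across scans so one weakness is one tracker item."""
        key = f"{self.tool}|{self.rule_id}|{self.location}".lower()
        return hashlib.sha256(key.encode()).hexdigest()[:16]


def import_scan(tracker: dict[str, Finding], tool: str, scan: list[Finding],
                scan_date: date) -> dict[str, list[str]]:
    """Merge one run of `tool` into the tracker and classify each finding.

    A finding the scanner still reports after it was marked closed is reopened;
    closure is verified only by absence from a later scan of the same tool.
    """
    outcome: dict[str, list[str]] = {"new": [], "reopened": [], "still_open": [], "closed": []}
    seen: set[str] = set()
    for f in scan:
        fp = f.fingerprint()
        seen.add(fp)
        existing = tracker.get(fp)
        if existing is None:
            tracker[fp] = f
            outcome["new"].append(fp)
        elif existing.closed_on is not None:
            existing.closed_on = None          # fix did not hold: keep original found_on
            existing.reopen_count += 1
            outcome["reopened"].append(fp)
        else:
            outcome["still_open"].append(fp)
    # Anything this tool previously reported but no longer does is verified closed.
    for fp, f in tracker.items():
        if f.tool == tool and f.closed_on is None and fp not in seen:
            f.closed_on = scan_date
            outcome["closed"].append(fp)
    return outcome


def kpis(tracker: dict[str, Finding], today: date) -> dict[str, float]:
    """The three KPIs from the Metrics section plus a count of open findings past SLA."""
    closed = [f for f in tracker.values() if f.closed_on is not None]
    in_sla = [f for f in closed if (f.closed_on - f.found_on).days <= SLA_DAYS[f.severity]]
    open_ = [f for f in tracker.values() if f.closed_on is None]
    open_high = [f for f in open_ if f.severity in ("critical", "high")]
    overdue = [f for f in open_ if (today - f.found_on).days > SLA_DAYS[f.severity]]
    return {
        "pct_closed_within_sla": round(100 * len(in_sla) / len(closed), 1) if closed else 0.0,
        "recurring": sum(1 for f in tracker.values() if f.reopen_count > 0),
        "avg_age_open_high_days": (sum((today - f.found_on).days for f in open_high) / len(open_high)
                                   if open_high else 0.0),
        "open_overdue": len(overdue),
    }


def run_demo() -> tuple[dict[str, Finding], list[dict[str, list[str]]], dict[str, float]]:
    """Three constructed SAST runs over the same codebase (sample data, not real scans)."""
    def f(rule: str, loc: str, sev: str, day: date) -> Finding:
        return Finding("semgrep", rule, loc, sev, day)

    d1, d2, d3, today = date(2024, 1, 1), date(2024, 1, 6), date(2024, 2, 15), date(2024, 3, 1)
    runs = [
        (d1, [f("sqli", "app/db.py", "high", d1), f("xss", "app/views.py", "medium", d1),
              f("hardcoded-secret", "config.py", "critical", d1)]),
        (d2, [f("sqli", "app/db.py", "high", d2), f("ssrf", "app/fetch.py", "high", d2)]),
        (d3, [f("xss", "app/views.py", "medium", d3), f("ssrf", "app/fetch.py", "high", d3)]),
    ]
    tracker: dict[str, Finding] = {}
    outcomes = [import_scan(tracker, "semgrep", scan, day) for day, scan in runs]
    return tracker, outcomes, kpis(tracker, today)


if __name__ == "__main__":
    _, outcomes, metrics = run_demo()
    for o in outcomes:
        print({k: len(v) for k, v in o.items()})
    print(metrics)
```

In the constructed data the XSS finding is closed by the second run and reported again by the third, so it counts as recurring and its age keeps running from first detection rather than restarting; the SQL injection finding closes 45 days after detection against a 30-day SLA, so it is closed but outside SLA. A real pipeline replaces `run_demo` with a parser for each scanner's output format; DefectDojo's reimport workflow applies the same absence-based closure when a new report for an existing test is uploaded.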
-
Common Pitfalls
Fixes are marked closed without retest, so the same finding reappears in the next scan and "closed" becomes a status field rather than evidence of remediation.
-
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO 27001 | A.8.28 / A.8.32. |
| NIST CSF 2.0 | DE.CM-8 / RC.IM-1. |
| CERT-In 2022 | Vulnerability closure expectation. |
| NIRMATA Scoring | AS-Q12 ≥ Level 4 requires scanner-linked dashboards. |