Commit 2129fa41 authored by Santeri Toikka

Updated scanning assessment

Closes #125 HAS64
parent a56b1124
+30 −12
@@ -635,29 +635,47 @@ DDoS mitigations:

#### 6.1.1.0 REQ-EXPLOIT-0

**Objective:** Disclosure of new vulnerabilities in the product and its dependencies are proactively monitored.<br/>
**Objective:**

Verify that:
1. Known exploitable vulnerabilities affecting the product are identified.
2. For each identified known exploitable vulnerability, one of the following applies:
   * the vulnerability assessment demonstrates that the vulnerability is not exploitable in the product; or
   * specific user guidance is provided to prevent exploitation.
3. No known exploitable vulnerability remains in the product without one of the above justifications.

**Preparation:**

1. Select up to three vulnerability scanners meeting the requirements
* [DESIGN] Product documentation identifying elements contained in the product (elements may include software, firmware, or hardware elements, as applicable).
* [INVENTORY] component inventory, bill of materials, or equivalent software identification information, including version and patch-level information where available.
* Access to the product, or to relevant components such as binaries, packages, images, firmware, containers, or file systems, sufficient to perform vulnerability scanning where technically feasible.
* Vulnerability scanning tools and associated vulnerability databases suitable for identifying candidate vulnerabilities in the product.
* Access to recognized public vulnerability sources:
  * Public databases e.g. EUVD, CISA Known Exploited Vulnerabilities (KEV) Catalog, the CVE List, the NIST National Vulnerability Database (NVD) and relevant vendor advisories;
  * Complementary sources that may support identification of relevant vulnerabilities, where relevant, for example technical research papers, conference papers and other publicly available security research.

**Activities:**

1. On a new product, carry out a secure update, run the selected scanners on the product, and examine the documentation for any reported vulnerabilities
1. Review the product documentation, component inventory, bill of materials, or equivalent information to identify the elements contained in the product (which may include software, firmware, or hardware elements, as applicable) and their relevant versions or patch levels, where available.
2. Perform vulnerability scanning, where technically feasible, on the product or relevant components to identify candidate vulnerabilities affecting elements contained in the product.
3. Assess, in accordance with prEN 40000-1-3 [X], the vulnerabilities identified through correlation of scanning results, product identification information, vendor advisories, and recognized public vulnerability sources.
4. For each identified known exploitable vulnerability, review the vulnerability assessment and verify whether it demonstrates that the vulnerability is not exploitable in the product:
5. Where the treatment of an identified known exploitable vulnerability relies on user guidance, review the user guidance and verify that it specifically addresses the conditions to prevent exploitation.
6. Verify that no identified known exploitable vulnerability affecting the product remains without:
   * a vulnerability assessment demonstrating non-exploitability in the product; or
   * specific required user guidance to prevent exploitation.

**Verdict:**

1. Pass if the process to track new vulnerabilities is documented
1. and how existing vulnerabilities are tracked in the already released products is described.
1. and no vulnerabilities found, or all reported vulnerabilities satisfy either the age or documentation requirement.
1. Fail otherwise.
* Pass: Known exploitable vulnerabilities affecting the product are identified, and each such vulnerability is covered either by a vulnerability assessment demonstrating non-exploitability in the product, or by specific user guidance preventing exploitation.
* Fail otherwise.

**Supporting Evidence:**

1. References to to documentation sections.
1. Documented vulnerability handling policy.
1. List of vulnerability scanners selected.
1. Reports from each scanner.
1. Correlation of reports of discovered vulnerabilities with documentation of mitigations.
* [SCAN] Vulnerability scanning results, including the tools and vulnerability databases used with snapshot date information.
* [ADVISORY] Recognized public vulnerability sources, vendor advisories, and product identification information used in the assessment.
* [ANALYSIS] Vulnerability assessment records and conclusions produced in accordance with prEN 40000-1-3 [X].
* [GUIDANCE] Product user guidance relied upon to prevent exploitation, where applicable.

#### 6.1.1.1 REQ-EXPLOIT-1
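Review bot: the citation placeholder `[X]` after `prEN 40000-1-3` is still unresolved in two places in this hunk, activity step 3 ("Assess, in accordance with prEN 40000-1-3 [X], ...") and the `[ANALYSIS]` evidence item; either fill in the actual reference number from the document's bibliography or mark it with an explicit TODO so it is not merged as-is. Two smaller points in the same hunk: activity step 4 ends with a stray colon ("...is not exploitable in the product:") where the following step is a separate verification, so it should end with a period; and the `**Objective:**` label is now followed by nothing, since the objective sentence was removed and the "Verify that:" list replaces it, so either restore a one-line objective after the label or drop the empty label.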