4.3 - Findings Documentation
Goal
Record every tool-generated finding in DefectDojo so that it can be manually reviewed and validated afterwards. Centralizing the raw output ensures that potential vulnerabilities reported by automated tools are examined, confirmed or rejected, and tracked to closure rather than lost in individual tool reports.
How to Execute
- Document Findings in DefectDojo
- Description: Utilize DefectDojo to systematically record and organize findings from both static and dynamic analyses. This allows for centralized management of vulnerabilities and facilitates the process of review and validation.
- Tools/Techniques:
- Configure DefectDojo to ingest findings automatically from the pipeline tools: Semgrep (SAST), the software composition analysis (SCA) scanner, and SonarQube. DefectDojo's import-scan API accepts each tool's native report format and maps it onto findings with a consistent schema.
- Import findings as active but unverified, so that they queue for manual review instead of being treated as confirmed vulnerabilities. Ensure that each finding is logged with sufficient detail: description, severity, affected component and location, potential impact, and a recommended mitigation.
- Output: A well-organized repository of all security findings documented in DefectDojo, making them accessible for further analysis and action.
- Review and Validation
- Description: Conduct manual reviews of the documented findings to validate their accuracy and relevance. This step involves assessing the context of each vulnerability, its practical impact, and the urgency of addressing it.
- Tools/Techniques:
- Schedule regular review meetings with the development and security teams to discuss and validate each finding.
- Use DefectDojo's finding status fields (verified, false positive, out of scope, under review, risk accepted) to assign, track, and update each finding as it is reviewed, so that the review decision and the reason for it are recorded on the finding itself.
- Output: A validated list of vulnerabilities, each reviewed and confirmed by relevant stakeholders, ensuring that only genuine and impactful issues are forwarded for remediation.
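The two steps above as a worked example against the DefectDojo REST API, added here and not taken from the playbook or from DefectDojo's own code. It prepares the import of a Semgrep JSON report through `/api/v2/import-scan/` (active but unverified), prepares the `PATCH /api/v2/findings/{id}/` that records a reviewer's decision, and computes the validated list that may be forwarded for remediation. `DOJO_URL`, `DOJO_TOKEN`, `ENGAGEMENT_ID` and the sample findings are placeholders; nothing is sent unless the `urlopen` line is uncommented.

```python
"""Added example (not part of the playbook or of DefectDojo itself).
Step 1: upload a Semgrep JSON report to DefectDojo via /api/v2/import-scan/.
Step 2: apply a manual review decision via PATCH /api/v2/findings/{id}/ and
derive the validated list that may be forwarded for remediation.
DOJO_URL, DOJO_TOKEN and ENGAGEMENT_ID are placeholders (assumptions)."""
import json
import os
import urllib.request
import uuid

DOJO_URL = os.environ.get("DOJO_URL", "https://defectdojo.example.internal")  # placeholder host
DOJO_TOKEN = os.environ.get("DOJO_TOKEN", "replace-with-api-token")           # placeholder token
ENGAGEMENT_ID = 7                                                             # placeholder engagement id

# Details a finding must carry before a reviewer can assess impact and urgency.
REQUIRED_FIELDS = ("title", "severity", "description", "impact", "mitigation")

# Review decision -> status fields of the DefectDojo findings API.
TRIAGE = {
    "confirmed":      {"active": True,  "verified": True,  "false_p": False, "under_review": False},
    "false_positive": {"active": False, "verified": True,  "false_p": True,  "under_review": False},
    "out_of_scope":   {"active": False, "verified": True,  "out_of_scope": True, "under_review": False},
    "needs_info":     {"active": True,  "verified": False, "under_review": True},
}


def encode_multipart(fields, files):
    """Build a multipart/form-data body with the stdlib only; import-scan
    expects the report as a file upload next to the form fields."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts += [f"--{boundary}", f'Content-Disposition: form-data; name="{name}"', "", str(value)]
    for name, (filename, content) in files.items():
        parts += [f"--{boundary}",
                  f'Content-Disposition: form-data; name="{name}"; filename="{filename}"',
                  "Content-Type: application/json", "", content]
    parts += [f"--{boundary}--", ""]
    return "\r\n".join(parts).encode(), f"multipart/form-data; boundary={boundary}"


def build_import_request(report_json, engagement_id=ENGAGEMENT_ID,
                         scan_type="Semgrep JSON Report", minimum_severity="Low"):
    """Prepare the import-scan POST. Findings are imported active but
    unverified so they queue for manual review instead of counting as confirmed."""
    fields = {
        "scan_type": scan_type,
        "engagement": engagement_id,
        "minimum_severity": minimum_severity,
        "active": "true",
        "verified": "false",
        "close_old_findings": "false",
    }
    body, content_type = encode_multipart(fields, {"file": ("report.json", report_json)})
    req = urllib.request.Request(f"{DOJO_URL}/api/v2/import-scan/", data=body, method="POST")
    req.add_header("Authorization", f"Token {DOJO_TOKEN}")
    req.add_header("Content-Type", content_type)
    return req


def missing_details(finding):
    """Return the required fields that are absent or empty on a finding dict."""
    return [f for f in REQUIRED_FIELDS if not finding.get(f)]


def build_triage_request(finding_id, decision):
    """Prepare the PATCH that records one review decision on one finding."""
    req = urllib.request.Request(f"{DOJO_URL}/api/v2/findings/{finding_id}/",
                                 data=json.dumps(TRIAGE[decision]).encode(), method="PATCH")
    req.add_header("Authorization", f"Token {DOJO_TOKEN}")
    req.add_header("Content-Type", "application/json")
    return req


def validated_for_remediation(findings):
    """Keep only findings a reviewer confirmed (verified, still active, not a
    false positive, not out of scope) that carry the details remediation needs."""
    return [f["id"] for f in findings
            if f.get("verified") and f.get("active")
            and not f.get("false_p") and not f.get("out_of_scope")
            and not missing_details(f)]


# Constructed sample in the shape of /api/v2/findings/ results (not real data).
SAMPLE_FINDINGS = [
    {"id": 101, "title": "SQL injection in search", "severity": "High", "description": "tainted query",
     "impact": "database read", "mitigation": "parameterize the query",
     "active": True, "verified": True, "false_p": False, "out_of_scope": False},
    {"id": 102, "title": "Hardcoded secret in test fixture", "severity": "Medium", "description": "dummy key",
     "impact": "", "mitigation": "",
     "active": False, "verified": True, "false_p": True, "out_of_scope": False},
    {"id": 103, "title": "Missing rate limit", "severity": "Low", "description": "login endpoint",
     "impact": "brute force", "mitigation": "add throttling",
     "active": True, "verified": False, "false_p": False, "out_of_scope": False},
]

if __name__ == "__main__":
    req = build_import_request(json.dumps({"results": [], "errors": []}))
    print("would POST", req.full_url, len(req.data), "bytes")
    print("triage payload:", build_triage_request(102, "false_positive").data.decode())
    print("ready for remediation:", validated_for_remediation(SAMPLE_FINDINGS))
    # urllib.request.urlopen(req)  # uncomment to send against a real instance
```

Finding 103 is excluded because nobody has verified it yet, and 102 because the reviewer marked it a false positive; only 101 is forwarded. Importing with `verified=false` is the hinge of the workflow: the verified flag becomes the reviewer's signature, and the remediation list is filtered on it rather than on the raw tool output.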