| ID | Control | Audit Procedure | Expected Results | Evidence | References |
|---|---|---|---|---|---|
| VM-01 | Dependency Vulnerability Management: ensure that all third-party libraries and dependencies are regularly scanned for vulnerabilities. | 1. Review automated dependency scanning reports (e.g., from SCA tools such as Snyk or OWASP Dependency-Check).<br>2. Verify that known vulnerabilities are tracked in a remediation log.<br>3. Check that updates/patches are applied within defined SLAs. | - Regular automated scans identify vulnerabilities in dependencies.<br>- All critical and high-risk vulnerabilities are remediated in a timely manner.<br>- A remediation log is maintained and reviewed. | - Dependency scanning reports<br>- Remediation logs<br>- Patch management records | NIST SP 800-53 (CM-6), OWASP Dependency-Check |
| VM-02 | Source Code Vulnerability Management: ensure that the source code is regularly reviewed and scanned for vulnerabilities. | 1. Review source code scanning reports from SAST tools.<br>2. Verify that code review processes include security checks.<br>3. Check that vulnerabilities identified in source code are tracked and resolved. | - Regular SAST scans are performed.<br>- Code reviews systematically address security issues.<br>- Vulnerabilities are tracked and remediated according to defined timelines. | - SAST scan reports<br>- Code review documentation<br>- Issue tracking records | NIST SP 800-53 (SA-11), OWASP ASVS |
| VM-03 | Infrastructure Vulnerability Management: assess vulnerability scanning and remediation for the underlying infrastructure (e.g., VMs, containers, orchestration platforms). | 1. Review vulnerability scan reports for the infrastructure components.<br>2. Verify that infrastructure components are hardened according to best practices (e.g., CIS Benchmarks).<br>3. Check that remediation is documented and verified by follow-up scans. | - Infrastructure vulnerability scans are performed regularly.<br>- No critical vulnerabilities remain unresolved.<br>- Hardening guidelines are followed and deviations are approved. | - Infrastructure vulnerability scan reports<br>- Hardening documentation<br>- Remediation records | NIST SP 800-53 (CM-7), CIS Benchmarks |
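The VM-01 checks (a maintained remediation log and patching within defined SLAs) are easy to verify mechanically. The following is an added example, not part of the checklist: it parses a constructed CSV remediation log and reports findings that are open past their SLA, plus any that were fixed late. The SLA values, the log format, the audit date and the `CVE-0000-000x` identifiers are assumptions for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Remediation SLA per severity, in days. Assumed values for this example;
# the checklist leaves the actual SLAs to the organisation's policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed remediation log; the CVE ids are placeholders, not real findings.
REMEDIATION_LOG = """\
package,version,vuln_id,severity,first_seen,fixed_on
libfoo,1.2.3,CVE-0000-0001,critical,2024-05-20,
libbar,4.0.1,CVE-0000-0002,high,2024-04-15,2024-05-20
libbaz,0.9.0,CVE-0000-0003,high,2024-04-20,
libqux,2.2.0,CVE-0000-0004,medium,2024-04-01,
"""

# Constructed audit date used when running the example.
AUDIT_DATE = date(2024, 6, 1)


def parse_log(text):
    """Parse the CSV remediation log, converting date columns to date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = date.fromisoformat(row["first_seen"])
        row["fixed_on"] = date.fromisoformat(row["fixed_on"]) if row["fixed_on"] else None
        rows.append(row)
    return rows


def deadline(row):
    """SLA deadline for a finding: first seen plus the days allowed for its severity."""
    return row["first_seen"] + timedelta(days=SLA_DAYS[row["severity"].lower()])


def overdue(rows, today):
    """Still-open findings past their deadline, as (vuln_id, days overdue)."""
    return [(r["vuln_id"], (today - deadline(r)).days)
            for r in rows if r["fixed_on"] is None and today > deadline(r)]


def sla_violations(rows, today):
    """Every finding, open or fixed, that was not (or has not yet been) closed within SLA."""
    return [r["vuln_id"] for r in rows
            if (r["fixed_on"] if r["fixed_on"] is not None else today) > deadline(r)]


if __name__ == "__main__":
    rows = parse_log(REMEDIATION_LOG)
    for vuln, days in overdue(rows, AUDIT_DATE):
        print(f"OVERDUE {vuln}: {days} days past SLA")
    print("SLA violations:", sla_violations(rows, AUDIT_DATE))
```

The `overdue` list is what an auditor would escalate; `sla_violations` also surfaces items that were eventually patched late, which the SLA check in VM-01 step 3 would otherwise miss if only open items were reviewed.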