ProdSec Process
Report standard for ProdSec Jira, like we have in OffSec Jira.
We raise the findings in the format below:
- Description
- Steps to reproduce
- Remediation
- Attachment (for proof)
Process Flow
- The developer initiates the scan request in the service desk.
- The ProdSec team will go through the shared documents and links.
- The ProdSec team will have a meeting with the developer team for a better understanding of the scope, and will also ask for the necessary credentials and dummy data for testing.
- The ProdSec team will validate those prerequisites for testing.
- The ProdSec team will discuss internally, come up with a timeline (based on the complexity) and share it with the development team.
- If any Critical issues are identified during the assessment, the ProdSec team will reach out to the developer right away.
- Once the findings are recorded, ProdSec will discuss the issues with the developer. The risk for each finding is calculated and then recorded in JIRA.
- The issues in JIRA will be assigned to developers, and from there ProdSec will track the issues.
- Once an issue is resolved by the developer, they will inform ProdSec about the fix.
- ProdSec will validate the patch; if it is fine, the JIRA ticket will be closed, or else it will be updated with the observation.
Risk Calculator:
We were using the same one that you mentioned:
https://risk-rating.vm.sec.tvlk.tech/?v=34993548650975598
SLA:
Based on the release data and application complexity, we define the SLA for testing.