ResolutionCategories-VulnerabilityRemediationDelayReason.json
{
"namespace": "continuousimprovement-vulnerabilityremediationdelays",
"expanded": "Continuous Improvement Vulnerability Remediation Delay Resolution Categories",
"description": "The vulnerability remediation delay categories are standard resolution categories used to document why technical engineers are not able to install patches within the required time. More information can be found at: https://github.com/d3sre/IntelligentProcessLifecycle",
"version": 1,
"predicates": [
{
"value": "resource-problem",
"expanded": "Resource Problem",
"description": "Low staffing, too many projects, or conflicting priorities communicated to the team can leave too few engineers available to properly test and roll out the needed updates on time."
},
{
"value": "compatibility-problem",
"expanded": "Compatibility problem",
"description": "Business products or solutions can rely on fixed dependencies or tightly coupled setups that break when an update is installed. This can happen, for example, when a company relies on a product the vendor stopped supporting long ago, or when the people with the skills needed to maintain the product have left the company."
},
{
"value": "bad-SLA",
"expanded": "Bad SLA",
"description": "High service level agreement (SLA) KPIs for products, bad service design, bad service management monitoring, or a combination of these can lead to teams not being allowed to install patches on time. This can show up in change window planning, for example when a team receives a change window only once a month or less while being required to patch within 21 days or less."
},
{
"value": "support-problem",
"expanded": "Support problem",
"description": "The specific product version installed relies on a software component of another product (for example open source) that has been fixed in its original (upstream) version, but the vendor from whom you obtain your product version has not yet shipped that fix. Documenting the risks incurred due to bad vendor support should influence strategic choices about partnerships, even if they can’t be fixed short-term."
},
],
}