Common Remediation Owner Enumeration (My Faux Standard In Development)
So we’ve run into a small snag with our automation: automatically assigning remediation owners. It’s easy for our UNIX pilot. The same group fixes all the OS vulnerabilities. When we start adding Windows into the mix, it gets a little harder.
When a vulnerability is discovered for, let’s say, Adobe Reader, we have different assignment teams that remediate it depending on the device. We have a separate group of engineers for Windows Servers, Windows Workstations, and for our Citrix remote access applications. (Luckily, we’re not running Adobe Reader on our UNIX platforms.)
Tomorrow, I will start working on the logic to automatically determine remediation ownership and assign it correctly. It will be a complicated process mapping Application Owners to Applications, and Applications to Platforms to Devices. There will be multiple application owners per application CPE (Common Platform Enumeration), but one application owner per Application CPE per Device CPE.
Do any of you already have a solution for this?
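A sketch of the mapping described above, added here as an example and not part of the original post: owner rules are keyed on the (application CPE, device CPE) pair, so one application can have several owners but only one per device CPE. The team names, the sample CPE 2.2 URIs and the simplified prefix matching are assumptions made for illustration.

```python
def parse_cpe(uri):
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version:...) into components."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    return tuple(uri[5:].lower().rstrip(":").split(":"))


def cpe_matches(rule, target):
    """Simplified prefix match: each non-empty rule component must equal the target's."""
    return len(rule) <= len(target) and all(a in ("", b) for a, b in zip(rule, target))


class OwnerMap:
    """Remediation owners keyed on (application CPE, device CPE)."""

    def __init__(self):
        self.rules = {}  # (app components, device components) -> owner

    def add(self, app_cpe, device_cpe, owner):
        key = (parse_cpe(app_cpe), parse_cpe(device_cpe))
        # Many owners per application CPE, but only one per application/device pair.
        if self.rules.get(key, owner) != owner:
            raise ValueError(f"{app_cpe} on {device_cpe} already owned by {self.rules[key]}")
        self.rules[key] = owner

    def resolve(self, app_cpe, device_cpe):
        """Owner from the most specific matching rule, or None (route to manual triage)."""
        app, dev = parse_cpe(app_cpe), parse_cpe(device_cpe)
        hits = [(len(a) + len(d), who) for (a, d), who in self.rules.items()
                if cpe_matches(a, app) and cpe_matches(d, dev)]
        if not hits:
            return None
        top = max(score for score, _ in hits)
        owners = {who for score, who in hits if score == top}
        if len(owners) > 1:
            raise LookupError(f"ambiguous owners for {app_cpe} on {device_cpe}: {sorted(owners)}")
        return owners.pop()


# Constructed sample rules: team names and CPE values are illustrative only.
READER = "cpe:/a:adobe:acrobat_reader"
OWNERS = OwnerMap()
OWNERS.add(READER, "cpe:/o:microsoft:windows_server_2003", "windows-server-eng")
OWNERS.add(READER, "cpe:/o:microsoft:windows_xp", "windows-workstation-eng")
OWNERS.add(READER, "cpe:/a:citrix:presentation_server", "citrix-eng")

if __name__ == "__main__":
    print(OWNERS.resolve(READER + ":9.1", "cpe:/o:microsoft:windows_xp::sp3"))
```

Returning `None` for an unmatched pair keeps findings without a rule visible for manual assignment instead of silently defaulting to a team.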
Ed said,
Wrote on June 19, 2009 @ 09:21
You might be able to utilize CPE within SCAP in order to map your applications to platforms.
Additionally, how do you manage non-security changes to these servers now? Is there an existing change mgmt or ticketing system that ties owners or teams to these servers or platforms? If this is already in place, you might be able to use that to then link your CPE information to owners.