Across
- 3. Existing vulnerabilities not yet remediated
- 6. Action taken to remediate a vulnerability
- 9. Tool that scans code and dependencies for vulnerabilities
- 10. Security scanning for infrastructure defined through code
- 11. Backlog burndown target of ninety days for external exposures
- 14. Ticket opened for exception requests such as risk acceptance, SLA extensions, or complex fixes needing review
- 16. Reducing risk through controls or changes without fully fixing the vulnerability
- 17. Publicly exposed repositories require stricter SLAs
- 18. What engineers do to categorize repositories and determine applicable SLAs and priorities
- 19. Non-public repositories allow more context-based prioritization
- 20. Team that supports, reviews, and helps guide risk decisions and exceptions
- 21. Finding that appears to be a vulnerability but is not actually exploitable
Down
- 1. Formal decision to accept a risk instead of fixing it
- 2. Teams responsible for addressing vulnerabilities as part of the development workflow
- 4. Where fixes and vulnerability findings appear in development workflow
- 5. Individual or team accountable for evaluating and accepting a specific risk
- 7. High severity SLA in days for external exposures
- 8. Record used to document and track accepted risks over time
- 12. Backlog burndown target of sixty days for external exposures
- 13. Medium severity SLA in days for external exposures
- 14. Defined timeframe to address new vulnerabilities
- 15. Backlog burndown target of thirty days for external exposures
- 20. Critical severity SLA in days for external exposures
- 22. Security testing performed directly on application source code