OpenChain-Project/Security-Assurance-Specification

Security Assurance Reference Guide 2.0 DRAFT - Defining Security Testing


The current definition (2.11) is:

A process for the analysis of software (or other components) that allows for understanding their current and potential future management in the context of Known Vulnerabilities.

I assume that we're talking about security testing to eventually discover new vulnerabilities. If that is the case, the phrase could be:

A process for the analysis of software (or other components) that allows for understanding their current and potential future Newly Discovered Vulnerabilities.

Or maybe it means just the handling of Known Vulnerabilities and their possible future effects?

In the context of our specification, Known Vulnerabilities are "Security vulnerabilities previously discovered in Open Source Software components that are publicly available. That would include any publicly published vulnerabilities including but not limited to CVEs, GitHub/GitLab vulnerability alerts, package manager alerts and so forth." The language in question is intended to emphasize activities around addressing these vulnerabilities rather than the discovery of new vulnerabilities. That is regarded as a different activity.