Process tasks
What are process tasks?
Process tasks cover activities for securing the SDLC regardless of the technologies, frameworks, or languages used for development. These activities guide the teams responsible for day-to-day security operations. Process tasks appear in the Activities phase of SD Elements.
- See Phases for more information.
- See Automations for more information.
Why are process tasks automated?
Some process tasks are automated to help ensure compliance with securing the software development lifecycle.
The following process tasks are automatically marked as complete or incomplete based on the two scenarios described below.
- T1368: Perform security testing using SAST tools
- T1369: Perform security testing using DAST tools
- T1893: Perform a cloud solution security posture assessment
- T1915: Perform network vulnerability assessment
- T1921: Avoid obtaining code (source or mobile) from untrusted sources such as public Internet
Scenario 1
When you run the following verification tools, certain process tasks automatically transition to 'Complete' based on the type of scan run, and only if there are no high or critical findings:
- Microfocus Fortify and WebInspect
- HCL AppScan Standard and Source
- SonarQube
- OWASP Dependency Check
- OWASP Dependency Track
- Checkmarx
- Coverity
- Threadfix
- Veracode (File Upload)
- Nessus
- Mend (formerly WhiteSource)
- Klocwork
- Black Duck
- Fortify on Demand
A process task is automatically transitioned to 'Complete' only if its corresponding verification scan has run with zero high and zero critical findings. If a process task remains 'Incomplete' after a scan has been run, you may need to triage the scan's findings.
Scenario 2
Process tasks that have previously been marked as 'Complete' reopen if a SAST scan has not been run and its results imported into SD Elements within a predefined time threshold:
- For Task 1921, its status automatically transitions to 'Incomplete' when more than 90 days have passed since you ran an SCA scan.
- For Task 1915, its status automatically transitions to 'Incomplete' when more than 90 days have passed since you ran an Infrastructure scan.
- For Task 1369, its status automatically transitions to 'Incomplete' when more than 90 days have passed since you ran a DAST scan.
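The two scenarios above can be modelled as one status rule per task, which is useful for checking why a task sits at 'Incomplete' after an import. This is an added example, not SD Elements code; the task-to-scan-type mapping for T1369, T1915 and T1921 follows Scenario 2, the T1368 to SAST mapping is assumed from the task title, and the scan records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Task -> scan type. T1369, T1915 and T1921 follow the page's Scenario 2;
# T1368 -> SAST is inferred from the task title (assumption, not from the page).
TASK_SCAN_TYPE = {
    "T1368": "SAST",
    "T1369": "DAST",
    "T1915": "Infrastructure",
    "T1921": "SCA",
}
REOPEN_AFTER = timedelta(days=90)  # preset threshold stated on the page

@dataclass
class ScanResult:
    scan_type: str
    ran_at: datetime
    high: int
    critical: int

def task_status(task_id, scans, now):
    """Return 'Complete' or 'Incomplete' for one process task.

    Scenario 1: Complete only if the newest scan of the mapped type has zero
    high and zero critical findings.
    Scenario 2: Incomplete once more than 90 days have passed since that scan.
    """
    scan_type = TASK_SCAN_TYPE[task_id]
    relevant = [s for s in scans if s.scan_type == scan_type]
    if not relevant:
        return "Incomplete"  # no scan of this type has been imported
    latest = max(relevant, key=lambda s: s.ran_at)
    if now - latest.ran_at > REOPEN_AFTER:
        return "Incomplete"  # Scenario 2: stale scan reopens the task
    if latest.high or latest.critical:
        return "Incomplete"  # Scenario 1: findings still need triage
    return "Complete"

def evaluate_all(scans, now):
    return {task: task_status(task, scans, now) for task in TASK_SCAN_TYPE}

# Constructed sample import, not real scan data.
NOW = datetime(2024, 6, 1)
SAMPLE_SCANS = [
    ScanResult("SAST", NOW - timedelta(days=3), high=0, critical=0),
    ScanResult("DAST", NOW - timedelta(days=10), high=2, critical=0),
    ScanResult("SCA", NOW - timedelta(days=120), high=0, critical=0),
]
```

With the sample data, only T1368 is 'Complete': T1369 has high findings to triage, T1915 has no Infrastructure scan at all, and T1921's SCA scan is older than 90 days.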
Time thresholds
In either scenario, the Beta version of Automations only supports preset automation criteria and frequency thresholds. For questions or inquiries about modifying these thresholds, please contact your Customer Success representative.