Root Cause Analysis (RCA) is a process to ultimately identify the root problem of an issue so that we may prevent it from occurring again. You can learn more about RCAs here.
To do this the AppSec team and other stakeholders from Security & Product teams systematically work through a set of questions and discussion topics, as defined in our RCA Template.
It's important to learn from our past mistakes in order to prevent the same or similar ~"severity::1" issues from repeating in the future. The expectation is that we both identify and address the root problem and discover other similar attack vectors related to that root cause.
As soon as a ~"severity::1" security issue is identified, and at the latest once the issue has been mitigated, an RCA should be initiated by opening an issue using the RCA template in the appsec-rcas project.
The due date is automatically set to 30 days out.
A specific AppSec engineer must be assigned to the issue. This could be the engineer who has the most context, the engineer who was DRI for the security release, or an engineer who is interested in the vulnerability. That engineer is the DRI for the RCA. The DRI role is mainly administrative, with the responsibilities described below.
The DRI is responsible for reminding other AppSec engineers to contribute to the RCA (the weekly AppSec Sync is a good forum), and for ensuring any stakeholders from relevant Product Groups or Security Departments have been given an opportunity to contribute.
The DRI is responsible for creating issues for the corrective actions the team has identified and for assigning a DRI to each of those issues. Note that the DRI does not need to come up with all the ideas; this is mainly an administrative task.
The DRI for an RCA should aim to meet these timeframes:
The RCA is considered complete when the tasks in the RCA issue are marked as completed and the issue is closed. This means that the root cause of the vulnerability is well understood and we have a path forward to reduce the likelihood of a similar vulnerability happening again. For example, this can be a custom SAST rule, a new security enhancement addressing the vulnerability class holistically, secure coding training, a threat model, more secure application settings, etc.
Issues for corrective actions can be labeled with ~"corrective action", and an SLO will apply depending on the severity.
Completed RCAs can be found in the closed issues of the appsec-rcas project.
Open an MR to update this page, and update the RCA Template.