Dependency Security Policy

Acceleration

Phase: code

CFR

Quick Reference

Phase

code

Epic

Secure Code & Advanced Review

Milestone

Acceleration

Target

CRITICAL CVEs fixed within 48hrs

Implementation Time

Part of Secure Code & Advanced Review epic: 4 weeks (30 hours per capability avg)

What & Why

Definition

>= 95% of dependency updates auto-approved if CVE-free and passing tests, CRITICAL CVEs fixed within 48hrs.

Business Value

Detects security vulnerabilities 10x earlier (development vs production) and reduces critical security findings by 80% through shift-left security scanning Achieving CRITICAL CVEs fixed within 48hrs is a key milestone toward this goal.

Context

This capability is part of the Acceleration milestone's focus on scale automation, embed compliance, improve speed & reliability. Essential for teams targeting CFR, LT improvements.

Success Criteria

Target

CRITICAL CVEs fixed within 48hrs

Measurement

CVE remediation time from detection to fix

Evidence

Dependabot config
CVE fix SLA metrics
Auto-merge logs

In Practice

Real-World Implementation

Dependabot creates PRs for security updates, auto-merges if tests pass and no CVEs. CRITICAL CVEs trigger PagerDuty alert with 48hr SLA.

Concrete Example

CVE-2024-12345 (CRITICAL) in express 4.18.0 detected Mon 9am. Dependabot PR created Mon 9:05am. Engineer reviews Mon 2pm, merges Mon 3pm (30hr fix time).

Implementation Guide

Prerequisites

Automated Security Scanning

100% builds scanned, HIGH+ blocks merge

Implementation Steps

Follow the measurement approach: CVE remediation time from detection to fix

For detailed step-by-step guidance, refer to the Secure Code & Advanced Review Implementation Kit.

Resources

Related Capabilities

Prerequisites

Implement these first

Automated Security Scanning

Complementary

Often adopted together, from the Secure Code & Advanced Review epic

Secure Coding Training Enforcement

Advanced SAST Integration

Secrets Rotation Enforcement

Supply Chain Verification

Troubleshooting & FAQs

Common Issues

Issue: Target metric not improving

Solution: Verify measurement is accurate, check if prerequisites are fully implemented, review evidence artifacts for completeness

Issue: Team resistance to adoption

Solution: Start with pilot team, demonstrate value with metrics, provide training and support during transition

Issue: Inconsistent implementation across teams

Solution: Create shared templates and guidelines, establish regular sync meetings, use automation to enforce standards

Frequently Asked Questions

Can we implement this before completing prerequisites?

While possible, it's not recommended. Prerequisites ensure foundational practices are in place, making this capability more effective and easier to adopt.

How long does implementation typically take?

Most capabilities can be implemented within 90 days when tackled as part of the Acceleration milestone. Individual timelines vary based on team size and existing practices.

What & Why

Definition

>= 95% of dependency updates auto-approved if CVE-free and passing tests, CRITICAL CVEs fixed within 48hrs.

Business Value

Context

This capability is part of the Acceleration milestone's focus on scale automation, embed compliance, improve speed & reliability. Essential for teams targeting CFR, LT improvements.

In Practice

Real-World Implementation

Dependabot creates PRs for security updates, auto-merges if tests pass and no CVEs. CRITICAL CVEs trigger PagerDuty alert with 48hr SLA.

Concrete Example

CVE-2024-12345 (CRITICAL) in express 4.18.0 detected Mon 9am. Dependabot PR created Mon 9:05am. Engineer reviews Mon 2pm, merges Mon 3pm (30hr fix time).

Troubleshooting & FAQs

Common Issues

Issue: Target metric not improving

Solution: Verify measurement is accurate, check if prerequisites are fully implemented, review evidence artifacts for completeness

Issue: Team resistance to adoption

Solution: Start with pilot team, demonstrate value with metrics, provide training and support during transition

Issue: Inconsistent implementation across teams

Solution: Create shared templates and guidelines, establish regular sync meetings, use automation to enforce standards

Frequently Asked Questions

Can we implement this before completing prerequisites?

While possible, it's not recommended. Prerequisites ensure foundational practices are in place, making this capability more effective and easier to adopt.

How long does implementation typically take?

Most capabilities can be implemented within 90 days when tackled as part of the Acceleration milestone. Individual timelines vary based on team size and existing practices.

Dependency Security Policy

Quick Reference

What & Why

Definition

Business Value

Context

Success Criteria

Target

Measurement

Evidence

In Practice

Real-World Implementation

Concrete Example

Implementation Guide

Prerequisites

Implementation Steps

Resources

Implementation Kit

Templates

Related Resources

Related Capabilities

Prerequisites

Complementary

Troubleshooting & FAQs

Common Issues

Issue: Target metric not improving

Issue: Team resistance to adoption

Issue: Inconsistent implementation across teams

Frequently Asked Questions

Can we implement this before completing prerequisites?

How long does implementation typically take?

Dependency Security Policy

Quick Reference

What & Why

Definition

Business Value

Context

Success Criteria

Target

Measurement

Evidence

In Practice

Real-World Implementation

Concrete Example

Implementation Guide

Prerequisites

Implementation Steps

Resources

Implementation Kit

Templates

Related Resources

Related Capabilities

Prerequisites

Complementary

Troubleshooting & FAQs

Common Issues

Issue: Target metric not improving

Issue: Team resistance to adoption

Issue: Inconsistent implementation across teams

Frequently Asked Questions

Can we implement this before completing prerequisites?

How long does implementation typically take?