
Feature 010

Feature ID: FEA010
Subsystem the feature is part of: Epic 01: Security Fixes
Responsible person: Suutarinen Eetu
Status: proposal

Description

Integrate with a vulnerability scanning tool to automatically detect and report known vulnerabilities.

US007
US010
US038

Preliminary user stories

US007: As a security officer, I want this automated scanner to correctly report vulnerabilities in line with their severity and offer mitigation strategies where possible, to help me prioritize and address these issues appropriately.

This user story focuses on implementing an advanced vulnerability scanning system that categorizes vulnerabilities based on severity and provides actionable mitigation strategies. The key outcome of this feature is to enable security officers to efficiently assess risks, prioritize critical vulnerabilities, and implement appropriate security measures. By having accurate reports and suggested remediation steps, security officers can proactively strengthen the security posture of the system.

US010: As a developer, I want to be notified of critical security vulnerabilities in our dependencies, so that I can quickly update them and minimize our risk.

This user story focuses on implementing a security vulnerability notification system that alerts developers about critical issues in their dependencies. The key outcome of this feature is to ensure rapid awareness and resolution of security risks, minimizing potential threats and maintaining software integrity. By receiving timely notifications, developers can take proactive steps to update dependencies and reduce exposure to known vulnerabilities.

US038: As a project manager, I want to see regular reports from the vulnerability scanning tool, providing visibility into our software security practices and ensuring that we're maintaining good cybersecurity hygiene.

This user story focuses on implementing a reporting system that provides project managers with consistent insights into the security status of software dependencies. The key outcome of this feature is to enhance visibility into security risks, track vulnerabilities over time, and ensure compliance with cybersecurity best practices. By receiving structured reports, project managers can monitor security trends and take proactive steps to mitigate risks.
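The severity-based triage with mitigation suggestions (US007), the critical-only developer notification (US010) and the periodic summary report (US038) described above, as an added Python example that is not part of the FEA010 specification or of any scanner's own code. The scanner-agnostic finding format, the CVSS-based severity bands and the sample findings are assumptions, and the advisory ids are placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Finding:
    """Constructed, scanner-agnostic finding (assumption: the integration layer
    maps the real scanner's output onto this shape)."""
    package: str                    # dependency name
    installed: str                  # version currently in use
    cvss: float                     # CVSS v3.x base score from the scanner
    advisory: str                   # advisory id as reported (placeholders below)
    fixed_in: Optional[str] = None  # first fixed version, if one exists

# Severity bands and their score floors, per the CVSS v3.x qualitative scale.
BANDS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.1), ("none", 0.0))

def severity(cvss: float) -> str:
    return next((name for name, floor in BANDS if cvss >= floor), "none")

def mitigation(f: Finding) -> str:
    # US007: a suggestion is only "possible" if a fixed release is known.
    if f.fixed_in:
        return f"upgrade {f.package} from {f.installed} to {f.fixed_in}"
    return f"no fixed release for {f.package}; isolate or replace the dependency"

def triage(findings: List[Finding]) -> List[Dict[str, str]]:
    # US007: most severe first, each tagged with its band and a mitigation step.
    return [{"package": f.package, "advisory": f.advisory,
             "severity": severity(f.cvss), "mitigation": mitigation(f)}
            for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def critical_notifications(findings: List[Finding]) -> List[str]:
    # US010: only critical dependency findings trigger a developer notification.
    return [f"{f.advisory}: {f.package} {f.installed} is critical; {mitigation(f)}"
            for f in findings if severity(f.cvss) == "critical"]

def summary_report(findings: List[Finding]) -> Dict[str, int]:
    # US038: count per band for the periodic report; every band is always listed.
    counts = {name: 0 for name, _ in BANDS}
    for f in findings:
        counts[severity(f.cvss)] += 1
    return counts

# Constructed sample scan result; advisory ids are placeholders, not real CVEs.
SAMPLE = [
    Finding("libfoo", "1.2.0", 9.8, "ADV-EXAMPLE-1", fixed_in="1.2.1"),
    Finding("libbar", "0.9.0", 5.3, "ADV-EXAMPLE-2", fixed_in="0.9.4"),
    Finding("libbaz", "2.0.0", 7.5, "ADV-EXAMPLE-3"),
]
```

Each function maps onto one acceptance criterion below: the triage order and mitigation text check US007, the notification list checks US010, and the per-band counts give the report content for US038.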

Test case ideas and acceptance criteria

US007

| Example test case | Acceptance criteria |
|---|---|
| Test if the scanner is able to recognize vulnerabilities | Scanner raises alerts for actual vulnerabilities |
| Test if the scanner categorizes vulnerabilities correctly | Assigned categories are appropriate for the vulnerabilities |
| Test if the scanner gives actual mitigation suggestions | Scanner gives suggestions and they are feasible |

US010

| Example test case | Acceptance criteria |
|---|---|
| Test if the system sends notifications | Developers receive the notifications |
| Test if the system is able to detect issues in dependencies | System detects the issues and sends the notification |

US038

| Example test case | Acceptance criteria |
|---|---|
| Test if all security reports are available | All reports can be accessed |
| Test if reports include all needed information | Reports include all required information |