Third-Party Product Components
Overview coming soon.
This objective, and the other similar "Approach For" objectives, simply state what has to be in your Agreed Ways Of Working for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.
This objective, and the other similar "include" objectives, simply state what has to be in your Product Inventory for the Product Delivery Organisation. You may want to include more, but you cannot be missing any of these and still run a secure Product Delivery Organisation.
When a critical vulnerability becomes known in a Third-Party Product Component that a Product Team is using, there is very little time to respond and upgrade the Third-Party Product Component before the Product is compromised. Typically, the first broadly scanning exploits for the vulnerability are detected across the internet within 24 hours, so fixing the issue the same day it is reported or, at most, within the first 48 hours is essential.
High-profile customer data breaches have shown repeatedly that if a central team is tasked with knowing of these vulnerabilities and ensuring the Product Teams fix them, the response is too slow and the Product Delivery Organisation ends up with a serious security incident and a potentially large financial penalty. Product Teams know which Third-Party Product Components they are using and at what versions, so they are best placed to learn of and respond to critical vulnerabilities. The Product Lead is accountable for this happening.
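As an added illustration (not part of the original page), the following Python script shows the mechanism the objective relies on: a Product Inventory that records each Product's Third-Party Product Components and versions, matched against an advisory's affected version range, so that the Products and Product Leads who must act can be listed immediately along with the 24-hour target and 48-hour deadline counted from the advisory's publication time. The inventory, the component names and versions, the advisory identifier and the e-mail addresses are all constructed for the example.

```python
"""Match a Product Inventory against a component advisory and derive response deadlines."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample Product Inventory: each Product lists the Third-Party
# Product Components it uses, their versions, and the accountable Product Lead.
INVENTORY = {
    "checkout": {"lead": "alice@example.test",
                 "components": {"libjson": "2.4.1", "webfw": "5.0.3"}},
    "search":   {"lead": "bob@example.test",
                 "components": {"libjson": "2.6.0"}},
    "reports":  {"lead": "carol@example.test",
                 "components": {"webfw": "4.9.0"}},
}

# Constructed sample advisory (hypothetical component and versions): every
# libjson release from 2.0.0 up to, but not including, 2.5.0 is affected.
ADVISORY = {
    "id": "EXAMPLE-ADVISORY-0001",   # placeholder identifier, not a real CVE
    "component": "libjson",
    "affected_from": "2.0.0",
    "fixed_in": "2.5.0",
    "published": datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc),
}

RESPONSE_TARGET = timedelta(hours=24)   # fix the same day it is reported
HARD_DEADLINE = timedelta(hours=48)     # at most 48 hours, per the objective


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted numeric version such as '2.4.1' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str, affected_from: str, fixed_in: str) -> bool:
    """True when affected_from <= version < fixed_in (fixed_in itself is safe)."""
    v = parse_version(version)
    return parse_version(affected_from) <= v < parse_version(fixed_in)


@dataclass
class Action:
    """One required upgrade, owned by the Product Lead of the affected Product."""
    product: str
    lead: str
    component: str
    current: str
    upgrade_to: str
    target: datetime
    deadline: datetime

    def status(self, now: datetime) -> str:
        """Where the response stands relative to the 24h target and 48h deadline."""
        if now <= self.target:
            return "on-track"
        if now <= self.deadline:
            return "late"
        return "overdue"


def triage(inventory: dict, advisory: dict) -> list[Action]:
    """Return one Action per Product that runs an affected version of the component."""
    actions = []
    for product, info in inventory.items():
        current = info["components"].get(advisory["component"])
        if current is None:
            continue  # Product does not use this component at all
        if not is_affected(current, advisory["affected_from"], advisory["fixed_in"]):
            continue  # already on a fixed (or pre-affected) version
        actions.append(Action(
            product=product, lead=info["lead"],
            component=advisory["component"], current=current,
            upgrade_to=advisory["fixed_in"],
            target=advisory["published"] + RESPONSE_TARGET,
            deadline=advisory["published"] + HARD_DEADLINE,
        ))
    return actions


if __name__ == "__main__":
    now = datetime(2024, 1, 11, 12, 0, tzinfo=timezone.utc)
    for a in triage(INVENTORY, ADVISORY):
        print(f"{ADVISORY['id']}: {a.product} ({a.lead}) must upgrade "
              f"{a.component} {a.current} -> {a.upgrade_to} "
              f"by {a.deadline.isoformat()} [{a.status(now)}]")
```

Run as-is, the script flags only the "checkout" Product: "search" already runs a fixed version and "reports" does not use the component. The version comparison is deliberately simple (dotted integers only); a real inventory would need the versioning scheme of each ecosystem it tracks.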