Security approval process

If a developer changes a vulnerability status to Not a problem, consider using this process for security approval:

[Figure: SecEvalFlow.png]
  1. The developer sets the status of a vulnerability to Not a problem and selects a reason for the status: False Positive, Missing Security Control, or Other.

  2. The Security staff starts the evaluation process.

  3. After evaluating the vulnerability, the Security staff acts on the developer's feedback. For example, they could open a support ticket, add a security control in Contrast, approve the status as is, approve the stated reason, or confirm that the issue still needs to be addressed.

  4. If a security control is missing, or a compensating control mitigates the issue, Security might mark the issue as remediated because the remaining risk is considered low.

  5. If necessary, the developer resolves the root cause of the issue in the code.