All licensees must have in place vulnerability and patch management processes, including remediation processes to ensure that the vulnerabilities identified are addressed. Security patches must be applied where relevant within a timeframe that is commensurate with the risks posed by each vulnerability. The licensees must ensure that their systems are subject to Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST).