Vulnerability Management
An unfortunate reality of developing, providing, and running software is that security vulnerabilities will exist. For this reason, we have established a vulnerability management program that strives to identify vulnerabilities in our applications and infrastructure early and often.
Detection
We aim to detect vulnerabilities through many means which include internal testing, external testing, and automated scanning. The security team oversees the configuration and enforcement of these detection capabilities. Some of the solutions implemented to ensure broad coverage are:
- Host scans - We use the Vulnerability Management, Detection, and Response (VMDR) platform from Qualys and Prisma Cloud Compute to scan all hosts in our network for vulnerabilities and for compliance with our secure configuration baselines, which are based on the Center for Internet Security (CIS) Level 1 benchmarks.
- Database scans - In most cases, we use fully managed database services from our infrastructure provider, AWS. Where we do not, and where we use the managed relational database service (RDS), we use Qualys to scan our databases for vulnerabilities and for compliance with our secure configuration baselines.
- Web Application & External Scans - To scan our internet-facing web applications and APIs, we leverage the Web Application Scanner (WAS) from Qualys. The WAS service performs deep dynamic scans of our applications and APIs to detect vulnerabilities and misconfigurations. Using test organizations, we perform fully authenticated scans of all functionality offered by our services.
- Penetration Testing - We employ independent external penetration testers to perform targeted testing of our infrastructure and applications at least annually (and typically as a part of our FedRAMP assessment).
- Bug Bounty Program - We run a bug bounty program through Bugcrowd for continuous penetration testing of our systems. Read more about the program on our bug bounty page.
Further, we have a variety of tools that aid in vulnerability detection but are primarily implemented to stop vulnerabilities from being introduced in the first place. Read about them below.
Prevention
As described in the secure development document, we implement a number of security checks into the development process in order to prevent vulnerabilities from being introduced to our systems and software. Some of the tooling we use to implement these checks are:
- Software composition analysis - We use Prisma Cloud Compute (formerly Twistlock) in our CI/CD pipelines to identify vulnerabilities in open-source or third-party software packages used in our applications. The scanner checks all dependencies against a vulnerability database and blocks the build if any vulnerability exists that has not been addressed within our resolution timelines (listed below).
- Static code analysis - We use SonarCloud in our CI/CD pipelines to perform static code analysis, which flags code vulnerabilities and security hotspots in addition to code quality checks. Quality gates have been established that require all security hotspots to be reviewed and an 'A' security rating before a build is allowed to succeed.
- Container image scanning - Many of our applications are deployed in containers. We use Prisma Cloud Compute in our CI/CD pipelines to scan container images for vulnerabilities in the operating system packages installed on the images. Builds will not succeed if any vulnerability with an available fix is detected.
By integrating all of these tools into our CI/CD pipelines, we significantly reduce the likelihood of a service being deployed with new vulnerabilities present.
Resolution
Resolution of identified vulnerabilities is integrated with our software development processes. Vulnerabilities introduced during development are expected to be resolved before the code is merged. Where a vulnerability cannot be resolved immediately (e.g., a recently disclosed vulnerability in an open source dependency with no fixed version yet), a remediation task is created and assigned to the appropriate development team, with a due date set in accordance with our resolution timelines. Vulnerabilities identified through the detection methods described above are prioritized by severity level, where severity is derived from the CVSS v3 score. Tickets are generated for the appropriate team with due dates set in accordance with our resolution timelines.
We make our best effort to resolve vulnerabilities based on severity within the following resolution times from identification:
Severity | Resolution Time |
---|---|
High | 30 days |
Moderate | 90 days |
Low | 180 days |
The information security team provides oversight of the vulnerability remediation process by coordinating with our product and engineering managers to ensure remediation tasks are prioritized appropriately against our product road map.
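As an added illustration (not code from this page or from the program it describes), the following Python models the build gate that the Prevention section describes: each scanner finding carries a CVSS v3 score and the date it was first identified, is bucketed into the three severity tiers above, and is given a deadline from the table; the build is blocked only when an open finding is past its deadline, while findings still inside their window are reported so a ticket can be raised. The Finding fields, the constructed sample findings, and the choice to treat CVSS 9.0 and above (Critical) as High are assumptions for the example; real Qualys or Prisma Cloud Compute exports use their own schemas.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Resolution timelines from the table above, in days from identification.
RESOLUTION_DAYS = {"High": 30, "Moderate": 90, "Low": 180}


def severity_from_cvss(score: float) -> str:
    """Map a CVSS v3.x base score to the three severity tiers used on this page.

    CVSS v3 qualitative ratings: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9,
    Critical 9.0-10.0. Assumption for this example: Critical is folded into
    High, because the page defines only three tiers.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS v3 base score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Moderate"
    return "Low"


@dataclass(frozen=True)
class Finding:
    """One scanner finding. Field names are assumptions for this example."""
    finding_id: str      # scanner or advisory identifier
    package: str         # affected dependency or OS package
    cvss: float          # CVSS v3 base score reported by the scanner
    first_seen: date     # date the finding was first identified
    fixed: bool = False  # True once the remediation has shipped


def due_date(finding: Finding) -> date:
    """Remediation deadline: first identification plus the tier's timeline."""
    tier = severity_from_cvss(finding.cvss)
    return finding.first_seen + timedelta(days=RESOLUTION_DAYS[tier])


def overdue(findings, today: date) -> list:
    """Open findings whose deadline has already passed, highest CVSS first."""
    late = [f for f in findings if not f.fixed and today > due_date(f)]
    return sorted(late, key=lambda f: (-f.cvss, due_date(f)))


def gate(findings, today: date) -> dict:
    """Decide whether the build may proceed.

    Open findings still inside their window are listed under "tracked" (a
    ticket should exist for them) but do not block; any finding past its
    deadline blocks the build.
    """
    late = overdue(findings, today)
    tracked = [f for f in findings if not f.fixed and f not in late]
    return {
        "block": bool(late),
        "overdue": [f.finding_id for f in late],
        "tracked": [f.finding_id for f in tracked],
    }


def sample_findings() -> list:
    """Constructed sample scanner output for the demo; not real advisories."""
    return [
        Finding("F-1", "libexample", 9.8, date(2024, 1, 1)),         # High, due 2024-01-31
        Finding("F-2", "examplepkg", 5.3, date(2024, 1, 1)),         # Moderate, due 2024-03-31
        Finding("F-3", "other-lib", 3.1, date(2023, 6, 1)),          # Low, due 2023-11-28
        Finding("F-4", "patched-lib", 8.1, date(2024, 1, 1), True),  # already fixed, ignored
    ]


def demo(today_iso: str = "2024-03-01") -> dict:
    """Run the gate over the constructed sample as of the given ISO date."""
    return gate(sample_findings(), date.fromisoformat(today_iso))


if __name__ == "__main__":
    today = date(2024, 3, 1)
    for f in overdue(sample_findings(), today):
        print(f"OVERDUE {f.finding_id} {f.package} cvss={f.cvss} due={due_date(f)}")
    result = demo(today.isoformat())
    print("build blocked" if result["block"] else "build ok", result)
```

In a pipeline, the findings list would be parsed from the scanner's export and `gate(...)["block"]` would decide the job's exit status; the "tracked" list is what feeds the ticketing step described in the Resolution section, so that a dependency disclosed yesterday does not fail every build but does acquire a due date.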