graphgrc

OPS-02: Vulnerability Management

Objective

Identify and remediate security vulnerabilities before exploitation.

Description

Systems are regularly scanned for vulnerabilities. Critical vulnerabilities are patched within 30 days. Penetration testing is conducted annually. Vulnerability management process is documented.

Implementation Details

Vulnerability Scanning: AWS Inspector scans EC2 instances and containers for vulnerabilities. Dependency scanning in GitHub for application code.

Patching SLA: Critical vulnerabilities patched within 7 days. High within 30 days. Medium within 90 days.

Penetration Testing: Annual external penetration test by qualified third party. Findings remediated based on severity.

Bug Bounty: Public bug bounty program for security researchers. Valid findings remediated and researcher rewarded.

Examples

• AWS Inspector scans all production EC2 instances weekly
• Dependabot creates PRs for vulnerable npm packages, merged within 5 days
• 2024 annual penetration test found 2 medium findings, both remediated within 30 days
• Bug bounty program paid out 3 researchers in 2024 for valid security findings

Audit Evidence

• Vulnerability scan results
• Vulnerability remediation timeline
• Annual penetration test report
• Bug bounty program results

---

Framework Mapping

SOC 2

• CC7.1 ^[Vulnerability scanning detects processing errors and security issues enabling timely mitigation]

GDPR

• Article 32 ^[Regular vulnerability assessment and remediation ensure ongoing security appropriate to risk]

---

Referenced By

This section is automatically generated by make generate-backlinks. Do not edit manually.

Standards:

• GitHub Security Standard ^[Dependabot alerts, secret scanning, security advisories reviewed weekly]
• Vulnerability Management Standard ^[Automated scanning on every PR, CVSS-based severity SLAs (Critical: 7 days, High: 30 days)]

Processes:

• Vulnerability Management Process ^[7-step process: scanning, alerting, triage, risk assessment, remediation, verification, metrics]

Policies:

• Engineering Security Policy ^[Requires addressing Dependabot/Snyk alerts within SLA, keeping dependencies up to date]

This site is open source. Improve this page.