graphgrc

Vulnerability Management Standard

Requirements for identifying, assessing, and remediating security vulnerabilities.

Scope

All systems, applications, infrastructure, and dependencies.

Vulnerability Scanning

Scanning Requirements

• Application dependencies: Automated scanning on every PR (Dependabot, Snyk)
• Container images: Scan before deployment (ECR scan, Trivy)
• Infrastructure: Weekly scans of AWS resources (Prowler, AWS Inspector)
• Web applications: Quarterly authenticated scans (OWASP ZAP, Burp Suite)
• External attack surface: Monthly scans of public endpoints

Scan Coverage

• Production and staging environments
• Third-party dependencies (npm, pip, Go modules)
• Infrastructure-as-code (Terraform, CloudFormation)
• Docker base images

Severity Classification

Align with CVSS v3.1 scoring:

• Critical (9.0-10.0): Fix within 7 days
• High (7.0-8.9): Fix within 30 days
• Medium (4.0-6.9): Fix within 90 days
• Low (0.1-3.9): Fix opportunistically or accept risk

Exceptions

Production systems with public exposure escalate severity by one level (High → Critical).

Remediation Process

1. Automated alerts to engineering team via Slack/PagerDuty
2. Triage: Assess exploitability and business impact within 48 hours
3. Patch or mitigate: Update dependency, apply vendor patch, or implement compensating control
4. Verify fix: Re-scan to confirm remediation
5. Document exception if accepting risk (requires security team approval)

Patch Management

Operating System Patches

• macOS endpoints: Auto-update enabled, enforced by MDM
• AWS Linux instances: Automated patching with SSM Patch Manager
• Critical security patches applied within 7 days of release

Application Dependencies

• Automated dependency updates via Dependabot/Renovate
• Review and merge within SLA based on severity
• Pin direct dependencies, update transitive dependencies regularly

Third-Party Software

• Vendor-managed SaaS: Rely on vendor patching (verify in security assessment)
• Self-hosted software: Subscribe to security advisories, apply patches within SLA

References

• Related controls: OPS-02, END-03
• Related process: vulnerability-management-process.md
• CVSS v3.1 Calculator: https://www.first.org/cvss/calculator/3.1

Control Mapping

• OPS-02: Vulnerability Management ^[Automated scanning on every PR, CVSS-based severity SLAs (Critical: 7 days, High: 30 days)]
• END-03: Software Updates ^[macOS auto-updates via MDM, AWS patching with SSM Patch Manager, critical patches within 7 days]

---

Referenced By

This section is automatically generated by make generate-backlinks. Do not edit manually.

This site is open source. Improve this page.