Vulnerability Management Policy (A.12.6)
To prevent exploitation of technical vulnerabilities by ensuring:
- Information about technical vulnerabilities is obtained in a timely fashion.
- Breezy evaluates exposure to vulnerabilities.
- Appropriate measures are taken to address risks associated with vulnerabilities.
- Only approved personnel may install approved software.
This policy applies to Breezy HR:
- infrastructure resources within Amazon Web Services
- product application code and resources used for the purpose of supporting the following product offerings:
- ~Breezy ATS
Only approved users may install software on scoped systems. Installation of software is described in the Change Management Policy.
Breezy conducts weekly reverse reachability tests and annual third-party penetration tests against system-level vulnerabilities. These penetration tests produce reports of vulnerabilities, which are subsequently tracked to remediation in a timeline, depending on item scope and severity.
These penetration tests are in addition to, not a replacement for, other vulnerability monitoring strategies described below. Penetration tests provide an effective third-party evaluation of Breezy internal vulnerability management procedures. Breezy HR uses the results of penetration tests to improve these internal processes.
Operating system vulnerabilities refer to potential vulnerabilities in the Linux kernel, in the packages provided by a specific distribution of Linux, e.g. Ubuntu or RHEL, or in the configuration of the operating system or its attendant services.
As described in the System Hardening Guidelines, each server has the AWS Inspector agent installed. Inspector maintains an inventory of all currently running servers and any vulnerabilities their operating system packages may currently possess, per the NIST NVD, categorized by their Common Vulnerability Scoring System (CVSS) score into high / medium / low. Infrastructure staff use Inspector's vulnerability monitoring as one source of potential operating system vulnerabilities.
Infrastructure staff also monitor the security announcement mailing list for Breezy HR’s Linux distribution of choice, Ubuntu. Newly published operating system vulnerabilities, as well as instructions for their remediation, are published to these lists.
Once a potential operating system vulnerability is detected, operations staff evaluate the potential risks associated with the vulnerability. If the vulnerability is legitimately exploitable, a patch or temporary mitigation will be rolled out within one week, typically sooner. This process may result in an Information Security Incident being raised.
In addition to weekly internal and annual external penetration tests for system level vulnerabilities, developers evaluate changes made to application code as described in the Change Management Policy and Secure Engineering Principles for application-level vulnerabilities.
Vulnerabilities detected above a certain severity block the application build from continuing, forcing developers to address those vulnerabilities immediately.
As above, the impact of vulnerabilities is assessed by developers and may result in patches, dependency upgrades, or other temporary mitigation measures, in addition to potential emergency releases to resolve vulnerabilities. This process may result in an Information Security Incident being raised.
Infrastructure staff are responsible for the monitoring, evaluation, and treatment of system-level vulnerabilities. Developers are responsible for the monitoring, evaluation, and treatment of application-level vulnerabilities.