Vulnerability Management Policy (A.12.6)

Objectives

To prevent exploitation of technical vulnerabilities by ensuring:

  • Information about technical vulnerabilities is obtained in a timely fashion.
  • Breezy evaluates exposure to vulnerabilities.
  • Appropriate measures are taken to address risks associated with vulnerabilities.
  • Only approved personnel may install approved software.

Scope

This policy applies to Breezy HR:

  • infrastructure resources within Amazon Web Services
  • product application code and resources used for the purpose of supporting the following product offerings:
      • Breezy ATS

Policy

Software Installation

Only approved users may install software on scoped systems. Installation of software is described in the Change Management Policy.

Penetration Testing

Breezy contracts weekly reachability tests and annual third-party penetration tests against system-level vulnerabilities. These penetration tests may produce reports of vulnerabilities, which are subsequently tracked to remediation on a timeline that depends on scope and severity.

These penetration tests are in addition to, not a replacement for, the other vulnerability monitoring strategies described below. Penetration tests provide an effective third-party evaluation of Breezy's internal vulnerability management procedures, and Breezy HR uses their results to improve these internal processes.

Operating System

Operating system vulnerabilities refer to potential vulnerabilities in the Linux kernel, in the packages provided by a specific distribution of Linux, e.g. Ubuntu or RHEL, or in the configuration of the operating system or its attendant services.

As described in the System Hardening Guidelines, each server has the AWS Inspector agent installed. Inspector maintains an inventory of all currently running servers and of any vulnerabilities in their operating system packages, per the NIST NVD, categorized into high / medium / low by their Common Vulnerability Scoring System (CVSS) score. Infrastructure staff use Inspector's vulnerability monitoring as one source of potential operating system vulnerabilities.

Infrastructure staff also monitor the security announcement mailing list for Breezy HR’s Linux distribution of choice, Ubuntu. Newly published operating system vulnerabilities, as well as instructions for their remediation, are published to this list.

Once a potential operating system vulnerability is detected, operations staff evaluate the potential risks associated with the vulnerability. If the vulnerability is legitimately exploitable, a patch or temporary mitigation will be rolled out within one week, typically sooner. This process may result in an Information Security Incident being raised.

Application

Source Code

In addition to weekly internal and annual external penetration tests for system-level vulnerabilities, developers evaluate changes made to application code for application-level vulnerabilities as described in the Change Management Policy and Secure Engineering Principles.

Dependencies

Prior to release, application dependencies are scanned for known vulnerabilities in the NIST NVD by looking up each dependency using its Common Platform Enumeration (CPE) identifier.

Vulnerabilities detected above a certain severity block the application build from continuing, forcing developers to address those vulnerabilities immediately.

As with operating system vulnerabilities, the impact of application dependency vulnerabilities is assessed by developers and may result in patches, dependency upgrades, or other temporary mitigation measures, in addition to potential emergency releases to resolve vulnerabilities. This process may result in an Information Security Incident being raised.
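As an added illustration of the dependency gate described above (example code written for this page, not Breezy's own tooling), the following Python matches an inventory of CPE 2.3 identifiers against NVD-style findings that carry version ranges, rates each match by its CVSS v3.x qualitative band, and reports whether the build should be blocked at a configured severity threshold. The vendor, product, version numbers and CVE ids are constructed placeholders.

```python
SEVERITY_ORDER = ["None", "Low", "Medium", "High", "Critical"]
CVSS_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]

def cvss_severity(score):
    """Qualitative rating for a CVSS v3.x base score (NVD bands)."""
    for floor, name in CVSS_BANDS:
        if score >= floor:
            return name
    return "None"

def parse_cpe(cpe):
    """Extract vendor, product and version from a CPE 2.3 formatted string (13 fields)."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return {"vendor": parts[3], "product": parts[4], "version": parts[5]}

def version_key(v):
    """Numeric tuple for version comparison; non-numeric segments count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def affected(dep, finding):
    """True when vendor/product match and the version is inside the finding's range
    (NVD versionStartIncluding / versionEndExcluding semantics)."""
    if (dep["vendor"], dep["product"]) != (finding["vendor"], finding["product"]):
        return False
    v = version_key(dep["version"])
    return version_key(finding["start_incl"]) <= v < version_key(finding["end_excl"])

def evaluate_build(cpes, findings, block_at="High"):
    """Return (blocked, matches); blocked is True if any match reaches block_at."""
    matches = []
    for cpe in cpes:
        dep = parse_cpe(cpe)
        for f in findings:
            if affected(dep, f):
                matches.append({"cpe": cpe, "cve": f["cve"], "score": f["score"],
                                "severity": cvss_severity(f["score"])})
    threshold = SEVERITY_ORDER.index(block_at)
    blocked = any(SEVERITY_ORDER.index(m["severity"]) >= threshold for m in matches)
    return blocked, matches

# Constructed sample inventory and findings; vendor, products and CVE ids are placeholders.
DEPENDENCIES = ["cpe:2.3:a:example_vendor:json_parser:2.3.1:*:*:*:*:*:*:*",
                "cpe:2.3:a:example_vendor:http_client:1.9.0:*:*:*:*:*:*:*"]
FINDINGS = [
    {"cve": "CVE-0000-0001", "vendor": "example_vendor", "product": "json_parser", "start_incl": "2.0.0", "end_excl": "2.4.0", "score": 7.5},
    {"cve": "CVE-0000-0002", "vendor": "example_vendor", "product": "http_client", "start_incl": "1.0.0", "end_excl": "1.9.0", "score": 9.8},
]
```

In the sample data the http_client finding is fixed in 1.9.0, so only the json_parser match remains and, at a "High" threshold, it blocks the build.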

Responsibilities

Infrastructure staff are responsible for the monitoring, evaluation, and treatment of system-level vulnerabilities. Developers are responsible for the monitoring, evaluation, and treatment of application-level vulnerabilities.