Vulnerability Management Program

An outline of how PreviousNext manages and responds to vulnerabilities.

Asset Management

The following section outlines all the mechanisms PreviousNext has for discovering and managing assets that may be susceptible to vulnerabilities, e.g. infrastructure and applications.

Code Repository

All code related to PreviousNext and the Skpr hosting platform is managed through GitHub.

GitHub provides code search functionality that allows PreviousNext security experts to determine if any of our projects are vulnerable.

Infrastructure as Code

All aspects of the Skpr hosting platform are managed using Terraform, a tool that enables operations teams to manage their infrastructure as code.

This provides the operations team complete visibility of which assets are provisioned as part of the Skpr hosting platform.

AWS Management Console / API

The Skpr hosting platform is deployed on the cloud service provider Amazon Web Services (AWS).

AWS provides development teams with both console and API access to determine which services are running, e.g. EC2, EKS, RDS, etc.

Kubernetes API

All Skpr projects and environments are API objects and accessible via the Kubernetes API.

This allows the operations team to track which projects/environments are being hosted by the platform and what versions are currently running.

Container Registry

All environments hosted on the Skpr platform must be packaged and pushed to a Docker container registry before deployment.

The container registry provides the PreviousNext operations team with a manifest of all artefacts that can be (and possibly are) deployed onto the Skpr hosting platform.

Vulnerability Management

The following section outlines the options we have available to quickly understand whether our assets are vulnerable.

GitHub Code Scanning

GitHub Security provides our platform team with insights into vulnerabilities present in our Skpr base images and platform components.

Trivy

We utilize Trivy to scan our platform resources, identifying known vulnerabilities in them so that our security posture stays current.

Dynamic Application Security Testing

The PreviousNext operations team is currently investigating the viability of scanning all Skpr project environments using a dynamic application security testing tool, e.g. OWASP ZAP.

Threat Risk & Severity

Checklist

The following questions are asked to determine the severity of a vulnerability:

  • Affected Components: Which systems are affected? (Production DB, control plane, internal wiki, marketing site?)
  • Impact (the "CIA" triad): Does this compromise Confidentiality, Integrity, or Availability?
  • Exploitability: How feasible is exploitation?
  • Score: The answers above are combined and mapped to the severity levels below.

Severity Levels

Critical

Remote, unauthenticated access that could lead to exposure of sensitive data or complete system compromise. Immediate customer impact is possible.

  • The vulnerability will be patched and deployed without delay.
  • If available, a firewall rule will be implemented to temporarily reduce exposure, effectively lowering the severity to High.

High

Serious risk where exploitation is feasible, potentially impacting system confidentiality, integrity, or availability.

  • The vulnerability will be patched and deployed during a planned maintenance window, ideally outside peak traffic hours.

Medium

Moderate risk that may have limited impact on system security or operations.

  • The vulnerability will be tracked and addressed as part of routine security patching cycles.

Low

Minor issue that does not materially affect platform security, functionality, or performance.

  • The platform team will monitor the issue and remediate it when resources allow.

Patch / Configuration Management

The following section outlines the patching and configuration management process that PreviousNext follows.

Routine Security Patching

Infrastructure is routinely patched during a maintenance window on the first Thursday of every month.

Base container images are rebuilt nightly to ensure that applications inherit the latest runtime security updates, e.g. the latest PHP version.

Applications are reviewed and patched every Thursday, corresponding with Drupal security release windows.

AWS Managed Services

AWS Managed Services either patch themselves automatically or apply their own updates during a configured maintenance window.

The PreviousNext operations team has configured a weekly maintenance window for our managed services.

Examples of AWS managed services that require a maintenance window include RDS, ElastiCache and OpenSearch.

Emergency Patching and Release

PreviousNext will coordinate an emergency release with all impacted clients and provide a notice outlining:

  • The scope of the vulnerability
  • Steps that have been or will be taken to remediate the vulnerability
  • Whether any downtime will be required