Vulnerability Management Program
An outline of how PreviousNext manages and responds to vulnerabilities.
The following section outlines all the mechanisms PreviousNext has for discovering and managing assets that may be susceptible to vulnerabilities, e.g. infrastructure and applications.
All code related to PreviousNext and the Skpr hosting platform is managed through GitHub.
GitHub code search allows PreviousNext security experts to query every repository at once, e.g. for the dependency version or code pattern named in a security advisory, to determine which of our projects are affected.
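The check described above, once the matching lockfiles have been collected (for example from a code search for `path:composer.lock`), comes down to comparing each project's locked dependency version against an advisory's affected range. The following is an added example and is not PreviousNext or Skpr code: the package `example/widget`, the affected range and the lockfile contents are all constructed for illustration, and the version parser covers Composer's `vX.Y.Z` and `-beta1` style tags while flagging branch aliases such as `dev-main` for manual review rather than guessing.

```python
"""Check collected composer.lock files against an advisory's affected version range.

Added example, not PreviousNext/Skpr code. The lockfiles and the advisory below
are constructed; in practice the lockfiles come from a code search across the
organisation's repositories.
"""
import json
import re

# Constructed sample: repository name -> composer.lock contents (reduced to the
# fields this script reads).
LOCKFILES = {
    "org/site-a": json.dumps({"packages": [{"name": "example/widget", "version": "2.3.1"}],
                              "packages-dev": []}),
    "org/site-b": json.dumps({"packages": [{"name": "example/widget", "version": "v2.3.4"}],
                              "packages-dev": []}),
    "org/site-c": json.dumps({"packages": [{"name": "other/lib", "version": "1.0.0"}],
                              "packages-dev": []}),
    "org/site-d": json.dumps({"packages": [],
                              "packages-dev": [{"name": "example/widget", "version": "dev-main"}]}),
}

# Hypothetical advisory: example/widget versions >=2.0.0 and <2.3.4 are affected.
ADVISORY_PACKAGE = "example/widget"
ADVISORY_AFFECTED = ">=2.0.0,<2.3.4"


def parse_version(v: str) -> tuple:
    """Normalise a Composer version ('v9.4.5', '9.4', '10.1.0-beta1') into a
    comparable tuple. Numeric parts are padded to four components so '9.4'
    equals '9.4.0.0'; a pre-release suffix sorts before the final release."""
    v = v.lstrip("vV")
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))
    pre = m.group(2)
    return nums + ((0, pre) if pre else (1, ""))


_OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
        "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
        "==": lambda a, b: a == b}


def in_range(version: str, constraint: str) -> bool:
    """True if `version` satisfies every comma-separated clause, e.g. '>=2.0.0,<2.3.4'."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = re.match(r"^(>=|<=|==|>|<)\s*(.+)$", clause.strip())
        if not m:
            raise ValueError(f"bad constraint clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def installed_version(lock_json: str, package: str):
    """Return the locked version of `package` from 'packages' or 'packages-dev', or None."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg["name"] == package:
                return pkg["version"]
    return None


def find_affected(lockfiles: dict, package: str, affected: str) -> dict:
    """Return {'affected': {repo: version}, 'review': {repo: version}}.
    'review' holds repositories whose locked version (e.g. 'dev-main') cannot be
    compared against the range and must be checked by hand."""
    result = {"affected": {}, "review": {}}
    for repo, lock_json in lockfiles.items():
        ver = installed_version(lock_json, package)
        if ver is None:
            continue
        try:
            if in_range(ver, affected):
                result["affected"][repo] = ver
        except ValueError:
            result["review"][repo] = ver
    return result


if __name__ == "__main__":
    print(json.dumps(find_affected(LOCKFILES, ADVISORY_PACKAGE, ADVISORY_AFFECTED), indent=2))
```

Note that `v2.3.4` in `org/site-b` is the fixed release and is correctly excluded, while the branch alias in `org/site-d` is surfaced for review instead of being silently treated as safe.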
Infrastructure as Code
All aspects of the Skpr hosting platform are managed using Terraform, a tool that enables operations teams to manage their infrastructure as code.
This provides the operations team complete visibility of which assets are provisioned as part of the Skpr hosting platform.
AWS Management Console / API
The Skpr hosting platform is deployed on the cloud service provider Amazon Web Services (AWS).
AWS provides development teams with both console and API access to determine which resources are running, e.g. EC2 instances, EKS clusters and RDS databases.
All Skpr projects and environments are API objects and accessible via the Kubernetes API.
This allows the operations team to track which projects/environments are being hosted by the platform and what versions are currently running.
All environments hosted on the Skpr platform must be packaged and pushed to a Docker container registry before deployment.
The container registry provides the PreviousNext operations team with a manifest of all artefacts that can be (and possibly are) deployed onto the Skpr hosting platform.
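The Kubernetes API and the container registry together answer the question that matters during triage: which registry artefacts are actually running, and in which environments. The following is an added example and is not PreviousNext or Skpr code. It assumes a pod list in the shape returned by `kubectl get pods --all-namespaces -o json` and a registry artefact list mapping `repository:tag` to its digest; both are constructed inline. It reconciles by digest rather than by tag, because a mutable tag that is rebuilt (as the nightly base image rebuilds do) can still be running as an older digest on some environment.

```python
"""Reconcile registry artefacts with the container images running on a cluster.

Added example, not PreviousNext/Skpr code. POD_LIST_JSON and REGISTRY_ARTEFACTS
are constructed stand-ins for `kubectl get pods -A -o json` output and a
registry listing.
"""
import json
from collections import defaultdict

# Constructed pod list, reduced to the fields this script reads.
# status.containerStatuses[].imageID carries the digest the node actually pulled.
POD_LIST_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "project-a-prod", "name": "web-1"},
     "spec": {"containers": [{"name": "php", "image": "registry.example/skpr/php:8.1"}]},
     "status": {"containerStatuses": [{"name": "php",
                "imageID": "registry.example/skpr/php@sha256:aaa111"}]}},
    {"metadata": {"namespace": "project-a-dev", "name": "web-1"},
     "spec": {"containers": [{"name": "php", "image": "registry.example/skpr/php:8.1"}]},
     "status": {"containerStatuses": [{"name": "php",
                "imageID": "docker-pullable://registry.example/skpr/php@sha256:bbb222"}]}},
    {"metadata": {"namespace": "project-b-prod", "name": "web-1"},
     "spec": {"containers": [{"name": "php", "image": "registry.example/skpr/php:8.0"}]},
     "status": {"containerStatuses": [{"name": "php",
                "imageID": "registry.example/skpr/php@sha256:ccc333"}]}},
]})

# Constructed registry listing: everything that could be deployed, tag -> current digest.
REGISTRY_ARTEFACTS = {
    "registry.example/skpr/php:8.1": "sha256:aaa111",  # rebuilt; older digest bbb222 still runs in dev
    "registry.example/skpr/php:8.0": "sha256:ccc333",
    "registry.example/skpr/php:7.4": "sha256:ddd444",  # present in the registry, runs nowhere
}


def _digest(image_id: str):
    """Extract the digest from an imageID. Kubelets report either
    'repo@sha256:...' or the older 'docker-pullable://repo@sha256:...' form."""
    return image_id.split("@", 1)[1] if "@" in image_id else None


def running_images(pod_list_json: str) -> dict:
    """Map each running digest to the set of (namespace, pod, container, image ref)."""
    running = defaultdict(set)
    for pod in json.loads(pod_list_json)["items"]:
        meta = pod["metadata"]
        refs = {c["name"]: c["image"] for c in pod["spec"]["containers"]}
        for st in pod.get("status", {}).get("containerStatuses", []):
            digest = _digest(st.get("imageID", ""))
            if digest is None:  # image not pulled yet; record it under its tag instead
                digest = "unresolved:" + refs.get(st["name"], "?")
            running[digest].add((meta["namespace"], meta["name"], st["name"], refs.get(st["name"], "?")))
    return dict(running)


def reconcile(pod_list_json: str, registry: dict) -> dict:
    """Return which registry artefacts are deployed (and where), which are unused,
    and which running digests match no current registry tag: stale pulls of a
    mutable tag that has since been rebuilt, or images from outside the registry."""
    running = running_images(pod_list_json)
    known = set(registry.values())
    deployed = {ref: sorted({ns for ns, *_ in running[d]})
                for ref, d in registry.items() if d in running}
    unused = sorted(ref for ref, d in registry.items() if d not in running)
    stale = {d: sorted({ns for ns, *_ in where}) for d, where in running.items() if d not in known}
    return {"deployed": deployed, "unused": unused, "stale": stale}


def affected_namespaces(pod_list_json: str, vulnerable_digests: set) -> list:
    """Environments running any scanner-flagged digest: the 'target distribution'
    input to severity triage."""
    running = running_images(pod_list_json)
    return sorted({ns for d in vulnerable_digests for ns, *_ in running.get(d, ())})


if __name__ == "__main__":
    print(json.dumps(reconcile(POD_LIST_JSON, REGISTRY_ARTEFACTS), indent=2))
    print(affected_namespaces(POD_LIST_JSON, {"sha256:aaa111", "sha256:bbb222"}))
```

In the constructed data the `php:8.1` tag has been rebuilt, so `project-a-prod` runs the current digest while `project-a-dev` still runs the previous one; a tag-based inventory would report both as identical, whereas the digest-based report lists the dev environment under `stale` so it can be redeployed.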
The following section outlines the options we have available to quickly understand whether our assets are vulnerable.
GitHub Code Scanning
GitHub provides developers and operators with code scanning utilities (static analysis run against each repository) for determining which of our applications contain vulnerable code.
Base Container Image Scanning
Docker Hub provides the PreviousNext operations team with insights into any vulnerabilities present in our Skpr base images.
The PreviousNext operations team is currently investigating Amazon Inspector for EC2 and ECR vulnerability scanning.
Dynamic Application Security Testing
The PreviousNext operations team is currently investigating the viability of scanning all Skpr project environments using a dynamic application security testing tool, e.g. Stackhawk.
Threat Risk & Severity
The following questions are asked to determine the severity of a vulnerability:
- Access complexity: how difficult is it for the attacker to leverage the vulnerability?
- Authentication: what privilege level is required for an exploit to be successful?
- Confidentiality impact: does this vulnerability cause non-public data to be accessible?
- Integrity impact: can this exploit allow system data (or data handled by the system) to be compromised?
- Zero-day impact: is a working exploit already known to exist, or is the vulnerability being exploited before a patch is available?
- Target distribution: what percentage of users are affected?
Based on the answers, the vulnerability is assigned one of the following severities, which determines how quickly it is patched:
- Critical - The vulnerability will be patched and deployed immediately. Where a firewall rule can block the exploit, it is deployed first as an interim mitigation, which demotes the vulnerability to High until the patch is released.
- High - The vulnerability will be patched and deployed during a scheduled maintenance window, e.g. that evening outside of peak traffic.
- Low - The vulnerability will be tracked and patched as part of routine security patching.
Patch / Configuration Management
The following section outlines the patching and configuration management process that PreviousNext deploys.
Routine Security Patching
Infrastructure is routinely patched during a maintenance window on the first Thursday of every month.
Base container images are rebuilt nightly to ensure that applications inherit the latest runtime security updates, e.g. the current PHP patch release.
Applications are reviewed and patched every Thursday, corresponding with Drupal security release windows.
AWS Managed Services
AWS managed services are patched by AWS, either automatically or during a maintenance window configured by the customer.
The PreviousNext operations team has configured a weekly maintenance window for our managed services.
Examples of AWS managed services that require a maintenance window include RDS, ElastiCache and OpenSearch.
Emergency Patching and Release
PreviousNext will coordinate an emergency release with all impacted clients and provide a notice outlining:
- The scope of the vulnerability
- Steps that have/will be taken to remediate the vulnerability
- If there will be any required downtime