Vulnerability Management Program

An outline of how PreviousNext manages and responds to vulnerabilities.

Asset Management

The following section outlines all the mechanisms PreviousNext has for discovering and managing assets that may be susceptible to vulnerabilities, e.g. infrastructure and applications.

Code Repository

All code related to PreviousNext and the Skpr hosting platform is managed through GitHub.

GitHub's code search functionality allows PreviousNext security experts to determine whether any of our projects contain vulnerable code.

Infrastructure as Code

All aspects of the Skpr hosting platform are managed using Terraform, a tool that enables operations teams to manage their infrastructure as code.

This gives the operations team complete visibility into which assets are provisioned as part of the Skpr hosting platform.

AWS Management Console / API

The Skpr hosting platform is deployed on the cloud service provider Amazon Web Services (AWS).

AWS provides development teams with both console and API access to determine what services are running, e.g. EC2, EKS and RDS.

Kubernetes API

All Skpr projects and environments are API objects and accessible via the Kubernetes API.

This allows the operations team to track which projects/environments are being hosted by the platform and what versions are currently running.

Container Registry

All environments hosted on the Skpr platform must be packaged and pushed to a Docker container registry before deployment.

The container registry provides the PreviousNext operations team with a manifest of all artefacts that can be (and possibly are) deployed onto the Skpr hosting platform.

Vulnerability Management

The following section outlines the options we have available to quickly understand whether our assets are vulnerable.

GitHub Code Scanning

GitHub provides developers and operators with code scanning utilities for determining which of our applications are vulnerable to a given exploit.

Base Container Image Scanning

Docker Hub provides the PreviousNext operations team with insights into any vulnerabilities present in our Skpr base images.

Amazon Inspector

The PreviousNext operations team is currently investigating Amazon Inspector for EC2 and ECR vulnerability scanning.

Dynamic Application Security Testing

The PreviousNext operations team is currently investigating the viability of scanning all Skpr project environments using a dynamic application security testing (DAST) tool, e.g. StackHawk.

Threat Risk & Severity

Checklist

The following questions are asked to determine the severity of a vulnerability:

  • Access complexity: how difficult is it for the attacker to leverage the vulnerability?
  • Authentication: what privilege level is required for an exploit to be successful?
  • Confidentiality impact: does this vulnerability cause non-public data to be accessible?
  • Integrity impact: can this exploit allow system data (or data handled by the system) to be compromised?
  • Zero-day impact: does a known exploit exist?
  • Target distribution: what percentage of users are affected?

Severity Levels

  • Critical - The vulnerability will be patched and the fix deployed immediately. Where a firewall rule that mitigates the vulnerability is available, it will be deployed first to demote the severity to High.
  • High - The vulnerability will be patched and the fix deployed during a determined maintenance window, e.g. that evening outside of peak traffic.
  • Low - The vulnerability will be tracked and patched as part of routine security patching.

Patch / Configuration Management

The following section outlines the patching and configuration management process that PreviousNext follows.

Routine Security Patching

Infrastructure is routinely patched during a maintenance window on the first Thursday of every month.

Base container images are rebuilt nightly to ensure that applications inherit the latest runtime security updates, e.g. the latest PHP version.

Applications are reviewed and patched every Thursday, corresponding with Drupal security release windows.

AWS Managed Services

AWS managed services either patch themselves automatically or manage their own patching and update workflows during a configured maintenance window.

The PreviousNext operations team has configured a weekly maintenance window for our managed services.

Examples of AWS managed services that require a maintenance window include RDS, ElastiCache and OpenSearch.

Emergency Patching and Release

PreviousNext will coordinate an emergency release with all impacted clients and provide a notice outlining:

  • The scope of the vulnerability
  • The steps that have been or will be taken to remediate the vulnerability
  • Whether any downtime will be required