Vulnerability & Patch Management Process

The MangoApps security team has the following vulnerability & patch management process in place to ensure speedy resolution of high-severity vulnerability threats. This process is part of the overall MangoApps change management process.

  1. At MangoApps we maintain an up-to-date inventory of all our customer deployments (shared cloud, private cloud & on-premise), which includes OS version, application version, IP address and data center location.
  2. MangoApps keeps a list of all the security controls put in place, including firewalls, AV etc., as well as their configurations. This allows us to separate the vulnerabilities that affect our production systems from those that don’t, and therefore enables us to respond more effectively.
  3. Identifying vulnerabilities:
    • The MangoApps security team subscribes to multiple vulnerability alert lists (CVE – https://cve.mitre.org/, US-CERT – https://www.us-cert.gov etc.), vendor alerts etc., to get up-to-date information on the latest vulnerabilities.
    • As part of the change management process, the MangoApps SQA and security testing team performs vulnerability scanning & code security analysis (using tools like QualysGuard & Brakeman) to identify threats.
  4. Verifying vulnerabilities: This step includes ascertaining whether the identified vulnerabilities could actually be exploited on MangoApps servers & application. It also includes classifying the severity of each vulnerability and the level of risk it presents.
  5. Mitigating vulnerabilities: This is the step of figuring out how to prevent vulnerabilities from being exploited before a patch is available, or in the event that there is no patch. It can involve taking the affected part of the system off-line (if it’s non-critical), or various other work-arounds.
  6. Patching vulnerabilities: This is the step of getting the patch ready and deployed to all the affected areas in a timely way. This step is performed via our “hot fix” release deployment process. This step also includes patch testing.
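Steps 1 through 4 above amount to a triage: an incoming advisory is matched against the deployment inventory, and any compensating control already in front of an affected deployment determines whether the finding is blocked until the hot fix lands or needs a patch now. The following is an added example of that matching logic; it is not MangoApps code. The deployment names, version numbers, control names and advisory identifiers are all constructed for illustration, and the severity bands follow the common CVSS v3 qualitative scale.

```python
"""Advisory-to-inventory triage (added example, not MangoApps code).

Given a constructed deployment inventory (step 1), the compensating
controls recorded for each deployment (step 2) and constructed
vulnerability advisories (step 3), decide which deployments each
advisory actually reaches and rank the work by severity (step 4).
Every name, version and identifier below is hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Deployment:
    name: str
    kind: str              # "shared-cloud" | "private-cloud" | "on-premise"
    os_version: tuple      # e.g. (22, 4)
    app_version: tuple     # e.g. (14, 2, 1)
    datacenter: str
    controls: frozenset    # compensating controls in front of this deployment


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # placeholder ids, not real CVE numbers
    component: str         # "os" or "app"
    affected_below: tuple  # versions strictly below this are vulnerable
    cvss: float
    mitigated_by: frozenset  # controls that block exploitation meanwhile


def is_affected(dep: Deployment, adv: Advisory) -> bool:
    """Tuple comparison gives correct ordering for dotted versions."""
    version = dep.os_version if adv.component == "os" else dep.app_version
    return version < adv.affected_below


def severity(cvss: float) -> str:
    """Qualitative band for a CVSS v3 base score."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def reaches_production(adv: Advisory, inventory) -> bool:
    """Step 2's purpose: does this advisory touch anything we run at all?"""
    return any(is_affected(dep, adv) for dep in inventory)


def triage(inventory, advisories):
    """One finding per (advisory, affected deployment), worst first.

    A deployment whose controls intersect the advisory's mitigating
    controls is 'mitigated-pending-patch' (step 5); otherwise a hot fix
    is needed immediately (step 6).
    """
    findings = []
    for adv in advisories:
        for dep in inventory:
            if not is_affected(dep, adv):
                continue
            blocked = bool(dep.controls & adv.mitigated_by)
            findings.append({
                "advisory": adv.advisory_id,
                "deployment": dep.name,
                "kind": dep.kind,
                "cvss": adv.cvss,
                "severity": severity(adv.cvss),
                "status": "mitigated-pending-patch" if blocked else "patch-required",
            })
    findings.sort(key=lambda f: (-f["cvss"], f["deployment"]))
    return findings


# Constructed sample inventory and advisories (hypothetical values).
INVENTORY = [
    Deployment("shared-cloud-us", "shared-cloud", (22, 4), (14, 1, 5),
               "us-east", frozenset({"waf", "sg-restricted"})),
    Deployment("private-acme", "private-cloud", (20, 4), (14, 1, 0),
               "eu-west", frozenset({"sg-restricted"})),
    Deployment("onprem-contoso", "on-premise", (20, 4), (13, 9, 0),
               "customer-site", frozenset()),
]

ADVISORIES = [
    Advisory("EXAMPLE-ADV-1", "app", (14, 2, 0), 9.1, frozenset({"waf"})),
    Advisory("EXAMPLE-ADV-2", "os", (22, 0), 5.3, frozenset()),
    Advisory("EXAMPLE-ADV-3", "app", (13, 0, 0), 7.5, frozenset()),
]

if __name__ == "__main__":
    for adv in ADVISORIES:
        if not reaches_production(adv, INVENTORY):
            print(f"{adv.advisory_id}: no affected deployments, closed")
    for f in triage(INVENTORY, ADVISORIES):
        print(f"{f['severity']:8} {f['advisory']} {f['deployment']:16} {f['status']}")
```

In this constructed data the critical advisory is blocked by the WAF on the shared cloud but needs an immediate hot fix on the private-cloud and on-premise deployments, while the third advisory never reaches production and can be closed without a patch cycle.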


Note: MangoApps shared cloud & private cloud deployments are on the AWS cloud and benefit from the AWS shared responsibility security model. Under this model:

  • AWS ensures security management and control of the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate. Emergency, non-routine, and other configuration changes to existing AWS infrastructure are authorized, logged, tested, approved, and documented in accordance with industry norms for similar systems. Updates to AWS’ infrastructure are done to minimize any impact on the customer and their use of the services. For more information, see the whitepaper Overview of Security Processes – http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
  • MangoApps ensures security management of its OS software, application software, configuration of the security group (firewall) that allows outside access to your instances etc., setting appropriate access control policies for your storage bucket and configuring encryption options for data at rest.