
Does your organisation have processes in place to triage and remediate identified vulnerabilities by inputting them into the relevant workflows?

Yes. XXXXX

We have procedures in place to manage vulnerabilities for different areas of the company.

For Product and related infrastructure, we use a range of services and methods to assist us in identifying potential vulnerabilities. These include:

  • Annual External Penetration Testing

  • AWS GuardDuty (Intelligent Threat Detection for AWS Estate)

  • AWS CloudWatch (Application and Infrastructure Monitoring)

  • Pingdom (Uptime and status)

  • Dependabot/NVM (library and package version/updates)

All of these sources provide intelligence for the team to triage each finding and understand its impact within the Commonplace environment. Where action is required, a ticket is raised within the Development Management process and managed through to deployment.

For Operations and other areas, vulnerabilities are reported by the person who discovers them and recorded in the Events, Incidents and Weaknesses Register. This register is managed by the InfoSec Working Group (ISWG), which ensures that an appropriate solution is put in place, the root cause(s) are identified and any further changes required are implemented.