Does your organisation have processes in place to triage and remediate identified vulnerabilities by inputting them into the relevant workflows?

Yes. XXXXX We have procedures in place to manage vulnerabilities for different areas of the company.

For Product and related infrastructure, we use a range of services and methods to assist us in identifying potential vulnerabilities. These include (but aren’t limited to):

  • Annual External Penetration Testing

  • AWS GuardDuty (Intelligent Threat Detection for AWS Estate)

  • AWS CloudWatch (Application and Infrastructure Monitoring)

  • Pingdom (Uptime and status)

  • Dependabot/NVM (library and package version/updates)

...

For Operations and other areas, vulnerabilities are reported by the discovering person, or discovered by our device management tools or the members of the team, and recorded in the Events, Incidents and Weaknesses Register. This is managed by the InfoSec Working Group (ISWG), which ensures that an appropriate solution is put in place, the root cause(s) are identified and any further changes are put in place.

...