When a potential security vulnerability is discovered, we take the following steps:
- Triage the issue and write a story
- Estimate severity
- Assign resources
Whenever a potential security vulnerability is discovered by a team member, we triage the issue. This involves investigating the potential scope of the problem, what may have caused it, and whether or not it may have been exploited. With this information we create a story in Pivotal Tracker within the appropriate project. After the story is created, it may be assigned to the appropriate individual(s) for additional triage.
We are influenced by the OWASP Risk Rating Methodology.
We assign three levels of severity:
- Low. These issues have a very small impact and/or are difficult to exploit. They may not actually be security vulnerabilities at all. Additional security precautions, defense-in-depth measures, and improvements to security configuration are some examples of low severity issues.
- Medium. These issues have small impact and are not easily exploited.
- High. These issues must be fixed quickly. Often they will be treated as critical bugs.
In general, security issues are assigned resources similarly to how we assign resources for bugs.
In addition to resolving security issues as they are discovered, we also take several steps to increase our security.
- We regularly have third parties pentest our systems to search for potential security issues.
- We run Red/Blue games to raise awareness of security issues and provide opportunities for practice implementing security policies.
- We plan Security Epics to tackle larger changes to our architectures to improve security.
- We meet regularly to discuss how we can improve security.