Discovery of a security issue

When a potential security vulnerability is discovered, we take the following steps:

  1. Triage the issue and write a story
  2. Estimate severity
  3. Assign resources

Triage the issue and write a story

Whenever a potential security vulnerability is discovered by a team member, we triage the issue. This involves investigating the potential scope of the problem, what may have caused it, and whether or not it may have been exploited. With this information we create a story in Pivotal Tracker within the appropriate project. After the story is created, it may be assigned to the appropriate individual(s) for additional triage.

Estimate severity

Our severity estimates are influenced by the OWASP Risk Rating Methodology.

We assign three levels of severity:

  • Low. These issues have a very small impact and/or are difficult to exploit. They may not actually be security vulnerabilities at all. Additional security precautions, defense-in-depth measures, and improvements to security configuration are some examples of low severity issues.
  • Medium. These issues have a small impact and are not easily exploited.
  • High. These issues must be fixed quickly. Often they will be treated as critical bugs.

Assign resources

In general, security issues are assigned resources in the same way we assign resources for bugs. However, we use time-based thresholds to ensure that every security issue is resolved within a reasonable amount of time given its severity. High severity issues must be fixed (significantly) more quickly than Medium severity issues, and Medium severity issues must be fixed more quickly than Low severity issues.

Pro-active measures

In addition to resolving security issues as they are discovered, we also take several steps to increase our security.

  1. We regularly have third parties pentest our systems to search for potential security issues.
  2. We run Red/Blue games to raise awareness of security issues and provide opportunities for practice implementing security policies.
  3. We plan Security Epics to tackle larger changes to our architectures to improve security.
  4. We meet regularly to discuss how we can improve security.