Vulnerability Management Process Flow
- Vulnerability Entry Point: Vulnerabilities can be identified and relayed to the OSDU InfoSec team through the following workflows:
1.1. Slack or Ticketing System: Members can raise a request to the InfoSec team via the InfoSec Sub-Committee Slack Channel, which is monitored by the InfoSec team. The ticketing system is still being developed; more information will be provided once it has been deployed.
1.2. Pen Test Report: Vulnerabilities detected during the penetration test are reviewed by the InfoSec team and other OSDU stakeholders.
1.3. Scanning Tools: Code is scanned as it passes through the CI/CD pipeline, and any vulnerabilities detected are listed in the Vulnerability Report.
- InfoSec Team: Reviews and manages outstanding vulnerabilities and ensures they are resolved and/or disclosed in a timely manner. The team also provides guidance and clarification on detected vulnerabilities.
- Issues: The InfoSec team assigns issues to application support teams to remediate vulnerabilities. When vulnerabilities are detected, the following steps must be used to assign issues to the appropriate personnel:
3.1. Once in the vulnerability report (https://community.opengroup.org/groups/osdu/platform/-/security/vulnerabilities), click on the vulnerability.
3.2. Click the pipeline link.
3.3. Find the person associated with the pipeline as this will be used to assign the issue.
3.4. Go back to the vulnerability and click the Create Issue button located towards the bottom of the page.
3.5. Set the assignee to the person identified in step 3.3, select Vulnerability Management from the Labels dropdown, set Milestone to the milestone in which the vulnerability will be remediated, and click Create Issue.
- Exception/Acceptance Process: If a vulnerability can be resolved, but not within the required time frame, the exception process must be followed alongside vulnerability remediation. If a vulnerability cannot be resolved, the acceptance process must be followed and no further remediation is required. Note: the following steps are only required if a vulnerability can be remediated.
- Remediate Vulnerability: Developers remediate vulnerabilities by performing the following steps:
5.1. Update software and/or dependencies based on recommendations
5.2. Rescan impacted software and dependencies to ensure vulnerabilities are no longer detected
5.3. Close Issue and update vulnerability status. The following steps are to be used to close out vulnerabilities in the compliance report after they have been remediated:
5.3.1. Access the OSDU Vulnerability Report.
5.3.2. Locate the vulnerability assigned to you or your team. This can be done by using the dropdown filters and/or scrolling through the listed vulnerabilities.
5.3.3. Click on the vulnerability.
5.3.4. Select the Status dropdown list, which can be found in the upper right corner of the screen.
5.3.5. Select the appropriate status (Dismiss, Confirm or Resolve).
5.3.6. Click the Change status button.