... | ... | @@ -3,9 +3,13 @@ |
![FlowCapture](uploads/393e9662c3993da431681fbd90ed0799/FlowCapture.JPG)
1. **Developers:** Develop software and trigger the execution of vulnerability scanning via the CI/CD pipeline.
2. **Scanning Tools:** Detect, classify and provide vulnerability remediation steps.
3. **Vulnerability Report:** Once scanning is performed the vulnerabilities are listed here: [Vulnerability Report · Platform · GitLab (opengroup.org)](https://community.opengroup.org/groups/osdu/platform/-/security/vulnerabilities)
4. **Info Sec Team:** Reviews and manages outstanding vulnerabilities and ensure they are resolved and/or disclosed in a timely manner. They will also provide guidance and clarification on vulnerabilities detected.
5. **Issues:** Info Sec team will assign issues to application support teams to remediate vulnerabilities. When vulnerabilities are detected the following table can be used to assign issues to the appropriate personnel:
| Technology | Lead | Company |
|------------|------|---------|
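Review bot: Step 2 names "Scanning Tools" without saying which scanners the pipeline runs (SAST, dependency, container, secret detection) or what a finding must carry for step 5 to route it, and step 5 hands off via a per-technology table with no fallback for a technology that has no row or a lead who is unavailable; suggest naming the scanner categories run in CI (or linking the pipeline configuration) and adding a default line under the table, e.g. `If no lead is listed, assign the issue to the Info Sec team.` Minor: step 4 reads "ensure they are resolved" where "ensures" agrees with the subject.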
... | ... | @@ -21,7 +25,9 @@ |
| Policy | Mohammad Malekmakan | EA/DEL/DIGITAL Petronas |
| Data Definitions | Thomas Gehrmann | SLB |
| Infra-azure-provisioning | Madhur Tanwani | MSFT |
6. **Exception/Acceptance Process:** If a vulnerability can be resolved, but not within the required time frame the exception process must be followed along with vulnerability remediation. If a vulnerability cannot be resolved the acceptance process must be followed and no further remediation will be required. Note: The following steps are only required if a vulnerability can be remediated.
7. **Remediate Vulnerability:** Developers will remediate vulnerabilities by performing the following steps:
7\.1. Update software and/or dependencies based on recommendations
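Review bot: Step 6 depends on a "required time frame" that the page never defines, and it names no owner for the exception or acceptance decision nor where an accepted risk is recorded; suggest stating the remediation deadline per severity (or linking the policy that sets it) and naming who approves an exception and who signs off an acceptance, so the step is auditable. In step 7, sub-step 7.1 "Update software and/or dependencies based on recommendations" should be followed by re-running the scan to confirm the finding is gone before the issue is closed, unless a later sub-step not shown in this hunk already covers that.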