Discovery of a security issue

When a potential security vulnerability is discovered, we take the following steps:

  1. Triage the issue and write a story
  2. Estimate severity
  3. Assign resources

Triage the issue and write a story

Whenever a potential security vulnerability is discovered by a team member, we triage the issue. This involves investigating the potential scope of the problem, what may have caused it, and whether or not it may have been exploited. With this information we create a story in Asana. After the story is created, it may be assigned to the appropriate individual(s) for additional triage.

Estimate severity

We are influenced by the OWASP Risk Rating Methodology.

We assign three levels of severity:

Assign resources

In general security issues are assigned resources similarly to how we assign resources for bugs. However, we use time-based thresholds to ensure that all security issues are resolved within a reasonable amount of time given the severity of the issue. High severity issues must be fixed (significantly) more quickly than Medium severity issues. Medium severity issues must be fixed more quickly than Low severity issues.

Pro-active measures

In addition to resolving security issues as they are resolved, we also take several steps to increase our security.

  1. We regularly have 3rd-parties pentest our systems to search for potential security issues.
  2. We run Red/Blue games to raise awareness of security issues and provide opportunities for practice implementing security policies.
  3. We plan Security Epics to tackle larger changes to our architectures to improve security.