Vulnerability Scanning Policy
1. Vulnerability Scanning Policy
a. Objective
To identify and remediate vulnerabilities in employee and contractor machines (e.g., laptops) and production assets (e.g., server instances) in order to protect against security threats. Although the application is hosted on Heroku and the codebase is in GitHub, Daffeinated regularly checks the antivirus state of employee machines and enforces a strict policy against unnecessary software and for the timely installation of security patches.
b. Scope
This policy applies to all devices and systems within the corporate network, including employee laptops, developer machines, and production servers.
2. Vulnerability Scanning Procedures
a. Employee and Server Instances
- Patch Management
  - Daffeinated relies on Heroku's managed platform for automated patch management, so that all database and OS security patches are applied automatically as soon as they become available.
- Remote Workers
  - Daffeinated uses the Heroku shell to connect to instances whenever necessary; that access sits behind secure logins, and for most purposes Heroku's own secure management portal is sufficient for server access.
  - Daffeinated deploys the site to Heroku runtime instances through the GitHub CI/CD framework, installing only the frameworks and apps the website requires.
- User Training
  - Daffeinated provides training for employees and contractors on the importance of regular updates and on recognizing potential security threats, and ensures that the antivirus software on all employee machines is updated automatically.
b. Production Assets
- Tool Selection
  - Daffeinated uses AWS Inspector to scan server instances and other production assets, and AVG to scan employee laptops.
- Automated Scanning
  - Daffeinated schedules automated vulnerability scans for all production servers and cloud instances, and ensures scans run during low-traffic periods to minimize the impact on performance.
- Continuous Monitoring
  - Daffeinated implements continuous monitoring solutions to detect vulnerabilities in real time and respond quickly to new threats.
- Patch Management
  - Because the application runs in Heroku's managed environment, all DB and OS patches are applied automatically; Daffeinated also performs regular patching cycles and ensures that critical patches are applied as soon as possible.
- Change Management
  - Daffeinated integrates vulnerability scanning and patch management into the change management process to ensure that updates are tracked and documented.
  - Daffeinated tests patches in a staging environment before applying them to production systems to avoid disruptions.
3. Reporting and Remediation
- Vulnerability Reports
  - Daffeinated generates detailed vulnerability reports after each scan, highlighting critical and high-risk vulnerabilities.
  - Daffeinated distributes reports to relevant stakeholders, including IT and security teams.
- Remediation Plans
  - Daffeinated develops remediation plans for identified vulnerabilities, and prioritizes remediation efforts based on severity and potential impact.
  - Daffeinated assigns responsibility for addressing each vulnerability to specific team members.
- Verification
  - After applying patches and updates, Daffeinated conducts follow-up scans to verify that vulnerabilities have been successfully remediated.
  - Daffeinated maintains logs and records of all scans, identified vulnerabilities, and remediation actions.
4. Compliance and Audits
- Regulatory Compliance
  - Daffeinated ensures that vulnerability scanning and patch management practices comply with relevant regulations and industry standards, such as GDPR, PCI-DSS, and HIPAA.
- Regular Audits
  - Daffeinated performs regular security audits to review the effectiveness of vulnerability scanning and patch management processes.
  - Daffeinated uses audit findings to improve security practices and address any gaps identified.
5. Continuous Improvement
- Threat Intelligence
  - Daffeinated leverages threat intelligence feeds to stay informed about new vulnerabilities and emerging threats.
  - Daffeinated updates scanning tools and policies based on the latest threat intelligence.
- Feedback Loop
  - Daffeinated establishes a feedback loop with IT and security teams to continually refine and improve scanning and patch management processes.
- Technology Updates
  - Daffeinated regularly reviews and updates the tools and technologies used for vulnerability scanning and patch management to ensure they remain effective against evolving threats.