Vulnerability Scanning Policy

1. Vulnerability Scanning Policy

a. Objective

To identify and remediate vulnerabilities in employee and contractor machines (e.g., laptops) and production assets (e.g., server instances) in order to protect against security threats. Even though the application is hosted on Heroku and the codebase is in GitHub, DAFshare regularly checks the antivirus state of employee machines and maintains a strict policy against unnecessary software and on the implementation of security patches.

b. Scope

This policy applies to all devices and systems within the corporate network, including employee laptops, developer machines, and production servers.

2. Vulnerability Scanning Procedures

a. Employee and Server Instances

  1. Patch Management

    • DAFshare implements automated patch management through Heroku's managed platform, so that all database and OS security patches are applied automatically when they become available.

  2. Remote Workers

    • DAFshare uses a Heroku shell to connect to instances whenever necessary; that access is protected by secure logins. For most uses, Heroku's own secure management portal is sufficient for server access.

    • DAFshare deploys the site on Heroku runtime instances through the GitHub CI/CD framework, installing only the frameworks and applications the website requires.

  3. User Training

    • DAFshare provides training for employees and contractors on the importance of regular updates and on how to recognize potential security threats, and ensures that antivirus software on all employee machines is updated automatically.

b. Production Assets

  1. Tool Selection

    • DAFshare uses AWS Inspector to scan server instances and other production assets, and AVG to scan laptops.

  2. Automated Scanning

    • DAFshare schedules automated vulnerability scans for all production servers and cloud instances, and ensures scans are performed during low-traffic periods to minimize impact on performance.

  3. Continuous Monitoring

    • DAFshare implements continuous monitoring solutions to detect vulnerabilities in real-time and respond quickly to new threats.

  4. Patch Management

    • Because the application runs in Heroku's managed environment, all DB and OS patches are applied automatically; in addition, DAFshare performs regular patching cycles and ensures that critical patches are applied as soon as possible.

  5. Change Management

    • DAFshare integrates vulnerability scanning and patch management into the change management process to ensure that updates are tracked and documented.

    • DAFshare tests patches in a staging environment before applying them to production systems to avoid disruptions.

3. Reporting and Remediation

  1. Vulnerability Reports

    • DAFshare generates detailed vulnerability reports after each scan, highlighting critical and high-risk vulnerabilities.

    • DAFshare distributes reports to relevant stakeholders, including IT and security teams.

  2. Remediation Plans

    • DAFshare develops remediation plans for identified vulnerabilities, and prioritizes remediation efforts based on the severity and potential impact.

    • DAFshare assigns responsibilities to specific team members for addressing each vulnerability.

  3. Verification

    • After applying patches and updates, DAFshare conducts follow-up scans to verify that vulnerabilities have been successfully remediated.

    • DAFshare maintains logs and records of all scans, identified vulnerabilities, and remediation actions.

4. Compliance and Audits

  1. Regulatory Compliance

    • DAFshare ensures that vulnerability scanning and patch management practices comply with relevant regulations and industry standards, such as GDPR, PCI-DSS, and HIPAA.

  2. Regular Audits

    • DAFshare performs regular security audits to review the effectiveness of vulnerability scanning and patch management processes.

    • DAFshare uses audit findings to improve security practices and address any gaps identified.

5. Continuous Improvement

  1. Threat Intelligence

    • DAFshare leverages threat intelligence feeds to stay informed about new vulnerabilities and emerging threats.

    • DAFshare updates scanning tools and policies based on the latest threat intelligence.

  2. Feedback Loop

    • DAFshare establishes a feedback loop with IT and security teams to continually refine and improve scanning and patch management processes.

  3. Technology Updates

    • DAFshare regularly reviews and updates the tools and technologies used for vulnerability scanning and patch management to ensure they remain effective against evolving threats.