
Patch Management Documentation

This document describes how Mobile2b manages security vulnerabilities and patches for its deployment on Google Kubernetes Engine (GKE).

How we identify security gaps

From the very beginning, Mobile2b has paid attention to a strong security design when developing the Mobile2b platform. But even the best software systems can have security gaps. In order to find and patch these gaps before they can be exploited, we regularly have external security experts carry out penetration tests on all of our subsystems. These so-called “white hat hackers” try to uncover possible vulnerabilities in the system by means of simulated attacks.

By using external experts, we also consistently eliminate any possible “developer bias” in IT security testing.

During development, static code analysis with SonarLint, SonarQube and TSLint runs continuously within the CI/CD pipeline. In addition, vulnerability scans of the generated Docker containers are carried out. This ensures that fixing a security vulnerability does not introduce a new one.

Classification of security vulnerabilities

Penetration tests play a key role in reducing the impact and likelihood of security vulnerabilities. If vulnerabilities are found in the tests, they are classified into different levels of severity.

The following table describes the severity levels of vulnerabilities:

High: The high risk level indicates the maximum risk associated with a particular vulnerability. Such a vulnerability can enable an attacker to successfully exploit the underlying application and its data and to change the application's behavior so that it no longer corresponds to what it was intended for.

Medium: The medium risk level indicates a significant risk associated with a particular vulnerability. Such a vulnerability may enable an attacker to exploit the underlying application and its data to a certain degree, allowing the attacker to gain low-level information about the application. Such information may be used to conduct more targeted attacks based on the information gathered.

Low: The low risk level indicates the lowest risk associated with a particular vulnerability. Such a vulnerability can allow an attacker to obtain information about the underlying application and its data at an informational level only.

Patch and inform about security vulnerabilities

When patching a security vulnerability, the Mobile2b software must be upgraded.

On request, Mobile2b informs customers about such updates by email or in person during appointments. In addition, these customers are also informed about the results of a penetration test, including any security gaps found.

Patch schedules

The goal of Mobile2b is to mitigate identified vulnerabilities within a time frame that is appropriate for the associated risks. The time frame depends on the severity and exploitability of the vulnerability.

High

High-risk vulnerabilities are treated with the highest priority and resolved immediately (at most 1 week after the vulnerability is identified).

Medium

Vulnerabilities classified as "Medium" are fixed as soon as possible, or shortly after the fix for "High" risk vulnerabilities (at most 3 months after the vulnerability is identified).

Low

A low-risk vulnerability is fixed soon after the high- and medium-risk vulnerabilities are fixed (in the next release, but at least once a year).


© Copyright Mobile2b GmbH 2010-2024