Orgvue Vulnerability Management

What is the process for vulnerability management?

Qualys Cloud Agent and Amazon Inspector are installed on all EC2 VM instances. Vulnerability scans are continuous via Qualys Cloud Agent. These scans are formally reviewed at least weekly by the Information Security team and include web application scanning in combination with OS level scans. The Qualys Cloud Agent solution is implemented across the Orgvue organization, including the Orgvue AWS, corporate server and workstation environments, providing near real-time vulnerability information.

Container vulnerability management is implemented at build time via JFrog Xray. AWS ECR image scanning runs daily, providing static scanning of container images.

How soon are security updates and patches applied?

Operating system security updates are applied within two weeks of vendor release, consistently across the Orgvue server environment, through an automated build process.

Are penetration (pen) tests completed for Orgvue?

Orgvue completes web application penetration testing at least annually using independent CREST-accredited resources. The executive summary reports of these tests are available to customers on request.

Can Orgvue penetration (pen) test reports be shared with customers?

Yes, we will share the executive summary of penetration test reports. We will not share the full report due to the confidential nature of the pen test findings. Pen test reports detail exactly which findings were discovered and how those findings may be exploited. While we actively fix these findings, we want to protect this information to prevent it from falling into the wrong hands. The executive summary reports can be shared with our customers under NDA. The Orgvue Information Security team manages the distribution of these reports to customers.