Info

Tidepool intends to complete a formal penetration test from a verified third party service in 2023.


Vulnerability testing

As part of the shared responsibility model of cloud, Tidepool relies on and contracts with AWS to perform ongoing security vulnerability and penetration testing against the infrastructure services it provides to Tidepool (Compute, Storage, Database, Networking, Security, Access Management, Logging, and elastic and redundant resources).

Within the shared responsibility model, Tidepool is responsible for our own secure implementation - secure configuration of rules and policies, ensuring access control and network security rules are applied properly, storage permissions and audiences assigned and restricted appropriately, logging and auditing, and implementing the correct server and client security controls to protect data at rest and in motion.

Vulnerability management

Tidepool uses multiple tools for assessing software, services, and applications to detect vulnerabilities that could be introduced through the software supply chain, 3rd-party libraries, incorrect security implementations, and security weaknesses.

Tidepool services and software deployments are evaluated continuously for operating system and supporting software updates using Continuous Integration and Continuous Deployment processes, allowing us to rapidly test each deployment for software vulnerabilities.

Infrastructure and services are monitored for anomalies and changes; findings are aggregated and reported by AWS security tools and by third-party security risk modeling and aggregation tools such as JupiterOne to help us track, audit, and maintain our security posture over time.

These tools include:

Scan remediation process

When a security vulnerability is identified during an automated or manual scan:

  • A new security Jira issue is opened to track the vulnerabilities found:

    • via automation during scanning

    • by the Tidepool Security Engineer (if it is reported directly, identified internally or from Open-Source Security research)

    • reported via other tooling

  • Vulnerability is validated by Tidepool Software Engineers and/or Tidepool Security Engineer

  • A new source code pull request is opened in GitHub if the issue is code or infrastructure-as-code.

  • Fix is reviewed and approved by Tidepool Software Engineers.

  • Fix is deployed via automation to a development environment for verification and testing.

  • Fix is reviewed and approved by VP of Engineering before being deployed via automation to Production.

  • The Tidepool Security Engineer verifies remediation manually if it cannot be verified via an automated test.

Security patch process

Tidepool's software is typically updated multiple times per week—though some components are updated less frequently.

Urgent patches, though extremely rare, can be tested and deployed within minutes via automation (GitOps, Terraform, and CloudFormation).

Note

Tidepool prohibits the use of manual patching or configuration. All changes to production services are performed via secure configuration management.

Responsible disclosure policy and penetration testing

Tidepool runs a Responsible Disclosure Program. Under this program, outside security researchers test Tidepool on a continuous, ongoing basis. We offer bug bounties for unique bugs to partner with open source security researchers.

Vulnerability notification

Vulnerabilities will be reported to users of the Tidepool platform and administrative contacts at participating health systems if they impact use.
