
Tidepool intends to complete a formal penetration test by a verified third-party service in 2023.

Vulnerability testing

As part of the cloud shared responsibility model, Tidepool relies on and contracts with AWS to perform ongoing security vulnerability and penetration testing against the infrastructure services AWS provides to Tidepool (compute, storage, database, networking, security, access management, logging, and elastic and redundant resources).

Within the shared responsibility model, Tidepool is responsible for its own secure implementation: secure configuration of rules and policies, ensuring that access control and network security rules are applied properly, assigning and restricting storage permissions and audiences appropriately, logging and auditing, and implementing the correct server-side and client-side security controls to protect data at rest and in motion.

Vulnerability scanning

Tidepool uses several tools to scan software and systems for vulnerabilities that could be introduced indirectly through the use of third-party libraries.

Tidepool servers and software deployments are evaluated continuously for operating system and supporting software updates through our Continuous Integration and Deployment processes, which lets us test each deployment for software vulnerabilities.

Infrastructure and services are monitored for anomalies and changes, which are reported by AWS security tools and by third-party security risk modeling and aggregation tools such as JupiterOne; these help us track, audit, and maintain our security posture over time.

These tools include:

Scan remediation process

When a security vulnerability is identified during an automated or manual scan:

  • A new security Jira issue is opened to track the vulnerabilities found:

    • via automation during scanning

    • by the Tidepool Security Engineer (if it is reported directly, identified internally, or found through open-source security research)

    • via other tooling

  • The vulnerability is validated by Tidepool Software Engineers and/or the Tidepool Security Engineer.

  • A new source code pull request is opened in GitHub if the issue is in code or infrastructure-as-code.

  • The fix is reviewed and approved by Tidepool Software Engineers.

  • The fix is deployed via automation to a development environment for verification and testing.

  • The fix is reviewed and approved by the VP of Engineering before being deployed via automation to Production.

  • The Tidepool Security Engineer verifies the remediation manually if it cannot be verified by an automated test.

Security patch process

Tidepool's software is typically updated multiple times per week, though some components are updated less frequently.

Urgent patches, though extremely rare, can be tested and deployed within minutes using GitOps, Terraform, and CloudFormation.

Responsible disclosure policy and penetration testing

Tidepool runs a Responsible Disclosure Program. Under this program, outside security researchers test Tidepool on a continuous, ongoing basis. We offer bug bounties for unique bugs in order to partner with open-source security researchers.

Vulnerability notification

Vulnerabilities will be reported to users of the Tidepool platform and to administrative contacts at participating health systems if they affect use of the platform.
