Vulnerability Management

Owned by Ben Derr
Last updated: Feb 08, 2024
2 min read

 

Search this space

Vulnerability testing

As part of the shared responsibility model of cloud, Tidepool contracts with AWS to perform ongoing security vulnerability and penetration testing against the infrastructure services it provides to Tidepool (Compute, Storage, Database, Networking, Security, Access Management, Logging, and elastic and redundant resources).

Within the shared responsibility model, Tidepool is responsible for our own secure implementation - secure configuration of rules and policies, ensuring access control and network security rules are applied properly, storage permissions and audiences assigned and restricted appropriately, logging and auditing, and implementing the correct server and client security controls to protect data at rest and in motion.

Vulnerability Management

Tidepool uses multiple tools for assessing software, services, and applications to detect vulnerabilities that could be introduced indirectly through software supply chain, 3rd-party libraries, incorrect security implementations, and security weaknesses.

Tidepool services and software deployments are evaluated continuously for Operating System and supporting software updates using Continuous Integration and Continuous Deployment, allowing us to rapidly test each deployment.

Infrastructure and services are monitored for anomalies and changes; they are aggregated and reported on by security tools and third-party security risk management systems to help us track, audit, and maintain our security posture over time.

Penetration testing

Tidepool engages an external vendor yearly for a Penetration Test against our Production application.

The last Penetration Test occurred July of 2023

Scan remediation process

When a security vulnerability is identified during an automated or manual scan:

  • A new security issue is opened to track the vulnerabilities found: 

    • via automation during scanning.

    • by the Tidepool Security Engineer (if it is reported directly, identified internally or from Open-Source Security research).

    • or if reported via other tooling.

  • Vulnerability is validated by Tidepool Software Engineers and/or Tidepool Security Engineer.

  • A new source code pull request is opened in GitHub if the issue is code or infrastructure-as-code.

  • Fix is reviewed and approved by Tidepool Software Engineers. 

  • Fix is deployed via automation to a development environment for verification and testing.

  • Fix is reviewed and approved by VP of Engineering before being deployed via automation to Production.

  • Tidepool Security Engineer verifies remediation manually if cannot be verified via automated test.

Security patch process

Tidepool's software is typically updated multiple times per week—though some components are updated less frequently.

Urgent patches, though extremely rare, can be tested and deployed within minutes via automation.

Tidepool prohibits the use of manual patching or configuration. All changes to production services are performed via secure configuration management.

Responsible disclosure policy and penetration testing

Tidepool runs a Responsible Disclosure Program. Under this program, outside security researchers test Tidepool on a continuous, ongoing basis. We offer bug bounties for unique bugs to partner with open source security researchers.

Vulnerability notification

Vulnerabilities will be reported to users of the Tidepool platform and administrative contacts at participating health systems if they impact use.

The content of the Tidepool Technical Documentation is licensed under a Creative Commons CC0 1.0 Universal (CC0 1.0) Public Domain Dedication.