Enterprise Security Assessment > Application and IT Security > Application Security

Does your SDLC include communicating vulnerabilities to a Security Monitoring and Response Group?

book reader icon
1 Minute
11/21/2024
facebook logo gray
linkedin logo gray
mail logo gray

No. As a small LLC, communication of known and un-remediated vulnerabilities of our QR Code platform to all relevant employees, partners or consultants is part of daily business and happens continuously; It need not be a formalized part of our SDLC (secure software development lifecycle).

Remediations usually happen within a short amount of time after becoming known. Security Monitoring and Incident Response fall to management, appropriatly supported by all Constituents in question and in accordance with all applicable internal Policies.

Last update 1 month ago

Has your SDLC Policy been approved by management and communicated to appropriate Constituents?

The Policy has been approved by management but as a small company, communication of our SDLC towards employees or consultants happens during the onboarding phase.

Do you have a formal Incident Response Plan in place?

Yes, but without an escalation matrix. The Incident Response Plan defines actions to be taken in case of information security events.

Have you coordinated all planned responses to business disruptions with your key service providers?

Formal agreements have been established with QR Planet's key service providers and processes developed that coordinate planned responses to business disruptions.

Do you have a Vulnerability Management Policy in place?

QR Planet's vulnerability management policy has been approved by management and was communicated to all appropriate constituents and it has an owner assigned.

Do you perform Network Vulnerability Scans both against internal and internet-facing networks and systems?

Comprehensive Network Vulnerability Scans towards internal and external networks and systems are part of our regular penetration tests.