Vulnerability Scanning and Patch Management Guide
Introduction
This guide is designed to ensure that all IT systems and services developed, procured or operated by or on behalf of the Ministry of Justice (MoJ) are patched regularly and maintain a secure configuration. It provides steps to ensure that privileged users can patch systems effectively, and within the Service Level Agreements set out in the Patch Management Guide, to reduce risks to IT systems. Unpatched vulnerabilities can be a major risk factor in organisations being compromised by threat actors. This page is the first in a series of three pages about vulnerability scanning and patch management within the MoJ.
Who is this for?
This guide is aimed at two audiences:
- The in-house MoJ Digital and Technology staff who are responsible for implementing controls throughout technical design, development, system integration and operation. This includes DevOps, Software Developers, Technical Architects and Service Owners. It also includes Incident Managers from the Event, Problem, Incident and CSI (EPIC) Team.
- Any other MoJ business group, agency, contractor, IT supplier and partner who in any way designs, develops or supplies services (including processing, transmitting and storing data) for, or on behalf of, the MoJ.
Related guides
Further guidance on vulnerability scanning and patch management can be found in the following guides:
- The Vulnerability Scanning Guide explains the scanning requirements for the MoJ systems.
- The Patch Management Guide explains the patching requirements for the MoJ.
The base principles
All systems and applications must be scanned using commodity tooling for known vulnerabilities such as, but not limited to, OWASP Top 10 application issues.
Any issues found must be proportionally considered for remediation prior to progression into production.
‘In-house’ applications must be scanned for vulnerabilities during development. Normally this scanning would be automatic rather than requiring manual invocation.
The scanning must include build pipelines.
It must not be possible to release to production without a record of a current vulnerability scan, and associated mitigations or documented exemptions.
Tools such as OWASP ZAP may be useful in enabling automated scanning of applications.
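One way to enforce the principle that nothing reaches production without a current scan record and either a mitigation or a documented exemption for each finding is a gate step in the build pipeline. The example below is added here and is not MoJ or ZAP project code; the report shape (site → alerts with pluginid, alert, riskcode) follows the layout of a ZAP JSON report, but every value, the exemption register, the seven-day freshness window and the Medium-and-above blocking threshold are constructed assumptions for illustration.

```python
"""Pipeline release gate: block unless a current scan record exists and every
blocking finding is either fixed or covered by an unexpired, documented exemption."""
from datetime import datetime, timedelta

# Constructed sample scan record (shape modelled on a ZAP JSON report; values made up).
SAMPLE_REPORT = {
    "@generated": "2024-05-01T09:00:00+00:00",
    "site": [{"@name": "https://app.example.invalid", "alerts": [
        {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"},
        {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3"},
        {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1"},
    ]}],
}

# Constructed exemption register: plugin id -> ticket reference and expiry.
# Only an unexpired entry counts as a "documented exemption".
SAMPLE_EXEMPTIONS = {
    "10038": {"ticket": "RISK-PLACEHOLDER-1", "expires": "2024-06-30T00:00:00+00:00"},
}

MAX_SCAN_AGE = timedelta(days=7)  # assumption: older scans are not "current"
GATE_RISK = 2                     # assumption: Medium (2) and High (3) block release


def evaluate_gate(report, exemptions, now, max_age=MAX_SCAN_AGE, gate_risk=GATE_RISK):
    """Return (allowed, reasons); reasons are strings for the pipeline log."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if report is None:
        return False, ["no vulnerability scan record found for this release"]
    reasons = []
    generated = datetime.fromisoformat(report["@generated"])
    if now - generated > max_age:
        reasons.append(f"scan is stale: generated {generated.isoformat()}")
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            if int(alert["riskcode"]) < gate_risk:
                continue  # Low/Informational: recorded by the scan but not blocking
            ex = exemptions.get(alert["pluginid"])
            if ex and datetime.fromisoformat(ex["expires"]) > now:
                continue  # documented exemption still in force
            reasons.append(f"unmitigated finding {alert['pluginid']} "
                           f"({alert['alert']}) risk {alert['riskcode']}")
    return not reasons, reasons


if __name__ == "__main__":
    ok, why = evaluate_gate(SAMPLE_REPORT, SAMPLE_EXEMPTIONS, now="2024-05-03T00:00:00+00:00")
    print("release allowed" if ok else "release blocked:\n  " + "\n  ".join(why))
```

With the sample data the gate blocks on the reflected XSS finding, while the CSP finding passes only because its exemption is still in force; an expired exemption, a missing report or a scan older than the window each fail the gate as well.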
What is covered?
Vulnerability scanning is the identification of potential vulnerabilities within an organisation’s network and devices including its firewalls, routers, switches, servers and applications. It is an automated process and focuses on finding potential or known vulnerabilities which could be exploited by threat actors.
Patching is the application of a vendor-supplied or in-house developed security patch or fix to a known vulnerability. Patching can also refer to other ways of achieving the same goal, for example:
- Virtual patches.
- Removal of vulnerable services or functionality.
- Disabling and preventing access.
Patching may include recompiling applications to incorporate security updates. Patch updates may also be held in third party or other code libraries so you may need to locate these and update them.
All assets must be scanned and patched. The following assets are explicitly covered by this guide:
- Internet facing websites: Any open internet-facing websites operated by the MoJ.
- End user client devices: An end user client device is one that is normally used by a single person - the user. The device does not supply services to other users. Example devices include desktop PCs, laptops, tablets and mobile phones. If an end user device provides a service (for example, running a web server on a mobile phone), then it is considered to be an infrastructure device and is therefore subject to the same security requirements as infrastructure devices.
- Infrastructure devices: Devices that form part of the infrastructure of MoJ systems and services. Examples include edge firewalls, routers, networking equipment, servers and printers.
- Digital services: Any digital services provided by, or operated on behalf of, the MoJ. Many services make use of third-party software libraries and imported code.
- Applications: All applications, such as database services, hosted on MoJ servers, external servers or a cloud platform.
If you have a query about any assets not explicitly covered in this guide, please contact the Cyber Assistance Team.
Minimum software requirements
To meet the minimum requirements of this guide, all software used by the MoJ must be:
- Fully compliant with applicable Licenses and Terms of Use.
- Supported by applicable supplier packages (but refer to the following note).
- Removed from devices when no longer licensed or supported (subject to the change management approach).
- Capable of being patched in a suitably prompt fashion when security updates are made available, according to the severity of the vulnerability. Indicative timescales for the different vulnerability levels are provided in the Patching Schedule section of the Patch Management Guide.
Note: Commercial software will normally have support packages identified and agreed as part of the purchase (acquisition) and deployment process. Open Source software would not always have associated support packages. The decision to use a given software tool in a project or service must take into account what support packages are available to ensure that the tool remains viable and secure for the lifetime of the project or service. If a support package is not available - for example with Open Source software - then a risk evaluation must be performed to understand the business implications if the tool becomes unavailable or unsafe to use.
Cyber Security Advice
Cyber Consultants and Risk Advisors
- Email: security@justice.gov.uk
- Slack: #security
Feedback
If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.