Aspose Vulnerability Management Policy
1. Introduction
Aspose Pty Ltd (Aspose) is a market-leading software development company that offers APIs for creating, editing, converting, and rendering various file formats such as Office, OpenOffice, PDF, Images, and CAD. Our APIs support multiple platforms, including .NET, Java, C++, Python, PHP, and Android.
Aspose follows a comprehensive vulnerability management strategy to protect its software products and services. This policy defines the roles, responsibilities, and standards for identifying, assessing, managing, and remediating vulnerabilities across all Aspose products. It establishes protocols that all Aspose personnel involved in software development, testing, and deployment must adhere to, supporting a proactive and systematic approach to risk management.
2. Purpose
The purpose of this policy is to establish a structured and effective approach to managing vulnerabilities within Aspose’s software products. This policy aims to ensure timely identification, assessment, and mitigation of security risks, safeguarding the security and integrity of Aspose’s offerings and protecting customers’ data and privacy.
3. Scope
This policy applies to all software products and services developed, tested, or deployed by Aspose. It covers Aspose employees, contractors, and partners involved in any aspect of software development, testing, or deployment, including protocols for vulnerability identification, assessment, remediation, and reporting.
4. Roles and Responsibilities
4.1. IT Infrastructure and Security Team
Responsible for monitoring, assessing, and managing vulnerabilities in Aspose products. This includes tracking identified issues, ensuring timely remediation, and coordinating the release of security patches.
4.2. Development Teams
Responsible for following secure coding standards, fixing vulnerabilities identified in their code, and collaborating with QA to test these fixes.
4.3. Quality Assurance (QA) Team
Responsible for testing patches and updates for known vulnerabilities and verifying that security standards are met before release.
4.4. Sales Team and Technical Support Team
Acts as the first point of contact for customer-reported vulnerabilities, alerts the relevant teams, and ensures that vulnerabilities are resolved in a timely manner. Communicates vulnerability resolution status to customers when necessary.
4.5. Executive Management
- Approve and oversee the implementation of the policies.
- Allocate resources to support security initiatives, training, and technology upgrades.
- Promote a culture of security awareness and accountability across the organization.
5. Vulnerability Identification and Assessment
Vulnerability Scanning: Aspose uses automated vulnerability scanning tools, specifically SonarQube, for each software release (monthly) to assess code for OWASP Top 10, SANS Top 25, and CWE security issues.
Code Review: All code is subject to regular code reviews and secure coding practices to minimize potential vulnerabilities. Code is analyzed against OWASP and SANS standards.
Third-Party Vulnerabilities: Aspose products may include third-party components, primarily native C++ libraries ported to C#. Customer-reported issues with these third-party components are reviewed and assessed, though they may sometimes trigger false positives in scanning tools.
6. Vulnerability Prioritization and Risk Assessment
Severity Rating: Vulnerabilities are classified as Critical, High, Medium, or Low based on their impact and exploitability. Critical vulnerabilities are prioritized for action and patching.
Risk Assessment: Vulnerabilities are assessed based on risk factors, including potential impact on product security, data protection, and customer safety. This prioritization informs the remediation process and timelines.
7. Remediation and Mitigation, Patch Management
Aspose follows a structured approach to patch management to ensure vulnerabilities are addressed in a timely manner while minimizing disruption:
Patch Management and Testing: For critical issues, patches are developed and tested by the Development and QA teams. Patches for critical issues are released as quickly as possible, either as hotfixes or as part of the next scheduled release.
Update Distribution: Updates and patches are distributed via NuGet, PyPI, NPM, Packagist, and Aspose’s official website. Customers are informed about updates through release notes and direct download links.
Temporary Mitigations: If patching is not feasible, temporary mitigation measures are implemented, such as advising customers on configuration changes or security practices until a patch is available.
Testing and Rollback Procedures: All patches are tested in a controlled environment before deployment to ensure stability and compatibility. If a patch causes issues, a rollback plan is implemented to restore systems to a stable state.
Frequency and Prioritization of Patching:
- Critical patches are applied within 7 days of identification.
- High and Medium severity patches are addressed within 14 days unless risk acceptance is documented.
- Low severity patches are incorporated into scheduled release cycles.
Monitoring and Documentation: Patch results are monitored through automated tools and manual reviews. Completed patches are documented, including applied changes and any corrective actions.
8. Third-Party Library and Dependency Management
Dependency Inventory: Aspose maintains a list of all third-party components in its products. This list is regularly reviewed to ensure prompt updates for any known vulnerabilities.
Customer Reports: Issues reported by customers, especially those using Red or BlackDuck scanners, are reviewed and addressed as needed to correct misidentified vulnerabilities.
9. Remote Access Security and Endpoint Management
Endpoint Security: All employees working remotely must ensure that their devices are secure, with up-to-date antivirus protection, operating system updates, and firewalls enabled.
Secure Access: Access to Aspose’s systems requires multi-factor authentication and secure VPN connections to prevent unauthorized access to source code or sensitive information.
10. Incident Identification, Containment, and Resolution
Aspose follows a structured incident response process to manage vulnerabilities that are actively exploited or pose a significant threat:
- Classification of Incidents:
  - Critical – Containment and mitigation within 7 days.
  - High – Containment and mitigation within 14 days.
  - Medium – Resolution within 14 days.
  - Low – Resolution in a scheduled release.
- Containment and Mitigation: If an incident is classified as Critical or High, steps are taken to contain the threat, such as isolating affected systems or disabling compromised components.
- Root Cause Analysis and Follow-Up: Following containment, a root cause analysis is conducted to identify underlying causes and prevent recurrence.
- Post-Incident Reviews and Documentation: All incidents are logged in the incident management system, with findings used to improve future response strategies.
- Lessons Learned and Corrective Actions: Corrective actions and recommendations are incorporated into development and security processes to enhance future resilience.
- Alignment with Risk Management and Business Continuity Policies: The incident response framework is aligned with Aspose’s broader risk management and business continuity strategies to ensure consistent handling of incidents.
10.1 Penetration Testing and Vulnerability Reports
Aspose conducts regular penetration testing to identify security gaps and ensure compliance with security standards:
Frequency of Penetration Testing:
- Internal penetration testing is conducted annually. This can change based on risk assessment.
- External penetration testing is conducted annually. This can change based on risk assessment.
- Tests focus on both application and infrastructure vulnerabilities.
Handling of Findings and Remediation:
- Identified issues are classified by severity and addressed according to the vulnerability prioritization policy.
- Critical findings are remediated within 7 days; High and Medium findings within 14 days.
SonarQube Reports:
- SonarQube is used to conduct continuous scanning of source code.
- Reports are reviewed monthly or per release to identify emerging vulnerabilities and trends.
- SonarQube findings are triaged and assigned based on severity to align with the broader incident classification system.
- All remediation actions are logged and tracked in the internal reporting system.
- Products are not released with known vulnerabilities existing.
11. Monitoring, Reporting, and Documentation
Ongoing Monitoring: Continuous monitoring for potential vulnerabilities is conducted through SonarQube and regular review against industry standards.
External Monitoring: Aspose subscribes to market-leading security reporting websites such as nvd.nist.gov and cvs.mitre.org.
Internal Reporting: For any detected vulnerabilities, a ticket is created and prioritized within the development team. Status updates are documented and tracked. For Critical issues, a company-wide notification will be made.
Customer Reporting: Issues and their resolutions are shared in detail through blog posts and in our Customer Support Forums. Release notes, made available to customers, contain details of resolved vulnerabilities for each new release. This documentation ensures that customers are informed about security improvements and updates.
Direct Customer Contact: For Critical issues, Aspose will endeavor to contact customers directly to alert them to the need for potential action.
12. Legal and Regulatory Compliance
Aspose is committed to complying with all applicable legal, regulatory, and industry requirements related to this policy. Where specific regulations or standards apply, Aspose will ensure alignment to protect customer data, meet business obligations, and maintain operational integrity.
Aspose’s vulnerability management practices are aligned with its Business Continuity Policy and Third-Party Risk Management Policy to ensure a consistent and compliant approach to managing security incidents and vulnerabilities.
12.1. Compliance Principles
- Adherence: Aspose follows all relevant legal and regulatory requirements applicable to its operations and systems.
- Alignment with Standards: While Aspose may not hold formal certifications, it aligns its practices with recognized industry frameworks and best practices to ensure compliance.
12.2. Ongoing Compliance Monitoring
Aspose regularly reviews its internal processes, policies, and product offerings to ensure ongoing compliance with relevant laws and industry standards.
Compliance audits and reviews are conducted periodically to ensure the effectiveness of security and privacy controls.
13. Employee Training and Security Awareness
Aspose ensures that all employees are well-prepared to identify, report, and address vulnerabilities across its products. Training programs are designed to support a proactive and security-conscious approach to vulnerability management.
13.1. Security Training Programs
- Onboarding Training: All new employees are introduced to the principles of vulnerability management, including secure coding practices, identifying potential risks, and reporting procedures.
- Ongoing Awareness: Regular sessions and updates ensure employees remain informed about vulnerability-related processes, emerging security risks, and mitigation strategies.
13.2. Security Role-Specific Training
Certain employees in key roles receive specialized training to fulfill their responsibilities effectively:
- Developers: Training on secure coding practices and vulnerability remediation using guidelines such as OWASP.
- Quality Assurance (QA) Team: Training to test and validate patches, identify vulnerabilities, and ensure secure release processes.
- IT Infrastructure and Security Team: Advanced training on vulnerability scanning tools (e.g., SonarQube), risk prioritization, and incident response processes.
- Sales Team and Technical Support Team: Guidance on identifying and reporting customer-reported vulnerabilities and escalating them to relevant teams.
13.3. Vulnerability-Conscious Culture
Aspose fosters a culture where vulnerability management is a shared responsibility. This includes:
- Regular communication on the importance of identifying and addressing vulnerabilities.
- Encouraging employees to report potential issues promptly through clear, secure reporting channels.
- Reinforcing leadership’s commitment to secure software development and vulnerability mitigation.
13.4. Continuous Improvement
Employee feedback on training programs is actively encouraged to ensure relevance and effectiveness.
Post-Incident Debriefing: Following vulnerability-related incidents, teams participate in debriefing sessions to analyze root causes and identify improvements in training or processes.
14. Policy Compliance and Enforcement
To ensure the effectiveness of vulnerability management, compliance with this policy is mandatory for all employees, contractors, and third-party partners.
14.1. Vulnerability Management Policy Compliance
Mandatory Adherence: All personnel must follow the Vulnerability Management Policy, including timely identification, reporting, and remediation of vulnerabilities.
Policy Acknowledgment: Employees must formally acknowledge their responsibilities regarding vulnerability management upon onboarding and whenever significant policy updates occur.
Periodic Reviews and Updates: This policy will be reviewed regularly to ensure alignment with evolving industry standards, security threats, and business needs. Stakeholders will be notified of updates, and retraining will be conducted as needed.
14.2. Monitoring and Auditing
Vulnerability Reviews: Regular audits and assessments will ensure vulnerabilities are identified, prioritized, and remediated in line with the policy.
Automated Monitoring: Automated tools, such as SonarQube and other vulnerability scanning solutions, continuously monitor code and systems for new vulnerabilities.
Self-Assessments: Development and IT teams are encouraged to regularly assess their processes and systems to identify potential gaps and ensure adherence to secure coding practices.
14.3. Non-Compliance Consequences
Violation of Policy: Non-compliance with the Vulnerability Management Policy will result in disciplinary actions, including but not limited to:
- Corrective Actions: Retraining, formal warnings, or additional oversight of development and patching processes.
- Access Restrictions: Temporary or permanent restrictions on access to development tools and systems if misuse or negligence is identified.
- Termination: Severe or repeated policy violations may result in termination of employment or contractual relationships.
- Legal Action: Intentional negligence or failure to address critical vulnerabilities that result in breaches may lead to legal consequences.
14.4. Accountability and Enforcement
Incident Management: Vulnerability-related incidents will be managed following incident response protocols, including containment, root cause analysis, and remediation. Unintentional violations due to lack of understanding will prioritize retraining.
Disciplinary Process: Team Leads and IT Security teams will investigate non-compliance incidents and determine appropriate corrective actions.
Escalation Procedures: Critical breaches, repeated non-compliance, or delays in addressing vulnerabilities will be escalated to senior management for review and further action.
14.5. Continuous Improvement
Feedback Loop: Aspose encourages feedback from employees and stakeholders to continuously enhance the Vulnerability Management Policy and associated processes. Regular reviews help identify gaps, improve vulnerability identification, and streamline remediation efforts.
Training and Awareness: Non-compliance due to a lack of understanding or awareness will be addressed through enhanced training programs and updated communication channels to ensure all employees are fully aware of their responsibilities under the policy.
15. Periodic Review and Policy Updates
Periodic Review: This Vulnerability Management Policy will be reviewed periodically or as required to address emerging threats, regulatory changes, or Aspose’s evolving operational needs. This ensures the policy remains aligned with current access control best practices and business requirements.
Policy Updates: Updates to the policy will be communicated to all employees, contractors, and relevant stakeholders. Any significant changes will be accompanied by training or guidance to ensure continued adherence to access control principles.
16. Policy Management
Aspose is a privately held company. Our policies are reviewed and maintained by the leadership team to keep them aligned with our business goals and industry standards.
This policy is live and effective as of the Last Updated date at the top of this document. Updates reflect changes in our business practices, customer feedback, and compliance requirements.