Point in Time Audit Results
For point-in-time results, I am linking to a spreadsheet for now, since these are being done manually and complex tables in markdown are difficult to track.
https://docs.google.com/spreadsheets/d/11oH06o19c2jcb14U_HMkFxUgUqA_GYzrItOvZKjnnas/edit#gid=0
Automated Audit Results
Rules about what Results must be documented in the DCR Unmitigated Risks section
Q: Given pentest results with high/medium/low severity, what are the rules about blocking the relevant releases and/or adding them to the DCR?
The standard is that High Severity vulnerabilities should be fixed prior to production, or as quickly as possible if in production. Medium severity vulnerabilities should have a remediation plan in place to fix them in the coming months.
The only reason to put a vulnerability in the DCR (High or Medium) would be so that the DCR can be used to track closure on the open vulnerabilities.
—Rick