Vulnerability Management

**Tags:** #Process #OPSEC #VulnerabilityManagement > [!info] > This information is shared as part of Decombine's commitment to [[Open Core]] practices. ## Managed Employee and contractor devices #### Scanning and Monitoring Mobile device scanning and monitoring is executed by Windows Defender on Windows 11 Enterprise and third party tools on other operating systems. ### Mobile Devices Decombine uses Intune mobile device management (MDM) to monitor, manage, and maintain its security posture on end user devices accessing Decombine corporate resources. The following policies are enforced: - Automatic security updates - Device encryption of corporate applications and data - Remote wipe of corporate data ### Operating Systems Decombine uses the following operating systems: - Windows 11 Enterprise ## Infrastructure #### Scanning and Monitoring Backend infrastructure is monitored using Microsoft Defender for Cloud, which continuously monitors and scans resources for security findings. ### Backend Infrastructure Decombine operates all of its services on Kubernetes or PaaS. Kubernetes is a container host management ecosystem. Decombine uses Azure Kubernetes Service (AKS) as its current and sole operational platform. #### Operating Systems ##### Kubernetes Hosts Decombine uses the latest Ubuntu as its default operating system for Kubernetes node agent pools. AKS Hosts security updates are applied automatically and immediately by Microsoft as the underlying services provider. ##### Kubernetes Versioning Decombine follows a schedule of using only the latest Generally Available (GA) version of Kubernetes (referred to as *N*) or *N*-1 (the previous version behind the latest). This may involve leveraging a *Preview* version of software. Preview Terms and Conditions can be found at [Preview Terms Of Use | Microsoft Azure](https://azure.microsoft.com/en-us/support/legal/preview-supplemental-terms/). Furthermore, we apply an automatic upgrade schedule through a "rapid" release cycle. Details on the automatic upgrade schedule can be found [here](https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-cluster). ##### Patching Schedules **Host OS**: Daily **Host images**: Daily **Kubernetes Host version**: Automatic upgrade to latest on release ###### AKS Host Software Packages The current software manifest for packages on each AKS host can be found [here]([AgentBaker/latest.txt at master · Azure/AgentBaker · GitHub](https://github.com/Azure/AgentBaker/blob/master/vhdbuilder/release-notes/AKSCBLMariner/gen2/latest.txt). Packages are published by [https://packages.microsoft.com/](https://packages.microsoft.com/) and signed by the vendor. ##### Container Images Decombine uses a wide variety of container images to automate and deliver services. We standardize on a number of base container images to more effectively manage updating, hardening, and signing baseline images. Decombine uses the following container images for base layers: - Azure Linux (nightly) - Debian 11 (slim) **Image Authenticity** Decombine signs its container images during the build process using public key infrastructure. Images are then validated for appropriate signature verification during release. Details for the signature process can be found [here](https://github.com/notaryproject/notaryproject).