diff --git a/docs/60-security/security-vulnerability-management-in-the-kyma-environment-b1b0a64.md b/docs/60-security/security-vulnerability-management-in-the-kyma-environment-b1b0a64.md new file mode 100644 index 00000000..bdf079a1 --- /dev/null +++ b/docs/60-security/security-vulnerability-management-in-the-kyma-environment-b1b0a64.md 
@@ -0,0 +1,19 @@ + + +# Security Vulnerability Management in the Kyma Environment + +We regularly add patches within each two-week release cycle and employ a vulnerability management process to ensure the security of SAP BTP, Kyma runtime. Within the vulnerability management process, we identify, assess, prioritize, remedy, and monitor vulnerabilities. + +We regularly scan our code and the container images that are part of SAP BTP, Kyma runtime, Kyma Control Plane, and Kyma dashboard for known and potential vulnerabilities. The security scanning technologies in use are: + +- Static Application Security Testing \(SAST\) for the proprietary code +- Open Source Vulnerability Management \(OSVM\) for open-source software that is part of Kyma runtime + +> ### Note: +> We ensure security scans for Kyma runtime and you, as a customer, are responsible for scanning your own workloads added to our offering. For details, read [Operating Model in the Kyma Environment.](../70-getting-support/operating-model-in-the-kyma-environment-862b96b.md) + +The scanning results are constantly monitored and addressed without undue delay. New vulnerabilities are assigned to responsible development teams for remediation. If an update is available, we fix the vulnerability. If not, the vulnerability is subject to further analysis to identify its associated risk and implement appropriate measures. For critical vulnerabilities identified by our security organization, we provide hotfixes between the regular releases. + +> ### Remember: +> We analyze each vulnerability to assess its actual severity in the Kyma environment. Therefore, we may lower the severity score or identify it as false-positive. + diff --git a/docs/index.md b/docs/index.md index 353e1eab..a25a3a1c 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -1859,6 +1859,7 @@ - [Auditing and Logging Information in Kyma](60-security/auditing-and-logging-information-in-kyma-935e241.md) - [Configure a Custom Identity Provider for Kyma](60-security/configure-a-custom-identity-provider-for-kyma-67bcc6e.md) - [Distributed Denial-of-Service Protection in Kyma](60-security/distributed-denial-of-service-protection-in-kyma-5e13d59.md) + - [Security Vulnerability Management in the Kyma Environment](60-security/security-vulnerability-management-in-the-kyma-environment-b1b0a64.md) - [Getting Support](70-getting-support/getting-support-5dd7398.md) - [Providing Details for SAP HANA Service Database Problems](70-getting-support/providing-details-for-sap-hana-service-database-problems-75cde53.md) - [Gather Support Information](70-getting-support/gather-support-information-6daa475.md)
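Review bot: In the first hunk (the new security-vulnerability-management page), the trailing period in the Note is inside the link text, `[Operating Model in the Kyma Environment.](...)`, so the rendered link includes the period; move it outside the closing bracket. Two smaller wording points in the same hunk: the Note sentence "We ensure security scans for Kyma runtime and you, as a customer, are responsible for scanning your own workloads" joins two independent clauses and wants a comma before "and you"; and in the Remember box, "identify it as false-positive" should read "identify it as a false positive" (noun, no hyphen). The body paragraph also states "If an update is available, we fix the vulnerability. If not, the vulnerability is subject to further analysis..." without saying who decides or how customers learn about the outcome; if the team has a reference for that, a link here would save readers a support ticket.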
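Review bot: In the docs/index.md hunk, the added line `+ - [Security Vulnerability Management in the Kyma Environment](...)` shows one more leading space than the neighbouring `- [Distributed Denial-of-Service Protection in Kyma](...)` entry in this view; please confirm it sits at the same nesting level as its siblings in the 60-security group, otherwise the table of contents renders it as a child of the DDoS page rather than a sibling. The alphabetical placement after "Distributed Denial-of-Service Protection in Kyma" is correct.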