For Workload Automation AE, what process does the development team follow to address any vulnerabilities discovered within 3rd-party open-source components used within the WAAE application?
CA Workload Automation AE Secure Software Development Practices
Security vulnerability management is an ongoing process. CA Workload Automation AE product development operates under internal application security procedures that set guidelines and objectives for the secure development of CA products. CA's secure software development lifecycle (SSDLC) practices are described in general terms at https://communities.ca.com/community/product-vulnerability-response/ca-technologies-secure-software-development-lifecycle-ssdlc. While CA may update these practices from time to time at its sole discretion and without notice, it will continue to use commercially reasonable efforts to establish and maintain secure software development lifecycle practices consistent with generally accepted practices in the IT industry.
The development team has been scanning the code base with various tools for several years and remediating potentially exploitable vulnerabilities. Over the same period, attackers have found more advanced ways of exploiting weaknesses in operating environments, and the vulnerability scanning tools have improved, and continue to improve, to keep pace. As a result, the assessed state of the product has changed over time as the tools and the threat landscape have evolved. Today CA uses industry-leading tools such as CA Veracode and IBM® Security AppScan® to identify and manage security vulnerabilities, including those in the third-party components the product ships. As further vulnerabilities are identified, remediation is prioritized on the basis of ease of exploitation, potential impact, and remediation effort. The resulting code fixes are generally distributed with regular maintenance releases without specific advertisement, so as not to draw attention to the weaknesses of older, unpatched releases still running at customer sites. In rare instances, a third party has identified a high-risk vulnerability, and this has resulted in a published hyper-fix outside the normal maintenance cycle.
While the development, release, and timing of any CA product remain at CA's sole discretion, CA product development operates under the internal application security procedures noted above, which set guidelines and objectives for the secure development of CA products.