Microsoft conducts regular penetration testing to improve Azure security controls and processes. In addition, OnePlan performs our own penetration testing and code scans before and after every production update.
OnePlan undergoes dynamic code analysis using Qualys for web application scanning and network penetration testing. The Security Code Scan extension for Visual Studio is employed for static code analysis.
We follow OWASP standards. As changes are made to our application and/or network settings, we re-scan to verify that no new issues have been introduced.
Vulnerabilities shall be patched or remediated in the following timeframes:
| Determined Severity | Remediation Time |
| --- | --- |
| Critical | 30 Days |
| High | 30 Days |
| Medium | 60 Days |
| Low | 90 Days |
| Informational | As Needed |