Recognizing that Theatre Manager is a point of sale system that manages sensitive information that includes credit card data, it is important that the developers keep abreast of new and developing threats. The following sources are examples of web sites that developers are expected to read periodically and share any findings with the rest of the teams.
If any site reports a threat that may affect security, a project will be created in Fogbugz to deal with testing where it impacts Theatre Manager.
- postgresql Always check for the current production version of postgres and see if there is a new release. Releases typically are about once per quarter. When there is a new version, then make sure to read the release notes to see if there are
- bug fixes beneficial to Arts Management
- and fix that specifies some security vulnerability
- Developers are always expected to be at the latest release for testing
- Nginx. The web server processes are dependant upon Nginx and PCI compliance scans generally identify old or outdated versions of Nginx. Check monthly to see if there are any new stable releases available. We do not use Alpha or Beta releases of Nginx, only mainline releases.
- Omnis Studio Check for an new releases or patches to the devlopment tool. Of special interest are bug fixes and/or any release that implements additional security in other areas like TLS, etc.
- macnn is a newsnet style mac based web site. It can usually be relied upon to report both mac and PC news (especially if it is negative)
- Credit Card processors such as
- OWASP - to review emerging internet vulnerabilities at least semi annually.
- per PCI requirement 2.2, periodically check NIST for reported security vulnerabilities and record pertinent ones in the vulnerability assessment for each component we use.