Risk Register
Last updated: 15 September 2025
| Risk ID | Description of Risk | Source | Likelihood | Impact | Risk Score (L × I) | Current Controls | Planned Mitigation / Treatment | Risk Owner | Status | Review Date | |
|---|---|---|---|---|---|---|---|---|---|---|---|
| R-001 | Outdated gem dependencies (such as Rack and Nokogiri) could contain known vulnerabilities leading to remote code execution or denial‑of‑service. In June and April 2025 the team performed security‑driven upgrades to Rack and Nokogiri:contentReference[oaicite:0]{index=0}:contentReference[oaicite:1]{index=1}, showing the ongoing risk if packages lag behind. | Third‑party Ruby gems | High | Automated dependency monitoring ( |
Implement continuous vulnerability scanning and schedule quarterly reviews of dependencies; update gems promptly when advisories are released. | CTO | Open | ||||
| R-002 | Vulnerabilities in client‑side library jquery-ui-rails may expose the application to cross‑site scripting or other client‑side attacks. A security update was required in February 2025:contentReference[oaicite:2]{index=2}. |
Third‑party JavaScript library | Medium | Medium | 9 | JavaScript security scanning and only loading necessary components. | Replace deprecated libraries with maintained alternatives; monitor upstream advisories; maintain CSP headers. | Development team lead | Open | 2025‑02‑03 | |
| R-003 | Inadequate sanitization due to vulnerabilities in rails-html-sanitizer / loofah could allow injection attacks. The gem needed a security patch in January 2025:contentReference[oaicite:3]{index=3}. |
Application framework / library | Low | High | 8 | Use framework‑provided sanitization and input validation; apply security updates. | Conduct code reviews focused on input sanitization; integrate dynamic application security testing (DAST); schedule next review for sanitizer libraries. | Security manager | Open | 2025‑01‑09 |