Risk Register

~~library~~

Risk ID	Description of Risk	Source	Likelihood	Impact	Risk Score ~~(L × I)~~	Current Controls	Planned Mitigation / Treatment	Risk Owner	Status	Review Date
R-~~001~~2025-06-03-01	~~Outdated~~Vulnerable ~~gem~~Rack ~~dependencies~~dependency (~~such as Rack and Nokogiri)~~2.2.13) could ~~contain~~enable ~~known~~request-handling ~~vulnerabilities~~issues; ~~leading~~mitigated by upgrading to ~~remote~~2.2.17 ~~code~~in ~~execution~~commit or denial‑of‑service. In June and April 2025 the team performed security‑driven upgrades to Rack and Nokogiri:contentReference[oaicite:0]{index=0}:contentReference[oaicite:1]{index=1}, showing the ongoing risk if packages lag behind.`28b6cd3`	~~Third‑party~~Code ~~Ruby gems~~commit	Medium	High	126	~~Automated~~Staging validation; management approval; Azure Defender; MFA; log reviews	Continue monthly dependency ~~monitoring~~checks (~~e.g.~~`bundle Dependabot)outdated`), ~~and~~quarterly ~~regular~~vulnerability ~~patching; version control ensures traceability.~~scans	~~Implement~~Tim ~~continuous vulnerability scanning and schedule quarterly reviews of dependencies; update gems promptly when advisories are released.~~Pollard	~~CTO~~Mitigated (2025-06-03)	~~Open~~	~~2025‑06‑02~~2025-09-03
R-~~002~~2025-04-08-01	~~Vulnerabilities~~Outdated inNokogiri ~~client‑side~~(1.18.3→1.18.7) ~~library~~and `jquery-ui-rails`Rack (2.2.11→2.2.13) may expose ~~the~~parsing/request ~~application~~risks; upgraded in commit `c64ce9b`	Code commit	Medium	High	6	Staging validation; management approval; Azure Defender; MFA	Maintain monthly checks; track Nokogiri/Rack advisories; quarterly vuln scans	Tim Pollard	Mitigated (2025-04-08)	2025-07-08
R-2025-03-04-01	Multiple gem security patches (cgi 0.3.6→0.3.7, date 3.4.0→3.4.1, net-imap 0.4.17→0.4.19, nokogiri 1.18.1→1.18.3, rack 2.2.10→2.2.11, timeout 0.4.1→0.4.3, uri 0.12.2→0.12.4) to ~~cross‑site~~reduce ~~scripting~~exploit orsurface; ~~other~~commit ~~client‑side attacks. A security update was required in February 2025:contentReference[oaicite:2]{index=2}.~~`f3870ae`	~~Third‑party~~Code ~~JavaScript~~commit	Medium	High	6	Staging validation; management approval; Azure Defender; log reviews	Keep monthly dependency audits; document exceptions if deferrals needed	Tim Pollard	Mitigated (2025-03-04)	2025-06-04
R-2025-02-03-01	jquery-ui-rails outdated (6.0.1) with known issues; upgraded to 7.0.0 per issue #132; commit `97ef51a`	Code commit	Medium	Medium	94	~~JavaScript~~Staging ~~security~~validation; ~~scanning~~management ~~and only loading necessary components.~~approval	~~Replace deprecated libraries with maintained alternatives; monitor~~Monitor upstream JS library advisories; ~~maintain~~retire ~~CSP~~legacy ~~headers.~~plugins where possible	~~Development~~Tim ~~team lead~~Pollard	~~Open~~Mitigated (2025-02-03)	~~2025‑02‑~~2025-05-03
R-~~003~~2025-01-10-01	~~Inadequate~~Vulnerable ~~sanitization~~rails-html-sanitizer/loofah ~~due~~and toNokogiri ~~vulnerabilities~~versions incould `enable XSS via unsafe markup; upgraded (loofah 2.23.1→2.24.0, rails-html-sanitizer` /1.6.0→1.6.2, nokogiri 1.16.7→1.18.1); commit `loofah841b5ab` ~~could allow injection attacks. The gem needed a security patch in January 2025:contentReference[oaicite:3]{index=3}.~~	~~Application~~Code ~~framework / library~~commit	~~Low~~Medium	High	86	~~Use framework‑provided sanitization and input~~Staging validation; ~~apply~~management ~~security~~approval; ~~updates.~~secure coding standards	~~Conduct~~Continue ~~code~~monthly ~~reviews~~audits; ~~focused~~add onquarterly ~~input~~targeted ~~sanitization;~~XSS ~~integrate dynamic application security testing (DAST); schedule next review for sanitizer libraries.~~tests	~~Security~~Tim ~~manager~~Pollard	~~Open~~Mitigated (2025-01-10)	~~2025‑01‑09~~2025-04-10