# Vulnerability Management

Our security team performs automated and manual application and infrastructure security testing on a regular basis to identify and patch potential security vulnerabilities and bugs.

We also engage independent service providers to perform external penetration tests on an annual basis to assess potential system security threats. Remediation activities against discovered vulnerabilities are performed in a timely manner to enable the pen test provider to retest and verify that the issues are fixed.

### Change Management

A formal Change Management Policy has been defined by the Mago Engineering team to ensure that all application changes have been authorised prior to implementation into the production environments. Source code changes are initiated by developers who would like to make an enhancement to the Mago application or service. All changes are stored in a version control system and are required to go through automated Quality Assurance (QA) testing procedures and manual code review to verify that security requirements are met.

Successful completion of QA procedures leads to implementation of the change. All QA-approved changes are automatically implemented in the production environment. Our software development lifecycle (SDLC) requires adherence to secure coding guidelines, as well as screening of code changes for potential security issues via our QA and manual review processes.

All changes released into production are logged and archived, and alerts are sent to the Mago Engineering team management automatically. Changes to the Mago production environment are restricted to authorised personnel only. The Mago Security team is responsible for maintaining infrastructure security and ensuring that server, firewall, and other security-related configurations are kept up to date with industry standards. Firewall rule sets and individuals with access to production servers are reviewed on a periodic basis.

