Esprida Secure Design Practices
IoT security, confidentiality, integrity, and application availability are vital to smart, connected products. Esprida addresses security threats not only with leading-edge features but also with our internal design and engineering practices.
This article will describe how we’ve incorporated security into our internal development practices.
The engineering team completes security training every year, and new team members complete security training as part of the onboarding process. The engineering and support managers review the latest notices from industry security watchdogs. This approach ensures that the team is aware of security vulnerabilities.
To ensure that security is maintained throughout the entire lifecycle of the LiveIntersect Platform™, security testing is performed regularly and systematically. Vulnerability scans are conducted on all major software releases to ensure that software components remain secure. All third-party and open source components used in the LiveIntersect architecture are selected based on their stability and industry support.
Secure Code Development Process
The Esprida software development process follows the Open Web Application Security Project (OWASP) standards for building secure applications, including a mandatory security review for major releases. The Esprida software development cycle includes code review, as well as integration and regression testing prior to release.
New application features within the LiveIntersect platform are designed to be backward compatible. New features are outlined in product documentation and are reviewed prior to deployment to customers.
Esprida follows a systematic change management process designed to enable reliable system updates and avoid customer disruptions. All versions are thoroughly reviewed, tested, approved, and proactively communicated. Version updates are deployed into production in a phased process, starting with the areas of least impact. On occasion, emergency changes to production systems may require deviations from standard change management procedures. These occasions are associated with an incident, and are logged, approved, and communicated.
The Esprida development team centrally manages the release management process, using the same process for software patches and upgrades. All new functionality, enhancements, and bugs are reported in a central ticketing system. Each ticket provides a description of the software components to be changed or built, the detailed description of the new functionality, the engineering resource responsible for the work, the estimated effort, and the targeted release version. All code is change-controlled in a central repository. Once a code change is approved for promotion into a release version, the enhancement, feature, or bug fix undergoes functional and regression testing. If the new code does not pass testing, bugs are reported and fixed. Upon passing all tests, the enhancement, feature, or bug fix is approved for release and included in the next scheduled production release. Each production release is assigned a version number for reference by customers and the Support team.
Network and infrastructure changes
All changes to the Esprida network and server infrastructure are authorized, logged, tested, approved, and documented in accordance with industry best practices. Esprida proactively alerts customers of any planned system maintenance based on the Maintenance and Upgrade process.
Security Reviews and Audits
Internal vulnerability and penetration testing – The Esprida engineering team performs vulnerability and penetration testing for every new application version, using open-source and commercial testing tools such as Burp. A version is not released until all identified vulnerabilities are corrected and the version successfully passes all security testing.
Third-party vulnerability testing
Esprida can engage with third-party security experts on request to perform additional testing and security audits. These testing cycles may include source code review, software vulnerability testing, and penetration testing. Any vulnerabilities identified in these testing cycles are immediately corrected.
Every tier of the LiveIntersect platform, from the network to the database servers, can have additional processing resources added without service interruption.
- Every tier has surplus standby processing capacity
- System performance is designed to scale linearly with the addition of further resources
- Additional computing resources are scaled up when needed
- Application-server clusters ensure that individual servers can fail and traffic can be switched over to other servers.