At EZtek Software, we make security a part of every step in the development process to keep our code, products, and customers safe. We apply secure development practices throughout the entire lifecycle.
Our development process is backed by application security training and a security knowledge base managed by our security team.
In the design phase, we use methods like threat modeling, design reviews, and an up-to-date library of security standards to ensure we consider the right security needs.
During development, we enforce a peer review process as the first layer of security check. This is followed by automated static analysis (SAST) and manual security testing, both done by our internal teams and third-party experts based on our risk assessment.
We have formal processes for operational readiness and change control, making sure only approved changes go live. After deployment, we use automated vulnerability scanning and a top-tier bug bounty program to continuously monitor the security of our applications. We also measure our products’ security performance over time with a security scorecard system.
Building a Culture of Security
At EZtek Software, we foster a culture of security by empowering our teams with robust security training.
Developer Security Training
We combine in-house content and third-party resources to ensure our development teams have the security knowledge needed to build secure applications. Our training program is continuously reviewed to maintain its effectiveness and adapts to the ever-changing security landscape.
Design Phase
In the design phase, we use threat modeling, design reviews, and a comprehensive security standards library to ensure that the right security measures are considered.
Threat Modeling
We use threat modeling to assess security risks, especially when projects involve complex threats or critical security changes. This process includes a brainstorming session with engineers, security experts, architects, and product managers to identify and prioritize relevant threats. The results are then incorporated into the design process, ensuring the right security controls are in place and guiding subsequent review and testing in later phases of development.
Our threat modeling involves:
- A risk-based approach to decide when threat modeling is necessary
- A mature process with tools and supporting materials
- Training videos and resources to assist software teams with threat modeling
Development Phase
Throughout the development process, we implement various security practices to ensure our code remains secure.
Security Review
The security team conducts security reviews to provide assurance across all software projects at EZtek. A risk-assessment process helps us prioritize areas to focus on, identifying required activities to mitigate project risks. Depending on the risk level, assurance activities may include:
- Design reviews and threat modeling
- Code reviews and security testing
- Independent assurance through expert third-party researchers and consultants
Peer Review
During development, all code undergoes our peer review green build (PRGB) testing process. This requires multiple senior or lead developers to review all commits before they are deployed to production. This is further supported by automated static analysis (SAST) and manual security testing, both by internal teams and external experts based on our risk assessments. The process is also backed by application security training and a security knowledge base managed by the security team.
Separation of Environments
We maintain logical and physical separation between production and non-production (development) environments for all critical services. Our staging environment is logically separated but not physically separated, and it follows production-grade change control and access processes.
At EZtek, security policies prohibit using production data in non-production environments. We have guidelines for handling restricted data, such as personal data, using techniques like anonymization, hashing, and tokenization.
Maintenance Phase
Before pushing code to production, it must pass through formal operational readiness and change control processes.
Once a system is deployed, we conduct regular automated vulnerability scans. Additionally, we maintain an industry-leading bug bounty program, ensuring continuous security assurance through a trusted, crowdsourced group of security researchers.
Security Scorecards
We’ve implemented product security scorecards, an automated system to monitor and assess the security of all our products. These scorecards track a range of security-focused criteria, including vulnerabilities, training coverage, and recent security incidents, giving each product an overall daily security score.
This process provides product teams with an objective view of the areas that need attention and helps identify gaps and necessary actions. It also allows the EZtek security team to track the security posture of all products over time, particularly as our product suite scales.