Software Development Security at EZtek Software

Software development security

At EZtek Software, we make security a part of every step in the development process to keep our code, products, and customers safe. We apply secure development practices throughout the entire lifecycle.

Our development process is backed by application security training and a security knowledge base managed by our security team.

In the design phase, we use methods like threat modeling, design reviews, and an up-to-date library of security standards to ensure we consider the right security needs.

During development, we enforce a peer review process as the first layer of security check. This is followed by automated static analysis (SAST) and manual security testing, both done by our internal teams and third-party experts based on our risk assessment.

We have formal processes for operational readiness and change control, making sure only approved changes go live. After deployment, we use automated vulnerability scanning and a top-tier bug bounty program to continuously monitor the security of our applications. We also measure our products’ security performance over time with a security scorecard system.

Building a Culture of Security

At EZtek Software, we foster a culture of security by empowering our teams with robust security training.

Developer Security Training

We combine in-house content and third-party resources to ensure our development teams have the security knowledge needed to build secure applications. Our training program is continuously reviewed to maintain its effectiveness and adapts to the ever-changing security landscape.

Design Phase

In the design phase, we use threat modeling, design reviews, and a comprehensive security standards library to ensure that the right security measures are considered.

Threat Modeling

We use threat modeling to assess security risks, especially when projects involve complex threats or critical security changes. This process includes a brainstorming session with engineers, security experts, architects, and product managers to identify and prioritize relevant threats. The results are then incorporated into the design process, ensuring the right security controls are in place and guiding subsequent review and testing in later phases of development.

Our threat modeling involves:

Development Phase

Throughout the development process, we implement various security practices to ensure our code remains secure.

Security Review

The security team conducts security reviews to provide assurance across all software projects at EZtek. A risk-assessment process helps us prioritize areas to focus on, identifying required activities to mitigate project risks. Depending on the risk level, assurance activities may include:

  • Design reviews and threat modeling
  • Code reviews and security testing
  • Independent assurance through expert third-party researchers and consultants

Peer Review

During development, all code undergoes our peer review green build (PRGB) testing process. This requires multiple senior or lead developers to review all commits before they are deployed to production. This is further supported by automated static analysis (SAST) and manual security testing, both by internal teams and external experts based on our risk assessments. The process is also backed by application security training and a security knowledge base managed by the security team.

Separation of Environments

We maintain logical and physical separation between production and non-production (development) environments for all critical services. Our staging environment is logically separated but not physically separated, and it follows production-grade change control and access processes.

At EZtek, security policies prohibit using production data in non-production environments. We have guidelines for handling restricted data, such as personal data, using techniques like anonymization, hashing, and tokenization.

Maintenance Phase

Before pushing code to production, it must pass through formal operational readiness and change control processes.

Once a system is deployed, we conduct regular automated vulnerability scans. Additionally, we maintain an industry-leading bug bounty program, ensuring continuous security assurance through a trusted, crowdsourced group of security researchers.

Security Scorecards

We’ve implemented product security scorecards, an automated system to monitor and assess the security of all our products. These scorecards track a range of security-focused criteria, including vulnerabilities, training coverage, and recent security incidents, giving each product an overall daily security score.

This process provides product teams with an objective view of the areas that need attention and helps identify gaps and necessary actions. It also allows the EZtek security team to track the security posture of all products over time, particularly as our product suite scales.
