Securing Our Products and Services
Product and Software Development Lifecycle
Product related software development is performed by dedicated SAI360 engineering personnel, which consists of system architects, application engineers and database developers. The engineering department is divided by area of expertise required by product and life cycle.
Following the finalization of functional specifications, general software architecture is determined by the product software architect and a hosting services architect. In some cases, architectural considerations may result in changes to functional specifications. These adjustments are communicated back to respective stakeholders and a final functional specification and architecture is determined. This architecture is documented and released to the development manager for review, project scoping and resource assignment.
Customer data is never used in development. It is used only for load testing in a staging environment, and only with customer approval. That staging environment reflects the same security posture, policies and controls as the production environment.
Software Release Processes
Authority to release software from development to Quality Assurance (QA) is restricted to the development manager responsible for the product line. Authority to release software from QA systems to final qualification systems is restricted to the assigned release manager, once software meets pre-defined acceptance criteria for release.
Quality Assurance and Qualification Processes
A dedicated quality control team ensures all software made available to customers is of the highest quality and performance. This team has final veto authority for all software packages moving to production systems.
An extensive and comprehensive testing matrix is applied to all software releases, testing functionality and support for a wide variety of operating systems and browser versions. New functionality is tested extensively, and existing functionality is additionally tested to safeguard against regressions.
Software Release Process
Following a formal release to SAI360 hosting services, the software release package is reviewed by SAI360 cloud operations and a deployment strategy is assessed.
The release is initially deployed to a small, pre-determined number of systems. Following this controlled release, a general release cycle is undertaken with all systems receiving the update over a series of scheduled maintenance windows.
Patch and Version Management
Continuous improvements to software occasionally result in patches available to SAI360 software product lines. All major and minor software releases, including patches, are uniquely versioned and this version is transparent to all operators. The release strategy for patch deployments models that of the general software release process described above.
Secure Development Training
All employees and contractors that develop or write code as part of their primary responsibilities go through appropriate secure development training on an annual basis. This includes, but is not limited to:
- Review of secure development coding practices and principles documented as part of the Information Security Management System (ISMS)
- Open Web Application Security Project (OWASP) Top 10 awareness of security risks
- Secure coding practices in the coding languages and frameworks of their respective application
Access to Source Code
All software access and versioning are strictly controlled through a software source control package. Access to source code is available on an as-needed basis and exclusively restricted to SAI360 software engineering.
Penetration Testing
SAI360 performs penetration testing and vulnerability scanning to detect, mitigate, and resolve security issues, using appropriate tools for the virtual environment. This assessment reviews firewall policies, intrusion detection and prevention policies, system patch levels, vulnerability to known software exploits, and brute force attacks.
SAI360 performs internal vulnerability scans of all corporate and customer facing systems and networks in real time by a local agent, Rapid7, which reports the vulnerability status of the system every six hours, based on change delta. No external access is provided.
SAI360 contracts leading information security consulting and services companies to run external network penetration tests against systems annually and web application penetration tests annually or as a result of significant change. Remediation plans are prepared after penetration testing and managed as a project to closure.
Customers can conduct their own external penetration testing by arrangement at their cost.