Breezy implements several information systems. In order to ensure information systems implemented by Breezy are secure, the principles outlined in this document need to be followed when designing, implementing, maintaining, operating and improving our information systems.
Breezy’s Secure Engineering Principles shall apply to all product offerings from Breezy.
When implementing information systems, one should always ensure the data within the information system remains secure for the entire lifecycle of the data. At all times during the lifecycle of data, the data is either being processed, transmitted, or stored. As such, ensuring the security of information when processing, transmitting, and storing data means the information will be secure at all times.
One should always remember that the information in the systems implemented belongs to Breezy customers. Breezy has a duty to protect the customer’s information, and is in fact being paid to do so. When evaluating the security of information, Breezy’s requirements should always meet or exceed the customer’s requirements. If the customer’s requirements cannot be met, Breezy will either make improvements, reach an agreement with the customer on the adequacy of Breezy’s requirements, or inform the customer that the incompatibility of information systems and their requirements prevents Breezy from accepting their business.
To date, all of Breezy’s products are web applications or components of web applications. As such, one should always ensure any new or modified functionality does not introduce one of the OWASP Top 10 Most Critical Web Application Security Risks. Following this principle when developing information systems is one of the easiest ways to ensure all of the other principles in this document are being followed.
When evaluating the security of information, one should consider not only the most secure way to protect information but also the least secure way acceptable. For instance, when encrypting data for transit, an upper bound for a key size may only be limited by the practicality of the resulting transmission size and processing time. The lower bound is limited by the amount of time the data must be protected from someone attempting to brute force or crack the encryption key. While the minimal level of security should not be the goal, establishing the baseline is as important as establishing the most secure implementation. Baselines allow for better recognition of when implementations are “not secure enough” or “more than secure enough”.
Throughout the lifecycle of an information system, one should always produce evidence of security. Producing evidence yields returns in two primary ways. It aids in producing accountability and auditability of one’s actions. Producing evidence is also the only real proof Breezy can share internally and externally of engineering secure information systems. For example, when addressing a security concern in a code change, make sure a Trello ticket tagged with “security” exists and is referenced in the change.
If a security vulnerability is discovered in a product, as part of the associated security incident, retrospective evaluation shall occur. Specifically,