Secure Engineering Principles (A.14.2.5)

Objectives

Breezy implements several information systems. In order to ensure information systems implemented by Breezy are secure, the principles outlined in this document need to be followed when designing, implementing, maintaining, operating and improving our information systems.

Scope

Breezy’s Secure Engineering Principles shall apply to all product offerings from Breezy.

Policy

Secure Engineering Principles

Ensure information is secure when processing, transmitting and storing data.

When implementing information systems, one should always ensure the data within the information system remains secure for the entire lifecycle of the data. At all times during the lifecycle of data, the data is either being processed, transmitted, or stored. As such, ensuring the security of information when processing, transmitting, and storing data, means the information will be secure at all times.

Remember information belongs to the customer.

One should always remember that the information in the systems implemented belongs to Breezy customers. Breezy has a duty to protect the customer’s information, and is in fact being paid to do so. When evaluating the security of information, Breezy’s requirements should always meet or exceed the customer’s requirements. If the customer’s requirements cannot be met, Breezy will either make improvements, reach an agreement with the customer on the adequacy of Breezy’s requirements, or inform the customer that the incompatibility between Breezy’s information systems and their requirements prevents Breezy from accepting their business.

Evaluate all changes and new implementations for the most critical security risks.

To date, all of Breezy’s products are web applications or components of web applications. As such, one should always ensure any new or modified functionality does not introduce one of the OWASP Top 10 Most Critical Web Application Security Risks. Following this principle when developing information systems is one of the easiest ways to ensure all of the other principles in this document are being followed.

Establish baselines for a minimal level of security.

When evaluating the security of information, one should consider not only the most secure way to protect information but also the least secure way that is acceptable. For instance, when encrypting data for transit, the upper bound on key size may be limited only by the practicality of the resulting transmission size and processing time. The lower bound is limited by the length of time the data must remain protected from someone attempting to brute force or crack the encryption key. While the minimal level of security should not be the goal, establishing the baseline is as important as establishing the most secure implementation. Baselines allow for better recognition of when implementations are “not secure enough” or “more than secure enough”.

Produce evidence of security throughout the lifecycle of an information system.

Throughout the lifecycle of an information system, one should always produce evidence of security. Producing evidence yields returns in two primary ways: it provides accountability and auditability of one’s actions, and it is the only real proof Breezy can share, internally and externally, that it engineers secure information systems. For example, when addressing a security concern in a code change, make sure a Trello ticket tagged with “security” exists and is referenced in the change.

Perform retrospective evaluation if vulnerabilities are discovered.

If a security vulnerability is discovered in a product, a retrospective evaluation shall occur as part of the associated security incident. Specifically:

  • Engineers will review other code and systems maintained by Breezy to ensure they do not have the same vulnerability.
  • Breezy will evaluate how the vulnerability was introduced, for example through poor code review or insufficient vulnerability scanning.
  • A treatment plan will be created based on those results. It should contain specific improvements to be made to mitigate/prevent the class of vulnerability from being introduced again.

Responsibilities

  • The Information Security Manager shall be responsible for ensuring that the Secure Engineering Principles remain current and aligned with Breezy business activities and security objectives, and the compliance of products detailed within the Scope of this Policy.
  • Asset owners and engineers responsible for the development of information systems detailed within the Scope of this Policy will ensure the Secure Engineering Principles are employed in the development of their respective systems.