Security at Bright Answer
Product Security
- Establish secure development practices and standards
- Ensure project-level security risk assessments
- Provide design review and code review security services for detection and removal of common security flaws
- Train developers on secure coding practices
Security Operations
- Make use of infrastructure with high security standards, e.g. Platform.sh
- Maintain a secure archive of security-relevant logs
- Respond to alerts related to security events on Bright Answer systems
Manage security incidents
Security by design
Bright Answer assesses the security risk of each software development project according to the OWASP Top 10. Based on this analysis, Bright Answer creates a set of requirements that must be met before the resulting change may be released to production. All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing. For web applications built by Bright Answer continuous automated static analysis using advanced tools and techniques are used.
Protecting customer data
The focus of Bright Answer’s security program is to prevent unauthorized access to customer data. To this end we implement best practices and constantly evaluate ways to improve.
Data encryption in transit and at rest
Bright Answer transmits data over public networks using strong encryption. Bright Answer supports the latest recommended secure cipher suites to encrypt all traffic, including use of TLS 1.2 protocols, AES256 encryption, and SHA2 signatures, as supported by the clients. Bright Answer monitors the changing cryptographic landscape and upgrades the cipher suite choices as the landscape changes, while also balancing the need for compatibility with older clients. The Bright Answer service is hosted in data centers maintained by industry-leading service providers. Data center providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the Bright Answer service. These service providers are responsible for restricting physical access to Bright Answer’s systems to authorized personnel.
Each Bright Answer customer’s data is hosted in Bright Answer’s shared infrastructure and segregated logically by the Bright Answer application. Bright Answer uses a combination of storage technologies to ensure customer data is protected from hardware failures and returns quickly when requested. Bright Answer is in the process of implementing encryption for a subset of personal data at rest.
Authentication
To further reduce the risk of unauthorized access to data, Bright Answer employs multi-factor authentication for administrative access to systems with more highly classified data. Where possible and appropriate, Bright Answer uses private keys for authentication. The passwords themselves are required to be complex (auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements). Bright Answer requires personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviors that can reduce security.
System monitoring, logging, and alerting
Bright Answer monitors incoming bug reports, prioritizes true vulnerabilities and ensures their timely resolution. Bright Answer monitors servers and applications to retain and analyze a comprehensive view of the security state of its infrastructure.
Responding to security incidents
Bright Answer has a dedicated Data Breach Policy and has reviewed all its suppliers to ensure that their breach notifications are at an acceptable standard.
3rd party suppliers
To run its business efficiently, Bright Answer relies on sub-service organizations. Where those sub-service organizations may impact the security of Bright Answer’s production environment, Bright Answer takes appropriate steps to ensure its security posture is maintained.
Bright Answer’s most important 3rd party supplier is its hosting provider Platform.sh. Everything about the security of our hosting infrastructure can be found on the Platform.sh security page.
Conclusion
We take security seriously at Bright Answer, because every person and team using our service expects their data to be secure and confidential. Safeguarding this data is a critical responsibility we have to our customers, and we work hard to maintain that trust.