Security at Bright Answer
Product Security
- Establish secure development practices and standards
- Ensure project-level security risk assessments
- Provide design review and code review security services for detection and removal of common security flaws
- Train developers on secure coding practices
Security Operations
- Make use of infrastructure with high security standards, e.g. Upsun (formerly Platform.sh)
- Maintain a secure archive of security-relevant logs
- Respond to alerts related to security events on Bright Answer systems
- Manage security incidents
Security by design
Bright Answer assesses the security risk of each software development project against the OWASP Top 10. Based on this assessment, Bright Answer defines a set of requirements that must be met before the resulting change may be released to production. All code is checked into a version-controlled repository, and every code change is subject to peer review and continuous integration testing. For web applications built by Bright Answer, continuous automated static analysis is also run against the code base.
Protecting customer data
The focus of Bright Answer’s security program is to prevent unauthorised access to customer data. To this end we implement best practices and constantly evaluate ways to improve.
Data encryption in transit and at rest
Bright Answer transmits data over public networks using strong encryption. Bright Answer supports the currently recommended secure cipher suites to encrypt all traffic and always uses industry-standard protocols and algorithms (TLS 1.2 or later, AES-256). The Bright Answer services are hosted in data centres maintained by industry-leading service providers. These providers offer state-of-the-art physical protection for the servers and related infrastructure that comprise the operating environment for the Bright Answer service, and are responsible for restricting physical access to Bright Answer's systems to authorised personnel.
Each Bright Answer customer's data is hosted in its own fully encapsulated container in these data centres. Bright Answer uses a combination of storage technologies to ensure customer data is protected from hardware failures and is available quickly when requested.
Authentication
To further reduce the risk of unauthorised access to data, Bright Answer employs multi-factor authentication for administrative access to systems holding more highly classified data. Where possible and appropriate, Bright Answer uses key-based authentication in place of passwords. Where passwords are used, they are required to be complex: auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements. Bright Answer requires personnel to use an approved password manager, which generates, stores and enters unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviours that reduce security.
System monitoring, logging, and alerting
Bright Answer monitors incoming bug reports, triages them, prioritises confirmed vulnerabilities and ensures their timely resolution. Bright Answer monitors its servers and applications so that it retains and can analyse a comprehensive view of the security state of its infrastructure.
Responding to security incidents
Bright Answer has a dedicated Data Breach Policy and has reviewed all of its suppliers to ensure that their breach notification commitments meet an acceptable standard.
3rd party suppliers
To run its business efficiently, Bright Answer relies on sub-service organisations. Where those sub-service organisations may impact the security of Bright Answer’s production environment, Bright Answer takes appropriate steps to ensure its security posture is maintained.
Bright Answer's most important 3rd party supplier is its hosting provider Upsun. Details of the security of our hosting infrastructure are published on the Upsun Trust Center website.
Conclusion
We take security seriously at Bright Answer, because every person and team using our service expects their data to be secure and confidential. Safeguarding this data is a critical responsibility we have to our customers, and we work hard to maintain that trust.