Application Security
Application security prevents adversaries from exploiting vulnerabilities in the application to gain unauthorized access, steal valuable data, or disrupt its availability to our users.
Secure Application Development
Our application development process is a formalized, process-driven approach designed to maintain the stability of our applications. It governs how changes to our applications are documented, tested, reviewed, and approved.
Status checks and protected branches in our code management platform are used to enforce a series of checks that must be completed before a pull request can be merged into the master branch. The process also includes code review, testing (where applicable), and merging approval by an engineer who didn't make the change or commit it.
Continuous Integration and Deployment (CI/CD) tools automate the deployment process, including building, testing, tagging, versioning, and releasing deployable artifacts to staging, UAT, and then to production environments.
The deployment of changes into the higher environments is restricted to authorized personnel and segregated by environment.
Code Analysis and Penetration Testing
Before deployment into the production environment, a series of checks are performed including manual code review and testing.
Static code analysis, also known as Static Application Security Testing (SAST), runs regularly against code repositories and blocks known misconfigurations from entering the code base.
Dynamic analysis, also known as Dynamic Application Security Testing (DAST), is performed continually against our web applications and APIs. Automated tooling is used to identify potential security vulnerabilities, which then require additional code review and updates before promotion to production.
Manual penetration testing by CREST-certified penetration testers is performed once every quarter.
Vulnerability Management
We implement a multilayered approach to vulnerability scanning using a variety of tools to ensure comprehensive coverage of our technology stacks.
Vulnerability scans are configured to scan for exploitable vulnerabilities daily and on demand.
We use scanners such as Trivy, GitHub Dependabot, and Amazon ECR scanning to find vulnerabilities and misconfigurations across our repositories, container images, and Kubernetes clusters.
Patch Management
Patch management is prioritized based on the severity of the vulnerability that the patch addresses.
To the extent it is possible, we follow the predefined service-level agreement (SLA) for implementing the patches.
If patching cannot be implemented within the SLA, we must ensure that sufficient countermeasures are in place to mitigate the risk.
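The scanning and patch-management practices above (daily scans with tools such as Trivy, severity-based patch prioritization, SLA tracking, and countermeasures where a fix cannot land in time) can be illustrated with a small triage script. The following is an added example, not part of this page or of the platform's own tooling: it parses a constructed report in the shape of Trivy's JSON output, decides whether an image may be promoted, and assigns SLA due dates. The SLA day counts, the blocking severities, the image and package names and the vulnerability IDs are all assumed placeholders.

```python
import json
from datetime import date, timedelta

# Constructed sample shaped like `trivy image --format json` output.
# Target, package names and vulnerability IDs are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "registry.example.internal/api:1.2.3 (debian 12)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-PLACEHOLDER-1", "PkgName": "libexample",
                 "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-PLACEHOLDER-2", "PkgName": "libother",
                 "InstalledVersion": "2.3.0", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-PLACEHOLDER-3", "PkgName": "libminor",
                 "InstalledVersion": "0.9.0", "FixedVersion": "0.9.1", "Severity": "LOW"},
            ],
        }
    ]
})

# Assumed remediation SLA in days per severity; the page does not state its values.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}
# Assumed severities that block promotion when a fixed version is available.
BLOCKING = {"CRITICAL", "HIGH"}


def parse_findings(report_json):
    """Flatten a Trivy-style report into one dict per vulnerability."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null (not []) when a target has no vulnerabilities.
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "id": v["VulnerabilityID"],
                "pkg": v["PkgName"],
                "severity": v.get("Severity", "UNKNOWN").upper(),
                "fixed": v.get("FixedVersion") or None,
                "target": result.get("Target", ""),
            })
    return findings


def count_by_severity(findings):
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


def gate(findings):
    """True when the artifact may be promoted: no blocking-severity finding that already has a fix.
    Findings without a fixed version do not block here; they are tracked for countermeasures instead."""
    return not any(f["severity"] in BLOCKING and f["fixed"] for f in findings)


def assign_due_dates(findings, found_on_iso):
    """Attach an SLA due date (ISO string) to each finding and flag those needing a countermeasure
    because no fixed version exists yet."""
    found_on = date.fromisoformat(found_on_iso)
    out = []
    for f in findings:
        days = SLA_DAYS.get(f["severity"])
        due = (found_on + timedelta(days=days)).isoformat() if days is not None else None
        out.append({**f, "due": due, "needs_countermeasure": f["fixed"] is None})
    return out


def overdue(dated_findings, today_iso):
    """IDs of findings whose SLA due date has passed."""
    today = date.fromisoformat(today_iso)
    return [f["id"] for f in dated_findings
            if f["due"] is not None and date.fromisoformat(f["due"]) < today]


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_REPORT)
    print("counts:", count_by_severity(findings))
    print("promote:", gate(findings))
    dated = assign_due_dates(findings, "2024-01-01")
    for f in dated:
        print(f["id"], f["severity"], "due", f["due"], "countermeasure" if f["needs_countermeasure"] else "")
    print("overdue on 2024-01-10:", overdue(dated, "2024-01-10"))
```

The gate mirrors the common CI practice of failing on fixable HIGH/CRITICAL findings while letting unfixable ones through with a tracked countermeasure, which is how a scanner can enforce the SLA rule without blocking every build indefinitely on issues no upstream fix exists for yet.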
Key Management
Encryption keys for both in-transit and at-rest encryption are securely managed by the Spark platform.
Transport Layer Security (TLS) private keys for in-transit encryption are managed through our content delivery partner.
Application and database encryption keys for at-rest encryption are stored in a hardened Key Management System (KMS).
Keys are rotated at a frequency that is dependent upon the sensitivity of the data they’re encrypting and at the discretion of the team that manages the key.