Secure by design
We are accredited with Cyber Essentials, and have completely isolated our office network from the reporting site network to minimise the risk to any customer data.
The application uses a Serverless architecture combined with AWS CloudFormation, meaning that developers need no direct access to the infrastructure running the application. This makes management completely automated and auditable, and in the most part, directly managed by Amazon Web Services. Developers have no direct access to the database, all direct changes made must be made through deploying code, which is audited and reviewed before being permitted to run.
By using the Serverless architecture, and making use of Amazon Virtual Private Cloud networking, we eliminate the risk of vulnerabilities and out-of-date software in the OS and networking level. You can find out more about Amazon’s security policies on their website.
Our development practice is structured around a continuous delivery pipeline. To manage vulnerabilities and out-of-date patches in the application, automated scanning tools provided by the Node Security Project are used in this pipeline. These scans run regularly on each change made to the application, and any vulnerabilities are immediately flagged to the developer who must resolve them before they can make any further feature changes. Each change must also be manually reviewed by another developer before being accepted in the mainline, and automated tests are used to check for regressions, with new features and especially security critical code paths having additional tests written to cover them.