Development Methodologies and Configurations
1. Can you describe the software development methodology implemented? How are security requirements defined and included in the SDLC? How do you validate that the requirements are really implemented in the release?
We follow agile development practices, with new features following a specification process by the product and engineering team. The specifications are then received and implemented by the engineering team in bi-weekly sprints. All code is reviewed by at least one other member of the engineering team. We then follow a continuous integration process. Critical security requirements will be reviewed by a third party security firm and later tested by an outside firm as well.
2. Is there hardening/configuration on default server builds?
Our application runs within a Kubernetes cluster, managed by Amazon's Elastic Container Service for Kubernetes (EKS). The nodes within our cluster use the latest AMI provided by Amazon for EKS (the eks-worker-* AMIs). We do not currently install any custom software or perform additional hardening steps on the EC2 instances themselves. However, we have confirmed that password-based SSH access is not permitted on these instances and employees are not granted SSH access.
All of our EC2 instances, with the exception of our bastion, run within a private VPC Subnet behind a NAT. Any ports opened on these instances are restricted to only allow traffic from within the VPC. HTTP/S traffic is routed through an Amazon load balancer into our private subnets.
Our bastion server is an EC2 instance running the latest version of the Ubuntu 16.04 AMI provided by Canonical. This server is the only instance in a Subnet attached to an Internet Gateway. However, its security group allows SSH access only to our VPN and office IP addresses.
All EC2 instances and Docker images are always given least-privilege IAM roles.
To further secure our instances, we will be prioritizing a security project to harden our EC2 instances further. This project will be completed no later than the end of 2018. Changes planned include at least the following: Changing the default root user password Disabling sudo access for non-root users
3. Are servers/systems build using baseline configurations? Are baseline configuration developed based on commonly-accepted industry security and hardening procedures?
Our production infrastructure is built on Kubernetes and runs Docker containers. The Docker images we build and run in production are based on minimal and official images from Docker Hub (typically running Alpine Linux).