Risk and Vulnerability Assessments
1. Does Crossbeam conduct risk assessments and vulnerability scans?
We are currently undergoing a SOC 2 Type I evaluation and expect a report by Q1 2019. We have planned a SOC 2 Type II to follow, with a report available by the end of Q2 2019.
We have completed a manual penetration test conducted by a third-party security firm, and will continue to do so on a quarterly basis.
2. Does Crossbeam have a process in place to ensure networks, operating systems, applications, databases, endpoint devices, and mobile devices have the latest up-to-date security patches installed?
We perform monthly reviews of software dependencies and upgrade any outdated or vulnerable libraries. Additionally, EC2 instances are rotated on a regular basis to use the latest versions of Ubuntu and Amazon Linux. We also subscribe to updates from US-CERT for critical software security issues.
3. How do you segregate different domains on your network? What are the different domains (e.g. DMZ, internal, server only, etc.)? How do you enforce the separation at the network level? Are firewall rule changes reviewed and approved before going into production? Who performs the reviews and approvals?
Currently we have two network domains: a DMZ for public HTTP load balancers and bastion servers as well as an internal domain for servers and databases. These are located within individual subnets in our AWS VPC. We enforce strict firewall rules at the edges. All firewall (security group) changes are applied via Terraform and are subject to code review by a senior member of the engineering team.
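The two-domain layout described in the answer above, expressed as Terraform security groups. This is an added illustration, not Crossbeam's own configuration; the VPC ID, the admin CIDR and the application ports are placeholders.

```hcl
# Constructed example of the two-domain layout described above (placeholder
# IDs, CIDRs and ports; not Crossbeam's Terraform). Egress rules omitted:
# Terraform strips the default allow-all egress, so add them explicitly.
# DMZ: public HTTPS load balancer, the only group open to the internet.
resource "aws_security_group" "dmz_lb" {
  vpc_id = "vpc-PLACEHOLDER"
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# DMZ: bastion host, SSH only from a placeholder admin range, never 0.0.0.0/0.
resource "aws_security_group" "dmz_bastion" {
  vpc_id = "vpc-PLACEHOLDER"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]
  }
}
# Internal: app servers admit traffic only from the DMZ groups, referenced by
# security group ID rather than CIDR, so there is no direct internet path.
resource "aws_security_group" "internal_app" {
  vpc_id = "vpc-PLACEHOLDER"
  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.dmz_lb.id]
  }
  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.dmz_bastion.id]
  }
}
# Internal: database admits connections only from the app tier.
resource "aws_security_group" "internal_db" {
  vpc_id = "vpc-PLACEHOLDER"
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.internal_app.id]
  }
}
```

Because every change to these groups is a diff to this file, a reviewer can check in the pull request that no internal group gains a `cidr_blocks = ["0.0.0.0/0"]` ingress and that only the two DMZ groups reference external ranges.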