Security and Operations
At Intuitem, the security of our software and infrastructure is at the heart of our business. Here’s an overview of how we manage cybersecurity throughout our product lifecycle and the measures we take to secure our infrastructure and ensure its availability.
As cybersecurity practitioners, we apply a defense-in-depth principle with a multi-layer approach.
1. Secure Development Practices
- Code Review: Peer review is our first layer to ensure that implementing our business logic doesn’t introduce any vulnerabilities. We are particularly cautious about third-party contributions to our open-source codebase to avoid hijacking our core security model.
- Static and Dynamic Analysis: We rely on automated tools for static code analysis in the early stages (SAST), both at the developer’s workstation and during the CI/CD pipelines. This allows us to capture common anti-patterns that could lead to security flaws, and it’s cross-checked with dynamic analysis (DAST) to detect others that could have been missed by the first checks.
- Software Composition Analysis: All third-party libraries and components used in our software are continuously scanned at the CI/CD level for vulnerabilities and license violations. The versions are pinned for stability and updated with relevant patches when applicable. For the main components, we stick to the LTS (Long Term Support) versions and apply all relevant patches.
- Credential Leakage Detection: All commits are checked for credential leakage. In case of such an incident, prompt rotation of credentials is performed.
- Security Training: We regularly conduct training for developers on secure coding practices and emerging threats.
2. Threat Modeling and Baseline
- Before each new feature, we conduct thorough threat modeling sessions to identify potential security and operational risks.
- We rely on two frameworks for our cybersecurity posture: the NIST CSF for cybersecurity program management and the ASVS for application security, using our own tooling to manage that 🐙
3. Incident Response and Management
- Incident Response Plan (IRP): We have an IRP in place that is regularly updated to reflect the evolving cyber threat landscape. This plan includes clear procedures for detecting, reporting, and responding to security incidents to minimize impact.
- Security Incident Simulation: Regularly, we conduct simulated security incident exercises, involving the whole team. These simulations help improve our response strategies and ensure that all team members are familiar with their roles in an incident.
- Forensic Capabilities: We maintain a comprehensive set of tools and practices for forensic analysis, enabling us to quickly understand the scope and impact of any breach or security issue. This also aids in refining our defenses and preventing future incidents.
4. Continuous Improvement and Feedback Loop
- Feedback Mechanisms: We have established mechanisms to gather security feedback from both users and technical peers. This feedback is crucial for continuous improvement of our security practices and product enhancements. Check out our GitHub repo for instructions on how to report a security issue.
- Security Audits and Penetration Testing: Regular audits and penetration tests are conducted by an external third party to ensure our defenses are effective and to identify any potential vulnerabilities that need to be addressed.
- Patch Management: We enforce a strict policy for regularly scheduled patch management to address vulnerabilities promptly. This includes not only our own software but also the underlying systems and dependencies.
5. Compliance and Legal Requirements
- Regulatory Compliance: We ensure that our security practices meet or exceed the requirements of applicable laws and regulations, such as GDPR, CCPA, and others relevant to our industry and the geographies in which we operate.
- Data Protection Officer (DPO): A designated DPO oversees all data protection matters, ensuring compliance with privacy laws and acting as a point of contact for data subjects and regulatory bodies. You can reach our DPO at [email protected]
6. Deployment and Monitoring
- Secure Deployment: All releases and deployments are done using secure CI/CD pipelines to deploy updates and patches promptly and consistently across all our instances.
- Continuous Monitoring: Demo and Production environments are continuously monitored for availability, performance issues, regression, or security events.
7. Infrastructure Management and Security
- High Availability: All workloads are operated on Kubernetes to ensure high availability and auto-scaling.
- Filtering: Only the necessary ports (443) are exposed on the Internet. Other traffic is restricted by default.
- Zero-Trust Architecture: Access to the cluster control plan is restricted to authorized personnel.
- Data Encryption: Encryption at rest is ensured at the disk level. Encryption-in-transit is guaranteed by TLS 1.3 using automatically renewed Let’s Encrypt certificates.
- Access Control: Only authorized and limited personnel have access to infrastructure management. All privileged accesses are subject to MFA and traced.
- Provider Certification: We rely on ISO 27001-certified providers with tier 3 uptime. Our workload and data are hosted in France as a primary region and the Netherlands as a secondary one.
- Backup and Disaster Recovery: Periodic backups are performed every 48 hours with a retention period of 14 days. Our own instances are hosted and managed using the same pattern and regularly tested.
Commitment to Continuous Improvement
At Intuitem, we are committed to continuously improving our security practices to protect our customers and their data. Our proactive approach to cybersecurity ensures that we can provide a secure and reliable service.
For more information or to report a security concern, please contact our security team at [email protected].