Third Party Validation


Both on a yearly basis and when provisioning new applications and services, we will engage security specialists and industry leaders to conduct testing against:

  • Assets
  • OSS software
  • Cloud Infrastructure
  • Products and operations
  • Vendor products

These reviews can include, but are not limited to, the following action points.

  • Conduct vulnerability research against all assets.
  • Research FOSS tools that are integrated within Comic Relief applications.
  • Conduct vulnerability research against SaaS apps and other products that are used by us.
  • Automated scanning of architecture.
  • Network and user penetration.

For systems built (or significantly modified) that contain customer and/or sensitive data, we should undertake application security reviews with a third-party specialist to ensure the system is hardened against attack.

Providers

AWS

When provisioning a new service or application we will generally engage an AWS solution architect to validate the ideas being implemented within our systems and ensure that we are aligning ourselves with industry best practices.

When taking applications into production, we will conduct a Well-Architected Review alongside AWS to ensure that we have built the application in line with the best possible standards. These reviews cover the following areas:

  • Operational Excellence
  • Security
  • Reliability
  • Performance Efficiency
  • Cost Optimization

NCC

NCC conduct yearly penetration testing on all of our core applications to ensure we are in line with current security recommendations.

RSM

RSM have conducted audits against application logic and business-worthiness of our internal systems and software development practices. This has included bringing on board technology specialists to gain an understanding of, and advise on, systems processes and architecture.

Sage

Sage's internal security team provide penetration testing and CIS benchmarking of our cloud architecture.