Both on a yearly basis and when provisioning new applications and services, we will engage security specialists and industry leaders to conduct testing against:
- Assets
- OSS software
- Cloud Infrastructure
- Products and operations
- Vendor products
These reviews can include, but are not limited to, the following action points:
- Vulnerability research against all assets.
- Research into FOSS tools that are integrated within Comic Relief applications.
- Vulnerability research against SaaS apps and other products that we use.
- Automated scanning of architecture.
- Network and user penetration testing.
For systems built (or significantly modified) that contain customer and/or sensitive data, we should undertake application security reviews with a third-party specialist to ensure the system is hardened against attack.
When provisioning a new service or application, we will generally engage an AWS solution architect to validate the ideas being implemented within our systems and ensure that we are aligning ourselves with industry best practices.
When taking applications into production, we will conduct a Well-Architected Review alongside AWS to ensure that we have built the application in line with the best possible standards. These reviews cover the following areas:
- Operational Excellence
- Security
- Reliability
- Performance Efficiency
- Cost Optimization
NCC conduct yearly penetration testing on all of our core applications to ensure we are in line with current security recommendations.
RSM have conducted audits against the application logic and business-worthiness of our internal systems and software development practices. This has included bringing on board technology specialists to gain an understanding of, and advise on, our systems, processes and architecture.
Sage's internal security team provide penetration testing and CIS benchmarking of our cloud architecture.