We "eat our own dog food" by modeling the development of SD Elements in SD Elements itself for each release of the application.

The development team actions on security tasks compiled for each release and the QA team uses the test requirements to validate that the requirements are met before release.

We periodically run Nessus and HP WebInspect against the application (bi-weekly) and the results are reviewed and actioned before the next release.

Our security consulting team, which are independent of the development team to avoid conflict of interest, perform a manual assessment on the product regularly (at least once a year).

The SD Elements application follows the standard three layer segregation model in its architectural design. SD Elements has separate Web service, Application server, and Database layers.

Although all layers reside in the same server/virtual-appliance, all processes and data files are segregated by the underlying operating system control access rule. Each layer’s processes are executed within a different user space and the files are owned and restricted to the same user space. The three layers only communicate through local sockets.

SD Elements has a minimal attack surface. It only listens on ports 80/TCP for HTTP, 443/TCP for HTTPS, and 22/TCP for SSH that allows for remote administration.

All unneeded ports (except for the ones listed above) are blocked, and all unneeded services are disabled on SD Elements servers.

All communication with SD Elements is encrypted using HTTPS (TLS) and the HTTP port is used solely to redirect the user to the secure protocol.

All transactions are logged according to industry best practices, such as all requests being logged along with the IP of the requester.

Our SaaS infrastructure is SSAE-16 compliant (replaces SAS-70), which has been audited and certified by Deloitte.

Access to production systems are on a need-to-know basis and restricted to the IT administration and support teams.

SD Elements servers are behind a locked down firewall.

Administrative access to SD Elements servers are restricted both by source IP (limited to IPs owned by SD Elements IT) as well as individual user authentication.

All communication to the SD Elements server goes through an Intrusion Prevention System (IPS), which filters the traffic for known attacks before reaching the application code.

Development teams do not have access to production servers.