Secure Software Development Lifecycle

Overview

Performetriks has invested in security processes and practices that follow industry standards. The processes, security tools, and testing methods employed help address issues such as the OWASP Top 10 most critical web application flaws and the CWE/SANS Top 25 most dangerous software errors. Our layered process combines training, testing, security expertise, tools, and automation to produce secure products using Secure by Design and secure coding practices. This process enables prevention, detection, and response to security issues as they are identified. The latest threat intelligence is used to keep our secure development processes current with the newest threats and vulnerabilities. Performetriks continually works to incorporate new security features into our products as part of its development strategy.

Training

Secure development training is required for personnel involved in software development. Training includes general software security principles and concepts as well as technology-specific guidance.

Security Assessments

The Performetriks Product team is responsible for conducting periodic assessments to verify that required secure processes, policies, and practices are being followed. Performetriks team members conduct these assessments against the OWASP Application Security Verification Standard (ASVS).

Security testing experts conduct periodic external scans and penetration tests to help ensure that software meets or exceeds industry standards. Additionally, an internal security testing team conducts tests on products as needed, prioritizing them on a case-by-case basis.

Test results are delivered to development teams, and findings are remediated based on severity, impact, and likelihood of exploitation.

Security Requirements & Architecture

During requirements gathering, security, privacy, and quality targets are defined and reviewed as needed and appropriate to the development cycle and software components being developed. An assessment of the application risk is performed to understand the likelihood and impact of attacks against the software. Strategies and controls are implemented to mitigate the identified threats.

Performetriks reviews the design and deployment standards for our applications to determine appropriate security configurations. Requirements such as encrypted payloads, SSL certificate checks, at-rest encryption, and application security checks are reviewed. End-user access points and credential input methods are reviewed and verified. Applications are designed to minimize the potential attack surface. Performetriks reviews the types and amounts of data that are expected to be created and/or retained by the end user to ensure that the recommended application configuration is appropriately sized and secure.

Code Review

During the development process, changed or impacted code is reviewed and tested by trusted and experienced team members as part of the Secure Development Lifecycle.

Vulnerability and Defect Management

Issues identified by Performetriks and third-party testing are logged in the defect tracking system, scheduled for remediation, and prioritized by severity. Security issues receive priority attention based on severity, impact, and likelihood of exploitation.

Secure Build

Performetriks developers utilize approved tools and components during application creation. Industry-standard development environments are used, which include processes such as compile-time checks for proper coding standards. The source is kept in a version control system, and consistent build environments are maintained. Defects, source code artifacts, and design documents are archived at each build point within the development process.

Testing

A team of qualified members performs quality verification of the product. Multiple tools and automated testing techniques are utilized throughout the Agile development process to ensure product and configuration consistency and quality. Security functionality is explicitly tested in accordance with industry guidelines, such as those outlined by OWASP and NIST. Tests are based on functional specifications and requirements, and include negative tests, load testing, input boundary analysis, and input combination testing.

Secure Deployment

Performetriks follows a formal release process that leverages input and approval from multiple stakeholders within the company. Product maintenance releases are produced as warranted to address critical issues or incorporate new and updated product features. Throughout the build and deployment process, Performetriks employs numerous controls and checks to ensure supply chain security.