Security is our top priority here at Notarize. One of our core initiatives for 2019 was to take a look inward and ensure that we had the same levels of security as we utilized externally. The reasoning behind this is simple: one compromised internal account could potentially have ultimate access to all “golden” data.
With 2019 in the rearview mirror, there's no better time to revisit some of the security improvements we made to offer safer transactions on our platform. Let's take a look at some of the major security achievements we made over the last calendar year.
Contrary to what you may see in news headlines, security is something that everyone at an organization must buy into and work towards. Without the partnerships and cross-functional collaboration, security would be marginal at best. As cliche as it might sound, teamwork really does make the dream work.
Aside from the common usage of Identity Access Management (IAM) software and Role Based Access Control (RBAC), the Notarize security team focused heavily on log collection and correlation. Our team was able to gain invaluable information about internal usage – location, access times, devices, etc. – by leveraging logging of Firewalls, VPN, custom app logging, and through IAM tools.
From these baselines, we derived active alerting and reviews of some key events to gain a more proactive vantage point. Overall access alerts are generated and sent to the IT and Security team in either real-time or on a scheduled interval, depending on usage.
We also revamped our Open Web Application Security Project (OWASP) training for the Engineering team, complete with a pen and paper written test. The pen and paper tactic helped direct the focus more on learning and understanding the concepts rather than using Google to log a perfect score.
This tied into our practice of reviewing the OWASP Top 10 for every code push. In the same vein, we revamped our internal security awareness training for everyone in the company. Videos around a specific security topic are released at regular intervals over the course of the year.
We continued to monitor and push our external security posture forward as well. We expanded our penetration tests to include all ingress points of our system, including development environments and tools. This increased scope gives us our full online presence and provided some insights as well as actionable goals over the year.
Though we run our own internal scans, we utilized a remote external provider for this and our first intrusive web application testing. We provided logins to all portals and gave the testers an intro to flow and behavior. Testing occurred over a week and a half time frame on our pre-production environment and included a battery of tests, both automated and manual. Once again, the findings were insightful and utilized to further refine the security of the platform.
Finally, it's important to highlight that we completed our SSAE 18 SOC 2 Type 1 report. This report evaluates the business information systems that relate to security, availability, processing integrity, confidentiality, and privacy for a point in time: in our case, December 31, 2019. All of the above improvements, along with the countless other policies and procedures we have created and refined, allowed this to be accomplished.
Last year was a banner year for the Security and IT teams at Notarize, and we're eager to expand and pursue new challenges as 2020 progresses.