Security Control

During the product planning and design phase, Alpha Serve uses threat modelling to understand the specific security risks associated with an application or one of its features. In addition, every new feature goes through a code-review process that, among other things, includes checking its security level.

Control Levels

  • Alpha Serve uses internal systems for application monitoring and error tracking.

  • The QA team performs ongoing automated vulnerability scans using the Burp Suite vulnerability scanner.

  • The users and the wider community are encouraged to report suspected security incidents to Alpha Serve Support.

In the near future, Alpha Serve intends to implement a SIEM platform to collect logs from various sources in the hosting infrastructure and to track and flag any suspicious activity. Our employees are studying the advantages and disadvantages of the SIEM vendors on the market in order to choose the most suitable one.

Vulnerabilities Check

Alpha Serve takes vulnerability management seriously for all of its applications. This approach consists of both internal and external security testing.

Below is a list of some of the vulnerability classes that we check for by internal and external means:

  • Cross Instance Data Leakage/Access

  • Server-side Remote Code Execution (RCE)

  • Server-Side Request Forgery (SSRF)

  • Stored/Reflected Cross-site Scripting (XSS)

  • Cross-site Request Forgery (CSRF)

  • SQL Injection (SQLi)

  • XML External Entity Attacks (XXE)

  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc.)

  • Path/Directory Traversal Issues

The only exclusions from our security testing program are low-risk vulnerability types, which are managed separately.

Penetration Testing

Only employees holding a degree in computer science perform internal penetration testing at Alpha Serve. As an employer, Alpha Serve encourages employees to self-educate in web security.

During penetration testing, the Alpha Serve team uses the following approaches to find vulnerabilities:

  • Code-assisted approach: manual code analysis (reading the source code, tracing the source of all parameters, checking validation and access control, etc.);

  • White box approach: manual UI testing (entering unsafe data and watching for unexpected behaviour, etc.);

  • Threat-based approach: testing focuses on a particular threat scenario;

  • Automated scanning tools (Burp Suite, which is useful for catching obvious flaws).

When a vulnerability is identified by one of our employees or by external testers, the actions defined by this Application Security Policy are executed. We aim to fix security bugs as soon as possible.