Security Control
During the product planning and design phase, Alpha Serve uses threat modelling to understand the specific security risks associated with an application or one of its features. All new features also go through a code-review process that, among other things, includes a security review.
Control Levels
Alpha Serve uses Sentry for application monitoring and error tracking. This tool allows you to analyze application logs, capture any unhandled exceptions, see the impact of each problem, and generate useful reports.
The QA team performs ongoing automated vulnerability scans using the Burp Suite vulnerability scanner. Our cloud applications also participate in the Atlassian Bug Bounty Program, which ensures that our systems are constantly tested.
The users and the wider community are encouraged to report suspected security incidents through Alpha Serve Support or Service Desk.
Alpha Serve has implemented a SIEM platform to collect logs from various sources in the hosting infrastructure and to track and flag any suspicious activity. This currently covers some of our applications and will be extended to all of them.
Vulnerabilities Check
Alpha Serve takes vulnerability management seriously for all applications. Our approach combines internal and external security testing with the Bug Bounty program.
An always-testing model using a crowd-sourced bug bounty is applied. Alpha Serve participates in the Bug Bounty Program of the Atlassian Marketplace. Currently, a private bug bounty program for our applications is hosted by Bugcrowd. The goal of this program is to ensure that our applications are constantly tested for security vulnerabilities.
Below is a list of some of the vulnerability classes that we check for by internal and external means:
Cross Instance Data Leakage/Access (unauthorized data access between instances)
Server-side Remote Code Execution (RCE)
Server-Side Request Forgery (SSRF)
Stored/Reflected Cross-site Scripting (XSS)
Cross-site Request Forgery (CSRF)
SQL Injection (SQLi)
XML External Entity Attacks (XXE)
Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc.)
Path/Directory Traversal Issues
The only exclusions from our security testing program are low-risk vulnerability types. These types are managed separately.
Penetration Testing
Only employees with a degree in computer science perform internal penetration testing at Alpha Serve. As an employer, Alpha Serve encourages employees to self-educate in web security.
During penetration testing, the Alpha Serve team uses the following approaches to find vulnerabilities:
Code-assisted approach: manual code analysis (read source code, trace the source of all parameters, validation, checking access, etc.);
White box approach: manual UI testing (enter unsafe data and watch for unexpected behaviour, etc.);
Threat-based approach: testing focuses on a particular threat scenario;
Automated scanning tools (Burp Suite - useful for catching obvious flaws).
When a vulnerability is identified by one of our employees or by external testers, the actions defined in this Application Security Policy are executed. We aim to fix security bugs as soon as possible, in accordance with our SLA.