Focus on security: a closer look at the Brainloop security concept

By Dr. Antoine Scemama on 06. December 2018


Brainloop's solutions enable you to collaborate efficiently and securely. With software development at Brainloop, security is always the highest priority – whether you need to protect everyday business information, critical communication processes for your management and board, or strictly confidential M&A activities. After all, more and more companies are becoming exposed to cyber-attacks and other security threats.

In order to prevent potential security flaws during software development, Brainloop uses the Trustworthy Computing Security Development Lifecycle (abbreviated to SSDLC), a concept for developing secure software that was initially devised by Microsoft. It is tightly integrated into the Scrum development process. The following steps help ensure its successful implementation.

Phase 1: Requirements and Design

The first phase involves defining the security and quality requirements and goals of the proposed software. At Brainloop, we facilitate this by providing every development team with its own security expert. These specialists are known as security champions in the SSDLC environment and they support their teams during the planning process. They check development plans, advise teams on security milestones, make recommendations, and ensure that the security team reserves sufficient resources to meet the development team’s deadlines. If necessary, the security champion and the security team run through the design together and test threat models for certain features. They also coordinate specific security tests when required.

Phase 2: Implementation

In the implementation phase, the development team – which at Brainloop mainly comprises very experienced specialists – programs, tests and integrates the software. Before they implement a work item, it is thoroughly tested again from the security perspective. The objective is to prevent security flaws and correct any that do arise. This minimises the risk that they find their way into the final software version. We have a dual control principle that ensures that every new line of code is checked by a second developer before it is integrated. Security-critical code is checked again by the security champion or the security team.

Phase 3: Verification

At this point in development, the software includes the entire set of features. During the beta test process, the quality assurance (QA) team tests all the functionality again and runs additional security tests. Before it is released, the software code is also checked using machine-based scanning tools such as Veracode, which also flag any flaws. The WhiteSource solution also analyses third-party libraries. If any changes were made to security-related areas of the software, the security team or security expert carries out an internal audit. Sometimes they also order an external penetration test.

More measures on top

On top of all the measures taken during the software development phases, we include additional ones that are a key part of our security concept. An external penetration test is carried out once a year for each application. This involves a “hacker” being commissioned to test all applications and software components for flaws and to check how they resist common types of attack. This outsider view is invaluable to Brainloop. Another interesting point is that our large enterprise customers also audit and test the applications on their own in order to obtain an independent view.

And there are other ways that ensure security is always at the forefront of what we do. We have a sort of bounty system whereby any of our employees can make the development teams aware of potential security flaws and receive a reward for doing so. In addition, regular in-house and external training courses ensure that our developers and security specialists are always up to speed on the latest techniques.

That way, security risks have no chance.
