Ensuring the security of enterprise software isn’t an option—it's a necessity.
Increasingly sophisticated cyber threats keep developers and CIOs awake at night.
It is therefore imperative that developers take a holistic approach to safeguarding their applications.
In this post, we explain the comprehensive approach we take to application security at Trellis Energy—from development practices to infrastructure security.
If we’ve done our job right, most of this should be invisible to the user but very visible to anyone with malicious intent trying to penetrate our platform.
The foundations for application security are laid during the development phase.
Secure coding standards are essential for creating robust applications, and a vital resource in this area is the OWASP Top 10.
The Open Web Application Security Project (OWASP) is an international non-profit organization dedicated to web application security.
The OWASP Top 10 is a standard awareness document for developers and web application security, representing a broad industry consensus about the most critical security risks.
As developers, we can significantly increase the security of our apps by understanding and mitigating these risks.
Many commercial applications are developed using the GitHub platform to host and share source code.
Within a GitHub repository, the "main branch" (formerly known as the “master branch”) refers to the definitive branch containing production-ready source code. This is the final product that will be (or is already) deployed to users.
Developers create separate branches off the main branch to develop new features, fix bugs, or experiment with new ideas. Once these changes are complete, they are merged back into the main branch to make them part of the final product.
Before merging updates or new features into the main GitHub branch, it is critical to conduct a code review. This involves multiple developers examining the new code to spot errors, ensure adherence to coding standards, and share knowledge within the team.
Code reviews are a collaborative effort that not only improves code quality but also enhances the security and maintainability of the application.
Integrating code vulnerability scanning into the build process provides a crucial opportunity to spot security risks early.
Tools like Veracode offer Static Application Security Testing (SAST), which examines custom code and third-party libraries for vulnerabilities.
By detecting any issues during the build stage, developers can fix problems before they escalate into security breaches.
Firewalls serve as a barrier between a company’s secure internal network and untrusted outside networks.
A Layer 3 firewall, based on the Oracle Cloud Infrastructure, filters traffic based on IP addresses and ports.
Meanwhile, a Layer 7 web application firewall goes further by inspecting the content of data packets, protecting applications from complex attacks.
Implementing both layers provides comprehensive protection against a variety of threats.
We regularly scan our applications and infrastructure with tools like Qualys to check for vulnerabilities.
Together with automated penetration testing, this helps to preemptively identify weaknesses by simulating cyberattack scenarios.
The results allow us to apply patches that strengthen our defenses, ensuring each application's resilience against outside attack.
System and Organization Controls (SOC) compliance (also known as "Service Organization Control") is a certification that signifies an application's infrastructure and processes have been audited by a third party to ensure they are secure against cyber threats and data breaches.
A SOC Type I report evaluates the suitability of the design of controls at a specific point in time. It assesses whether the controls are properly designed to achieve the desired objectives according to the relevant trust service principles (security, availability, processing integrity, confidentiality, and privacy).
Organizations typically obtain a SOC Type I report as a preliminary audit to demonstrate their commitment to maintaining a secure and efficient control environment.
A SOC Type II report includes everything in Type I but goes further by evaluating the effectiveness of controls over a defined period (usually a minimum of six months.)
It provides assurance of both the design and the operational effectiveness of the controls at meeting their set objectives.
This provides stakeholders with assurance that the organization’s controls are not only appropriately designed but also consistently applied over time.
Achieving SOC compliance is critical for establishing trust with users and stakeholders.
Trellis also insists that any vendors or subcontractors we use are SOC certified.
Separating functions within the development and development operations (DevOps) teams is a strategic practice to reduce errors and security risks.
These divisions ensure that the process of writing code is distinct from deploying it, which helps prevent the introduction of vulnerabilities through unauthorized access to production environments.
Implementing strong password policies and multi-factor authentication (MFA) is essential for verifying user identities.
MFA, in particular, significantly lowers the risk of unauthorized access, even if the first level password has been compromised.
Defining workflows and roles within an application ensures that users only have access to the functions needed for their role.
This fine-grained access control prevents unauthorized actions within the application, as well as restricting access to certain classes of sensitive data, such as identifying information and financial records.
Encrypting data, both at rest and in transit, ensures that sensitive information is secure from interception and tampering.
This is a fundamental aspect of data security that protects against breaches and builds trust.
Encryption is typically achieved using industry-accepted schemes, such as Secure Socket Layer (SSL), Transport Layer Security (TLS), and Pretty Good Privacy (PGP).
Trellis maintains geographically separated active and passive infrastructure and makes regular automated backups so that we can both maximize uptime and move swiftly to restore services in the event of a disaster.
In the event of a major failure—such as the hurricanes that have shut down Gulf Coast natural gas traders for weeks in the past—operations can be quickly restored, minimizing downtime and data loss.
Taking a comprehensive approach to application security requires attention to detail at every stage of the development and deployment process.
From secure coding practices and rigorous code reviews to robust infrastructure defenses and compliance with security policies, each measure contributes to the overall security of the application.
By understanding and applying these principles, software developers like Trellis Energy can protect their applications from emerging threats and ensure a safe and trustworthy experience for our users.
At Trellis Energy, we believe that a modern natural gas supply chain should be digital, efficient, and easy to manage, ensuring the delivery of clean energy when and where it’s needed. We’re in business to make that a reality for natural gas in North America.
Talk to us about Digital Simplification for your climate, trading, and logistics goals.