Our Secure by Design Pledge

By Dave Brown, Head of Security and Compliance at Andesite

Building software that is secure by design is at the heart of what we at Andesite are passionate about – it’s the core of our mission and what we pursue as a security vendor. That’s why we proudly signed the CISA Secure by Design Pledge. From foundation to general availability, and since then, we have diligently worked through the Pledge goals to build security and compliance within our product. 

We have developed an internal auditing process with over 450 continuous monitoring controls that constantly validate our work against the Pledge, and we’re proud to openly share that in our Trust Center. That is one of many measures we take to ensure built-in security, compliance, and privacy controls for our customers’ and their customers’ data and networks.

Multi-factor Authentication (MFA)

We are fully committed to implementing multi-factor authentication (MFA). Our Shared Security Responsibilities Matrix outlines that all customers must use their identity provider (IdP) with MFA as part of our commitment to security by default. We integrate with all major identity providers and require that 100% of our customers link their platform instance to their IdP and MFA. We also collaborate with our customers to facilitate the integration of their IdP and MFA during the onboarding process.

Default Passwords

The customer is responsible for addressing default passwords, as we require them to use their identity provider and multi-factor authentication for administrator and user access to our platform. Our primary goal is to help reduce their risk by ensuring that they maintain user access through their chosen identity provider and meet multi-factor authentication requirements.

Reducing Entire Classes of Vulnerability

We have made tremendous progress by implementing tools to address vulnerabilities in our systems at three stages. This includes Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST). These tools enable us to identify vulnerabilities throughout our development, staging, and production phases.

Additionally, twice a year we undergo penetration testing and artificial intelligence assessments to verify the security, compliance, and trustworthiness of our AI systems. We have also partnered with a security company that specializes in attack resistance management, continuous assessment, and process enhancement for our Bug Bounty program.

Looking ahead, we are committed to developing a vulnerability notification program for our customers, which will include information on Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) as part of our comprehensive application security (AppSec) strategy.

Security Patches

As our Shared Security Responsibility Matrix outlines, we are responsible for security patching. We conduct quarterly Approved Scanning Vendor (ASV) scans and assessments to prepare for the Payment Card Industry Data Security Standard (PCI DSS). Customers who self-manage our product are responsible for all security patches on those systems.

Evidence of Intrusions

Customer notifications are an essential part of our Incident Response Plan. For confirmed or suspected security incidents, we will collaborate with our customers in good faith to provide the necessary logging to support incident response efforts and meet any regulatory requirements to which the customer must adhere. Customers are fully responsible for evidence of intrusion, logging, or user access, and for providing their IdP with the credentials required for access to their Andesite single-tenant instance.