We get this question pretty often: how do you ensure the product is secure? We of course cannot guarantee there will never be vulnerabilities (in fact there have been; just check the NVD), but before we share our methodology with you, consider the following:
- Our code is open; if there is a bug or security issue, it won't be hard to notice it (or to exploit it).
- Our user base is considerable, around 5 to 6 thousand as of today.
- We basically serve the security industry; many security experts test our product thousands of times every year.
- Being open, the product has no “secrets”: the old “security by obscurity” argument (which is what you get from a closed-source vendor) does not apply, and that is a good thing. Just google why open source is as secure as, or more secure than, closed products.
Now, how do we build eramba securely?
- We have had the same development team since pretty much day zero; they know the app and the community very well. Having no attrition means training and knowledge are not dispersed.
- The founder of eramba has been involved in application security around Europe since 2007 as a speaker, contributor, etc. You can Google it. We understand application security; although this is not a guarantee of anything, it is a big plus.
- We have asked friends in the industry to manually review some of the key functionalities in eramba; we do this roughly once a year, not more.
- Every functionality we build is documented from a functional and a testing perspective; this means that we document the security controls and how they will be tested as we design the functionality. This is built into our GitHub workflows and reviews (see https://roadmap.eramba.org).
- We scan our software with Acunetix on pretty much every release, and we make these scan reports public on our enterprise forum too. Anyone can see them.
What if we make a release that contains a security bug?
- We fix it just like we fix stuff every day.
- We make an urgent release (it typically does not take more than a couple of days).
- We notify customers on our forum and explain the issue.
Has this happened?
- Once (discovered by a customer of ours, with whom we collaborated and jointly made the bug public on the NVD), but of course it will happen again in the future! Anyone who builds software at this scale understands this; that is why Facebook, Microsoft, etc. had, have and will have problems.