- Architecture summary
- Ensuring code quality
- Application testing
- Data breach history
- Risk Assessment
Describe your application’s architecture.
ER Express is a SaaS, cloud-based application.
Network diagram (also available for download in the Documents article: Documents & Certificates)
How do you ensure data integrity / ensure code quality?
Our VP of Product performs a code review as part of each major release cycle. Before code is pushed to production, we review for:
2/ user rights / role-based privileges
3/ security configuration
4/ session management
6/ data validation
7/ error handling
In addition, we regularly scan the application for vulnerabilities using a commercial scanning tool and then develop a remediation plan.
Describe your development / change control / coding practices.
ER Express follows an Agile development method that shares its roots with ITIL. Generally, our process is:
- Start with customer goals, written as user stories / needs
- Develop epics, and then features
- Organize user stories into features
- Define work plans and releases
- Develop test plans, which are then organized into requirement-based test suites, with test cases in each test suite for each environment (QA, Production, etc.)
We have three types of releases:
- Major release - change in the first digit of the release # - 12-24 hours advance notification, assuming no downtime
- Small release - change in the second digit of the release # - typically, same-day notification, assuming no downtime
- Bug fix - change in the third digit of the release # - typically, notification after the release, assuming no downtime
We rarely have downtime associated with releases; when we do, we schedule the release for off hours (such as 4 am) to minimize the impact on end users.
How do you test your application?
Do you perform web application vulnerability testing?
We run a scan at least once a quarter, and more often when we have a major release.
We have moved all wiki content related to vulnerability scanning here:
Do you perform network vulnerability testing?
Network vulnerability scanning is conducted regularly by Azure. They do not disclose precise scan dates.
Describe your patching policy
- All patching of our software infrastructure (application, servers, etc.) is handled by Azure.
- All patching of our corporate environment (company laptop operating systems, for example) is handled by Microsoft and pushed out as updates to each laptop. All staff, including part-time staff and contractors, must use company-configured computers.
Has your company and/or data center had a breach in the past 5 years?
Do you have a risk assessment plan? When was it last updated?
We last performed a risk assessment as part of our annual update to our risk management plan. Our risk management plan is available on request.