Application Architecture

 

Contents

  • Architecture summary
  • Ensuring code quality
  • Application testing
  • Data breach history
  • Risk Assessment

Describe your application’s architecture.

ER Express is a Saas/cloud-based.

Network diagram (also available for download on in the Documents article here: Documents & Certificates

mceclip0.png

How do you ensure data integrity / ensure code quality?

Our VP of Product performs a code review as part of each major release cycle. Before code is pushed to production, we review for:
1/ authentication
2/ user rights / role-based privileges
3/ security configuration
4/ session management
5/ logging
6/ data validation
7/ error handling
8/ encryption

In addition, we regularly scan the application for vulnerabilities using a commercial scanning tool and then develop a remediation plan.

Describe your development / change control / coding practices.

ER Express follows an Agile development method that shares its roots in ITIL. Generally, our process follows:

  • Start with customer goals, written as user stories / needs
  • Develop epics, and then features
  • Organizes user stories into features
  • Define work plans and releases
  • Develop test plans, which are then organizes into requirement-based test suites, with test cases into each test suite for each environment (QA, Production, etc.)

We have three types of releases:
Major release - change in the first digit of the release # - 12-24 hours advance notification, assuming no downtime
Small release - change in the second digit of the releas # - typically, same day notification, assuming no downtime
Bug fix - change in the third # of the release # - typically, notified after the release, assuming no downtime
We rarely have downtime associated with releases; when we do, we schedule the release for off hours (such as 4 am) to minimize the impact to end-users

 

How do you test your application?

Do you perform web application vulnerability testing?

We run a scan at least once a quarter; more regularly if we have a major release.
// We have moved all wiki content related to vulnerability scanning here:
https://erexpress-repo.visualstudio.com/ER Express/_wiki/wikis/ER-Express.wiki/230/Vulnerability-Scanning-Process-for-Security-Reviews

 

Do you perform network vulnerability testing?

Network vulnerability scanning is conducted regularly by Azure. They do not disclose precise scan dates.

 

Describe your patching policy

  • All patching of our software infrastructure (application, servers, etc.) are handled by Azure.
  • All patching our corporate environment (company laptop operating system, for example) are handled by Microsoft and pushed out as updates to each laptop. All staff, including part-time and contractors must use company-configured computers.

 

Has your company and/or data center had a breach in the past 5 years?

No

 

Do you have a risk assessment plan? When was it last updated?

We last performed a risk assessment as part of our annual update to our risk management plan. Our risk management plan is available by request

Have more questions? Submit a request