ABC-Plan Security Policy

Security isn’t just a buzzword at ABC-Plan; it’s a foundational principle that guides everything we do. Your data’s safety is our top priority, and we employ a variety of industry-leading strategies to ensure it. Learn how our quality practices reinforce these security efforts.

Our Security Framework

We prioritize security through a multi-faceted approach that aligns with stringent industry standards. Our security governance ensures robust protection for both our organization and your data. We employ SecOps (Security Operations) to merge security practices with IT operations, bridging the gap between development and operations teams. Our DevSecOps program seamlessly integrates security throughout the entire software development lifecycle. Additionally, we follow the NIST Cybersecurity Framework, incorporating its core functions: Identify, Protect, Detect, Respond, and Recover. This helps us conduct regular risk assessments, enforce strong access controls, provide continuous monitoring, and maintain robust incident response and recovery plans, ensuring comprehensive protection against cybersecurity threats.

DevSecOps

Our DevSecOps program is designed to integrate security into every phase of the software development lifecycle. From initial requirements to release, we adhere to stringent security standards and employ a comprehensive set of tools and practices to ensure robust protection against threats.
 
  • Requirements: Security by design. We follow the OWASP Application Security Verification Standard (ASVS) to ensure security considerations are integrated into project requirements.
  • Design: Our approach involves “red team” thinking, using tools such as Threat Dragon in conjunction with ChatGPT, which help us identify and address potential threats during the design phase.
  • Implementation: We conduct security code reviews to identify and mitigate vulnerabilities in the implementation phase.
  • Testing: We are constantly raising the bar on testing, including areas such as Software Composition Analysis (SCA), Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Penetration Testing (Pen Testing). Specific tools include Snyk, Semgrep, OWASP ZAP, and Sentry, all orchestrated with GitLab Security.
  • Release: We prioritize security in the release phase with practices such as credential refreshing, auditing, monitoring, and maintaining a Product Security Incident Response Team (PSIRT) with a CVSS calculator for assessing vulnerabilities.

Key Security Basics

Getting down to nuts and bolts, here are some of the basic methods we use to safeguard your data:  

  • Input Validation: Ensures only properly formatted data is allowed.
  • Encryption: Scrambles your data in transit and at rest to make unauthorized access virtually impossible. We use AES (Advanced Encryption Standard) for encrypting data at rest, and TLS (Transport Layer Security) for encrypting data in transit (source: GCP). Google manages cryptographic keys using its own hardened key management systems (source: GCP).
  • Authentication (AuthN) & Authorization (AuthZ): Verifies who you are and what you can access.
  • Security Configuration: Toughens the security settings of our apps and systems.
  • Monitoring: Provides round-the-clock surveillance for early threat detection.
  • Credential Refreshing: Keeps access keys and passwords updated regularly.
  • Auditing: Monitors operational outcomes for consistent performance.
  • Logging: Keeps a secure record of all actions and changes, including authentication attempts and failures to detect potential unauthorized access.
  • Session Management: Secures user sessions from start to finish.

Password Policy: Customers

ABC-Plan utilizes Google Firebase Authentication, a secure, enterprise-grade authentication system that ensures robust protection for your user accounts.

  • Enterprise Single Sign-On: Customers can opt for Single Sign-On via SAML integration, allowing organizations to manage authentication through their existing identity providers and apply their own password policies.
  • Password Strength Requirements: For standard authentication, we enforce strict password requirements. Passwords must be between 8 and 100 characters in length. We implement the zxcvbn password strength estimator developed by Dropbox and require passwords to achieve the maximum strength score of 4, which ensures protection against even sophisticated offline attacks (requiring 10 billion or more guesses to crack). For more details on this scoring system, see the zxcvbn documentation.

SecOps

Our SecOps strategy ensures comprehensive protection and operational efficiency through regular penetration testing, stringent data backup routines, and adherence to GDPR regulations. We employ a multi-layered virus control approach including automated scanning of file uploads, regular system scans, and industry-standard malware detection tools integrated with our cloud infrastructure. We prioritize system maintenance, asset management, and cybersecurity training, while maintaining a high service level with a 99.9% monthly uptime and proactive breach notification protocols.
 
  • Penetration Testing: We conduct regular internal penetration tests to identify and rectify vulnerabilities. Our systematic approach includes defining objectives, assembling teams, executing tests, and analyzing results.
  • Backups: We take nightly data snapshots to safeguard against loss and test disaster recovery quarterly.
  • GDPR Compliance: We handle your data in compliance with GDPR regulations.
  • Training: Cybersecurity awareness training.
  • Asset Management: Track and manage physical IT assets.
  • Maintenance: Regular system maintenance of production systems and IT assets.
  • Service Level: We provide a Monthly Uptime Percentage of 99.9% and the underlying Google Cloud Platform provides uptimes in the same or better ranges (for more information see Google Cloud Platform Service Level Agreements).
  • Notification: In the unlikely event of a data breach, we will promptly notify affected customers upon detection and after conducting a preliminary investigation, ensuring they receive timely and sufficient information.

Password Policy: Employees

Employees and contractors are required to use passwords that are at least 12 characters long with a mix of letters, numbers, and symbols. Passwords should be changed at a frequency reflecting the level of security needed for the system, for example every 90 days for systems that access customer data. Passwords should be stored and managed in a secure password manager. Enable 2FA whenever a third-party system offers it.

Related Security Policies

Below are security policies for products and infrastructure that we rely on:
See also ABC-Plan’s Privacy Policy.

ABC-Plan Domain Whitelist Requirements

For customers who access ABC-Plan from networks with strict security policies, the following outlines the official Google Cloud domains that may need to be whitelisted in corporate firewalls to ensure proper functionality of the application.

Web Application Frontend

  • Domain Pattern: *.firebaseapp.com
  • Example: https://abc-plan-prod.firebaseapp.com
  • Purpose: Hosts the main web application interface
  • Official Documentation: Firebase Hosting documentation

First-Generation Cloud Functions

  • Domain Pattern: *.cloudfunctions.net
  • Example: https://us-central1-abc-plan-server-prod.cloudfunctions.net
  • Purpose: Hosts serverless backend functions (API endpoints)
  • Official Documentation: Cloud Functions documentation

Second-Generation Cloud Functions

  • Domain Pattern: *.a.run.app
  • Example: https://abcgcfhealthcheck-2o5s2viyka-uc.a.run.app
  • Purpose: Hosts newer serverless backend functions
  • Official Documentation: Cloud Run documentation
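For teams implementing the allowlist above in a proxy or egress filter, here is an added Python example (not ABC-Plan's own code) that checks a request URL against the three wildcard patterns. It assumes the wildcard stands for one or more DNS labels and anchors the match at a label boundary, so a lookalike host that merely contains an allowed suffix, a userinfo trick in front of an '@', or a plain-HTTP URL is rejected; the sample URLs are the page's own examples plus constructed lookalikes.

```python
from urllib.parse import urlsplit

# Allowlist patterns from the page above; '*' stands for one or more DNS labels.
ALLOWED_PATTERNS = ("*.firebaseapp.com", "*.cloudfunctions.net", "*.a.run.app")


def _normalize_host(host: str) -> str:
    # DNS names are case-insensitive; a trailing dot (the root) is equivalent to none.
    return host.lower().rstrip(".")


def host_matches(host: str, pattern: str) -> bool:
    """True if host matches a '*.suffix' pattern anchored at a label boundary.

    The wildcard must cover at least one full label, so the bare suffix
    ('firebaseapp.com') does not match, and neither does a lookalike that
    merely contains it ('abc-plan-prod.firebaseapp.com.evil.example').
    """
    host = _normalize_host(host)
    if pattern.startswith("*."):
        suffix = _normalize_host(pattern[1:])  # e.g. ".firebaseapp.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == _normalize_host(pattern)


def is_allowed_url(url: str, patterns=ALLOWED_PATTERNS) -> bool:
    """Decide whether a request URL falls inside the allowlist (HTTPS only)."""
    parts = urlsplit(url)
    # .hostname drops userinfo and port, so 'https://x.firebaseapp.com@evil.example/'
    # resolves to evil.example, not to the allowlisted name in front of the '@'.
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return False
    return any(host_matches(host, p) for p in patterns)


if __name__ == "__main__":
    # Constructed sample: the page's own example URLs plus lookalikes that must be rejected.
    sample = [
        "https://abc-plan-prod.firebaseapp.com",
        "https://us-central1-abc-plan-server-prod.cloudfunctions.net",
        "https://abcgcfhealthcheck-2o5s2viyka-uc.a.run.app",
        "https://abc-plan-prod.firebaseapp.com.evil.example/",
        "https://abc-plan-prod.firebaseapp.com@evil.example/",
        "http://abc-plan-prod.firebaseapp.com",
        "https://firebaseapp.com",
    ]
    for url in sample:
        print(("ALLOW " if is_allowed_url(url) else "BLOCK ") + url)
```

Firewall products differ in how they interpret a leading wildcard; the label-boundary rule here is the strict reading and is the one to verify in your vendor's documentation.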

Contact Us

Questions about our security measures? Reach out to us at [email protected]. If you would like to speak to our Designated Privacy Officer, our cofounder & CTO, Michael Osofsky, would be glad to discuss any security topics with you; his contact information is just his first name at our domain name.
