abluva doctrine
Pioneering Excellence with Security at its Core,
Where Innovation Meets Unyielding Commitment
At Abluva, we embody our commitment to excellence by adhering to the principle of doing it right from the start. Prior to the inception of our security software, we meticulously aligned ourselves with the right principles, ensuring that our creations are not only user-friendly but inherently secure. To fortify this commitment, we established secure protocols for product development, incorporating best-in-class User Experience (UX) principles and adhering to industry standards to minimize the learning curve. Our dedication to security is underscored by achieving ISO 27001 certification. Furthermore, we've devised our own robust Secure Software Development Life Cycle (SSDLC), drawing inspiration from industry leaders like OWASP and Google, to ensure the highest standards of security throughout our development process.
Human Machine interface
At Abluva, our Human-Computer Interface Philosophy is the bedrock of our commitment to revolutionising user experiences within the domain of data security. Guided by fundamental User Experience (UX) design principles, we are dedicated to seamlessly merging human intuition with cutting-edge technology. Our HCI Philosophy is encapsulated by the following key principles listed here.
As we navigate the intricate landscape of data security, Abluva's HCI Philosophy stands as a testament to our unwavering dedication to user satisfaction, excellence in design, and adherence to industry standards.
Human First Approach UX Design
- Simplicity
Intuitive and user-friendly interfaces. Minimise cognitive load, and ensure that interactions with software are effortlessly intuitive.
- Consistency
Predictability and coherence, fostering a sense of familiarity and reliability across all products. Adhere to industry standards such as ISO 9241-210 for ergonomic design of human-system interaction.
- Accessibility
Adheres to accessibility standards, making it usable by individuals with diverse abilities in accordance with WCAG 2.0 guidelines.
- Hierarchy
Hierarchy in design ensures that users can easily navigate and prioritise information based on its significance.
- Context
Implement the contextual nature of user interactions, ensuring that the software adapts seamlessly to varying user needs and scenarios.
- Feedback
At Abluva we value the importance of providing meaningful and timely feedback to users, ensuring a responsive and informative user experience that fosters user confidence and engagement.
Abluva’s Secure Software Development LifeCycle.
At Abluva, security is not an afterthought; it's an integral part of our software development process. We are committed to building and maintaining secure products that protect our customers' data and systems. This is why we have implemented a rigorous Secure Software Development Lifecycle (SSDLC) that encompasses the entire software development process, from requirements gathering to deployment and maintenance.
Our SSDLC is designed to identify and mitigate security risks at every stage of the development lifecycle. This helps us to prevent security vulnerabilities from being introduced into our products in the first place. In addition, our SSDLC includes a robust testing and validation process to ensure that our products are secure and meet all relevant security standards.
Highlights of Our SSDLC
- We conduct threat modeling to identify and assess potential threats to our products. This helps us to prioritize security risks and develop appropriate mitigation strategies.
- We perform risk assessments to quantify the potential impact of security vulnerabilities. This helps us to make informed decisions about how to allocate resources to security mitigation activities.
- We implement secure coding practices to prevent common programming errors that can lead to vulnerabilities. This includes using strong encryption, input validation, and error handling.
- We conduct a variety of security testing activities, including static application security testing (SAST), dynamic application security testing (DAST), and penetration testing. This helps us to identify and remediate vulnerabilities before our products are deployed.
- We follow secure deployment practices to ensure that our products are deployed securely and that all security configurations are set correctly.
- We have a comprehensive incident response plan in place to deal with security incidents in a timely and effective manner.
Our Commitment to Security
We are committed to continuously improving our SSDLC and to staying up-to-date on the latest security threats and vulnerabilities. We believe that our SSDLC is a key factor in our success and that it helps us to deliver the secure and reliable products that our customers demand.
Product Development Process
Overview of Product Development Process
Proof of Concept
Focus : Testing the waters (black-box assessment)
Activity : Ensure the libraries being used, OSS or otherwise, are reliable, scalable, and functionally rich enough to support the product roadmap. Activities in this phase include using the library with various inputs/sources and testing key capabilities.
Outcome : List of foundational libraries to use.
Initial code tinkering
Focus : Building initial code understanding
Activity : In this phase, we start making changes to the available code, create specifications, skeletons, and hooks (for later use), add hardening to-do hints (e.g. use SSL, pull password from secrets manager), and use stubs for testing the changes. Microservices with clear boundaries should start emerging here.
Outcome : Modified (extensible) code, specifications.
Basic integration
Focus : First hop integration
Activity : Neighbouring modules align themselves as per specification, and run a connected flow.
Outcome : Semi-connected platform.
Control plane
Focus : Multi-hop Integration
Activity : Integrate all the components - centralise authentication, authorization, have basic gateway, use client-IDs, unify datastores.
Outcome : Integrate all the components - centralise authentication, authorization, have basic gateway, use client-IDs, unify datastores.
Cloud enabled
Focus : Cloud enablement
Activity : Setup cloud services, replace dockerized services with managed.
Outcome : Platform running on cloud.
Quality version
Focus : Quality (including code security)
Activity : Extensive feature testing, code reviews, edge cases, shift-left security and general SAST/VAPT.
Outcome : Functionally stable version (w/o security issues)
Scalable version
Focus : Scalability
Activity : Performance testing, load/stress testing, pod-scaling, resilience, web-loading times, query optimisation, ALB/NLB/Envoy.
Outcome : Infinitely scalable platform
Automated operations version
Focus : Deployment/Operations automation
Activity : Create Ansible/helm-chart/terraform scripts, enable monitoring, define metrics and alerts, define notification templates.
Outcome : Automated deployment, monitoring and control.
Secure version
Focus : Secure cloud operations
Activity : Cloud hardening, CIS checks, kubernetes security policies, ECR scans.
Outcome : Secure infrastructure for deployment
Compliant version
Focus : GxP compliance
Activity : Infrastructure qualification, Operational qualification, summary reports, security report.
Outcome : GxP compliant platform
Product Development Process
Proof of concept
Conducting a black-box assessment, we rigorously evaluate the reliability, scalability, and functionality of OSS libraries for our data security product. Through diverse input testing, we aim to identify foundational libraries aligning with our product roadmap, ultimately yielding a curated list of essential tools.
Initial code tinkering
Initiating the code development journey, our focus lies in comprehending the existing codebase. Through activities such as crafting specifications, creating skeletons, establishing hooks for future enhancements, and embedding hardening hints (e.g., SSL implementation, secure password retrieval), we pave the way for the evolution of microservices with distinct boundaries. The ultimate outcome is a strategically modified and extensible codebase, accompanied by comprehensive specifications.
Basic Integration
In the phase of first hop integration, our emphasis is on aligning neighboring modules according to specifications, ensuring a seamless connected flow. The result is the establishment of a semi-connected platform, where these integrated components work cohesively to lay the initial foundation for a robust and interoperable system.
Control plane
In the pivotal stage of multi-hop integration, our primary activity involves the comprehensive integration of all components. This includes centralizing authentication and authorization, implementing a foundational gateway, incorporating client-IDs, and unifying datastores. The ultimate outcome is the establishment of end-to-end value-added flows. Initially, this phase serves as the bedrock, providing a foundation that not only streamlines existing services but also facilitates the seamless addition of more services in the future.
Cloud enabled
In the strategic focus on cloud enablement, our primary activity involves setting up cloud services and transitioning from dockerized services to managed solutions. This transformation culminates in the successful outcome of our platform running seamlessly on the cloud, leveraging the scalability, efficiency, and managed features provided by cloud infrastructure.
Quality version
In our dedicated pursuit of quality, encompassing both functionality and code security, our activities revolve around extensive feature testing, meticulous code reviews, consideration of edge cases, and the implementation of shift-left security practices, including Static Application Security Testing (SAST) and Vulnerability Assessment and Penetration Testing (VAPT). The intended outcome is the delivery of a functionally stable version devoid of any security issues, ensuring a robust and secure software product.
Scalable version
In the pursuit of scalability, our strategic focus involves rigorous performance testing, load and stress testing, pod-scaling for dynamic resource allocation, resilience testing, optimization of web loading times, and fine-tuning query performance. Additionally, we implement technologies like Application Load Balancers (ALB), Network Load Balancers (NLB), and Envoy to enhance scalability. The desired outcome is the creation of an infinitely scalable platform, capable of seamlessly handling increased workloads and ensuring optimal performance under varying conditions.
Automated operations
In the pivotal focus on deployment and operations automation, our key activities include the creation of Ansible, Helm Chart, and Terraform scripts. Concurrently, we establish a robust monitoring framework, define essential metrics and alerts, and craft notification templates. The ultimate outcome is the realization of automated deployment processes and a comprehensive monitoring and control system, streamlining operations for increased efficiency and reliability.
Secure version
In the dedicated focus on securing cloud operations, our activities revolve around cloud hardening practices, implementation of Kubernetes security policies, and regular Elastic Container Registry (ECR) scans. The intended outcome is a fortified cloud infrastructure and Kubernetes environment, ensuring a robust defense against potential vulnerabilities and threats. This comprehensive approach contributes to the creation of a secure cloud operations environment, enhancing the overall resilience of the system.
Compliant version
In our emphasis on GxP (Good Practice) compliance, key activities include infrastructure qualification, operational qualification, generation of comprehensive summary reports, and a thorough security report. The ultimate goal is to establish a GxP-compliant platform, ensuring that the infrastructure and operations adhere to the stringent quality standards outlined in regulatory frameworks. The outcome is a platform that meets the necessary criteria for reliability, security, and traceability, aligning with GxP compliance requirements.