EngageOne™


Is EngageOne Compose secure? Here’s your Backstage Pass to EngageOne Compose Security Process

By Harish Goteti posted 01-29-2019 12:11


The common question I get from our clients and prospects about EngageOne Compose is: “Is it secure, and can you share some insights?” Every Request for Proposal (RFP) from an opportunity has a full section on security with at least ten questions. In most cases, they are similar.

Today, I will give you a behind-the-scenes tour of the EngageOne Compose security process we follow to deliver a robust and secure product to our clients. We follow a 4-step process to protect the EngageOne Compose solution from vulnerabilities. Here are the steps:

  • Discover
  • Evaluate
  • Communicate
  • Test
  • Deliver

Curious to know the details? Read on… 

Discover 

There are two ways to know if a vulnerability exists in a product.

  1. Run a scan to find out
  2. Client reports a vulnerability 

Both apply to EngageOne Compose as well. The engineering team runs periodic scans with the Checkmarx tool to find potential vulnerabilities. At times, we also receive vulnerability reports from clients who run an internal or external scan. In both cases, we create an issue in JIRA and prioritize it for review.

Evaluate

In this step, we determine the severity of the vulnerability. The outcome is one of two actions:

  1. The engineering team will publish a patch for any critical vulnerability
  2. The issue gets added to the backlog for a fix in a future release 

If you haven’t noticed, we don’t leave any issue without taking action.

Communicate

Pitney Bowes communicates openly and transparently in everything we do. We make sure our clients receive regular updates on all their open issues. We will never leave you in the dark. You will know when to expect a fix for the defect, which helps you schedule any downtime required to apply the patch.

Test

Every new patch goes through our standard testing process, which includes running a full suite of tests to make sure the patch does not introduce new defects. We approve the patch only if all the tests pass without errors.

Deliver 

The patch is made available for download through an announcement. If the patch is only for a specific client, we update the support issue and provide the patch there.

The above process is working well to fix critical vulnerabilities and remediate any remaining vulnerabilities in future releases. 

If you have any questions about the process or are curious to learn more, please start a discussion, and I will join in to share my comments.
