10th November 2021
Infosec 101: What ‘security by design’ means at ComplyAdvantage
By Neil Acworth, Head of Security Engineering
Enthusiasts of space exploration will be familiar with NASA’s infamous Mariner 1 space probe. Launched in 1962 to great fanfare, within five minutes it had veered off course and had to be destroyed. $80m (quite literally) went up in smoke. The incident investigation later revealed that a single mathematical symbol had been misunderstood by a software developer. This typo led to a navigation error and what science fiction writer Arthur C Clarke termed ‘the most expensive hyphen in history.’
My takeaway from this saga? Security is a weak-link game.
Fortunately, in the aerospace industry at least, we’ve moved on from making aircrafts work to making them safe. However, in lots of organizations, software engineering still has to catch up. As engineers, we need to pay attention to the details to make sure that we catch the ‘typos’. But we also need to take a deeper approach to defense because we know attackers will find and exploit any mistakes we make.
At ComplyAdvantage, we recognize that it’s not enough to have perimeter firewalls, anti-virus and regular penetration tests – although we have implemented all of this. We need to engage in security (and privacy) by design. The first step towards achieving this is to understand the evolving threat environment we’re facing – this includes our attackers’ motivations and capabilities. We can then build security in, from the ground up, to meet these challenges.
As a relatively young company, we benefit from not having to nurse legacy software that was built in a much less complex risk environment. Our software is built to address today’s threats. It has multiple layers of protection, it’s cloud-native, and runs largely in ephemeral, short-lived containers that are regularly recycled and updated, making them harder to attack.
There are a raft of automated measures in place to verify the security of our platform, from code analysis tools and gizmos that check for insecure 3rd party components to various flavors of vulnerability scanners. But you can’t simply automate your way to security. So we provide security training for our engineers, we’re recruiting more security specialists (if you’re interested, we’d love to hear from you) and we’re continually assessing how we can improve our processes.
Despite the relative youth of our rocketship company, we’re big and successful enough to have a mature approach to security – but it’s not enough for us to just say all of this. So as well as penetration testing carried out by CREST registered external testers, we have qualified third-party auditors to check up on us regularly. We’re certified to the international standard for information security, ISO 27001, and we’re looking forward to gaining additional credentials as a demonstration of our continued commitment to keeping our customers’ data safe and our service the best on the market.
Disclaimer: This is for general information only. The information presented does not constitute legal advice. ComplyAdvantage accepts no responsibility for any information contained herein and disclaims and excludes any liability in respect of the contents or for action taken based on this information.
Copyright © 2021 IVXS UK Limited (trading as ComplyAdvantage).