Beacon product security is another foundational element of the security program. A risk-based design approach supports a secure system design and development process. Our Product Security program leverages key elements such as security centric system design, continuous risk assessment of critical components, experienced embedded security teams, and regular code security analysis of all developed system components.
Secure System Design
Beacon leverages a security centric design approach that prioritizes implementation of layered controls focused on minimizing component, integration, and system risk. This includes:
Implementation of a least privilege design program;
Clear separation of duties within the system operation;
Leveraging a layered security design approach (defense-in-depth);
Required mediation of all system activities and operations (zero trust);
Principle of security-in-the-open (e.g., secure coding practices, test for vulnerabilities, use of secure development tools);
Detailed risk assessments of system components; and
Identification, assessment, and implementation of key security features for all integrated components to support total security posture.
Security Risk Assessments
Beacon’s risk management standards establish a series of steps for assessing risk:
Define system and component scope. This includes detailing a comprehensive resource list and outlining touch points between each resource.
Collect operational, implementation, and integration details about each system and component.
Evaluate the system architecture for risks.
Establish a testing plan for each system, component, and their integration points.
Perform third-party vendor and supply chain risk reviews to limit impacts to system operation and development.
Finalize assessment by rolling up all risks to an overall risk posture for the system.
These steps allow the Beacon team to assess risk exposure throughout the design process with an intentional focus on risk mitigation while building security-focused components into the overarching system design.
Embedded Security Teams
The Beacon team includes an embedded security team focused on continuous management of the system security profile. Some key functions of the security team are outlined below:
Continuous security posture management
Threat Monitoring, Identification and Assessment
System operational reviews including log monitoring and alerting
Real-time vulnerability management
Operational security management (e.g., policy updates)
Security reviews (e.g., design, code)
The security team is responsible for maintaining a security-first culture within Beacon.
Code Security Analysis
The Beacon team employs multiple tools to assess vulnerabilities at different stages of the development, testing, and implementation process. Code security analysis techniques include:
Assess code and integrated libraries for emerging vulnerabilities.
Live scan code as it is checked into the source repository.
Perform regular internal and external scans of the production environment.
Static and dynamic code application security testing.
Detailed role-based access control to limit access to assigned support staff only.
Regular review against the OWASP Top 10 and the CWE Top 25.