Security is of the utmost importance in the modern digital age, and we take it very seriously at CobbleStone. In addition to taking the Cybersecurity and Infrastructure Security Agency's (CISA) Secure by Design Pledge, we utilize a robust, multi-layered defense to safeguard our clients' data and systems. This blog entry describes some of the most important security measures we have in place, with a focus on our proactive strategy for threat mitigation and data protection.
The Cybersecurity and Infrastructure Security Agency (CISA) launched the "Secure by Design" program to encourage software developers to incorporate security into the design and development of their products. The goal is to reduce vulnerabilities and make it harder for an attacker to exploit weaknesses in software.
Under this initiative, CISA released the "Secure by Design Pledge," a voluntary, public commitment by software vendors to adhere to a list of key security goals. By signing the pledge, companies demonstrate outwardly that they are dedicated to building security into their products from the very beginning.
CobbleStone Systems is proud to endorse CISA's Secure by Design Pledge, demonstrating our commitment to developing software that is both reliable and inherently secure from the moment it is deployed.
CobbleStone Contract Insight® Enterprise supports Multi-Factor Authentication (MFA), adding an extra layer of security for user logins. Beyond the standard username and password, authorized users can set up additional validation. This can involve requiring a code or answering configurable challenge questions, significantly reducing the risk of unauthorized access.
We maintain a stringent internal password policy, adhering to NIST guidelines, to secure our corporate network. Key aspects of our password management include:
CobbleStone is committed to actively monitoring and managing vulnerabilities. Our approach includes:
Regular Vulnerability Testing: We conduct monthly Vulnerability Penetration (VulPen) tests and reporting using the Qualys platform. We also utilize specialized tools like PenTest Tools, Probely, and ImmuniWeb. Our vulnerability scanning leverages a comprehensive database of over 35,000 checks, ensuring we stay ahead of emerging threats.
Dependency Monitoring: We perform manual source code reviews and Static Application Security Testing (SAST) for all software projects. Each release undergoes thorough vulnerability scanning, including malware scanning and VulPen testing against OWASP standards, using tools like Fortify Static Code Analyzer.
Patch Management: Critical OS and software patches are applied immediately upon verification. If a critical patch cannot be applied immediately, the affected services are disabled until the patch is implemented. We conduct weekly audits of our Vulnerability Management reports.
Zero-Day Vulnerability Response: In the event of a zero-day vulnerability discovery, we issue an immediate stop-usage order for the affected product or service. Our security posture includes keeping systems updated, using antivirus and firewalls, and monitoring networks with a SIEM tool.
Security Controls for Public-Facing Applications: We have implemented several controls, including HTTP Strict Transport Security, Content Security Policy, and Cross-Site Scripting Protection, to protect our public-facing applications.
For our standard SaaS offering, CobbleStone's dedicated IT resources handle all software and vulnerability patching. Critical OS and software patches are applied immediately upon verification to mitigate security risks. If a critical patch cannot be applied immediately, the affected services are disabled until the patch can be applied. We audit Vulnerability Management reports weekly.
CobbleStone will notify clients as soon as possible (and within one hour of confirmation if unresolved) upon confirming a true intrusion, attack, and/or full denial of service affecting the system(s) a client resides on.
This notification will include:
We at CobbleStone are committed to the highest level of security for our clients. We recommit ourselves every day to protecting your valuable data and assuring security, integrity, and availability in our services. We continuously review and update our security practices to stay ahead of evolving threats and to earn your trust.
To see CobbleStone in action, book a free demo today!
Legal Disclaimer: This article is not legal advice. The content of this article is for general informational and educational purposes only. The information on this website may not present the most up-to-date legal information. Readers should contact their attorney for legal advice regarding any particular legal matter.