Secure by Design
Security is at the core of our company. Vaultes first started as a strictly cybersecurity firm in 2016, and over the years we have expanded our work from commercial cybersecurity services into government cybersecurity and more recently, digital services. Though we have evolved our services beyond cybersecurity, security remains a core approach to our work.
Digital Services at Vaultes is broad and includes end-to-end development with a strong focus on DevSecOps, Platform as a Service (PaaS), and Infrastructure as a Service (IaaS), across a range of tech stacks. We have strong human-centered design expertise that includes content design, research, service design, 508 compliance, and information architecture. While we’re experts in a range of methods, tools, and development languages, our work centers on these core values:
- Our work is frictionless – we ensure that our solutions are as easy to work with as our teams
- Our work is secure by design – we choose simple, scalable, and trusted approaches and technologies
What does secure by design mean?
Security should always be a top priority for digital assets, starting from the very beginning. It is far easier to build security into a solution from the beginning, rather than refactor it later. We work in an agile, iterative approach, but believe that even an MVP or V1 should incorporate security best practices from the get-go by selecting the appropriate tech stack.
This, naturally, begins by building a solution to user needs. Our teams are experts at aligning with clients on requirements at the very beginning of the project, and working closely with our stakeholders and our users to understand exactly what needs to happen and when in order to deliver the right solution.
The right solution should be extensible, but that doesn’t mean the team needs to build immediately for all future needs. Our teams know how to balance the immediate needs of a v0 with the future-proofing needs of a fully built-out solution. We aim for simplicity over complexity, as complexity for complexity’s sake can introduce additional attack vectors and security gaps. We leverage modular or microservice architectures to minimize failure potential, maximize fault tolerance, reduce dependencies, ensure scalability, and allow for more robust test coverage and security monitoring. Containerization and mature CI/CD practices mean we have environment parity and incorporate reliable security and functional testing across all environments. We utilize industry best practices and trusted tooling for dependency monitoring and patch management.
What makes a solution insecure?
Overly complex solutions that require too much upkeep to stay secure are bound to introduce vulnerabilities either through code-based or user vectors. Users will always find convenient workarounds if a solution is not intuitive. In urban planning and built environments, these workarounds are known as desire paths. If a sidewalk or path does not represent the most convenient route for a pedestrian, they will develop their own.
A desire path often introduces security vulnerabilities. As another example, imagine your employee must use a complex password to log in to a company tool. If those password requirements are too complicated, your employee will resort to writing their password down on a post-it note and leaving it on their desk for all to see, rendering your security posture moot. Our simple approach encourages users to use digital platforms intuitively, ensuring that metaphorical post-it notes are never needed.
What about our approach is secure?
We leverage open-source tech stacks and tools as much as possible for several reasons. One, popular open-source technologies have robust user communities that provide extensive monitoring and “peer review” over vulnerabilities, errors, patches, and version updates. Not only are such tools and languages supported by a deep well of experts and contributors, but they are also often free or low cost to utilize, ensuring a high return on investment. When appropriate, we utilize off-the-shelf (OTS), custom-off-the-shelf (COTS) tools, Software as a Service (SaaS), PaaS, and IaaS tools. By leveraging tooling and services that have dedicated support and development teams, we benefit from additional layers of security in addition to what our team can provide. No solution is 100% secure, but by taking a Swiss cheese model to risk management, we can ensure that we have multiple methods and channels for identifying potential vulnerabilities.
In addition to our tech stack choices, we are experts in building robust DevSecOps practices that incorporate security, quality, and compliance throughout the development and release lifecycle. This will include incorporating automated security testing, vulnerability scanning, and continuous compliance monitoring into our Continuous Integration and Deployment (CI/CD) pipeline, ensuring that security measures are consistently applied with every code deployment.
We build application health monitoring into all our projects, using native tools such as AWS CloudWatch or third-party monitoring services to track DevOps Research and Assessment (DORA) metrics, application health, performance, and user activity.
Our cybersecurity roots bleed into our digital services projects. Vaultes has completed over 140 assessments for federal systems, including for Federal Information Security Modernization Act (FISMA) Moderate and High-Value Assets. As a certified FedRAMP 3PAO, we undergo independent testing and certification to ensure our expertise in auditing, as well as NIST 800-53 and 800-37 Risk Management Framework (RMF) processes. We understand what it takes to make systems and solutions compliant.
We iteratively release via Agile development methods with structured roll-back processes in place. This allows our teams to quickly course correct or release patches to improve security postures. All of these practices ensure that we are proactively thinking about security from gathering user requirements through release to operation and maintenance.
Case study: Small Business Administration SBA.gov
Over the past three years, our Development and Cloud Engineering team has been an integral partner in developing a modernized and consolidated architecture for flagship SBA.gov. We refactored SBA.gov from a decoupled content management system to an AWS-hosted recoupled architecture and fully updated to the most recent Drupal version. We leveraged the United States Web Design System (USWDS) to develop a customized theme that adhered to security and design best practices. Throughout this process, our team used Agile development methods to incrementally decommission the legacy SBA.gov system and migrate content to a new Drupal application. This approach allowed our team to continue operations on SBA.gov while simultaneously implementing the new Drupal architecture. Perhaps most importantly, this method enabled us to address ongoing needs, such as implementing security updates, during the upgrade.
Our team chose to use Drupal and open-source and off-the-shelf technologies like LAMP stack, IaaS and PaaS tools, and USWDS for this effort for several reasons: they allowed us to move quickly, ensure high performance and high support, and we could leverage multiple layers of security and best practices baked into the technologies themselves. Drupal, for instance, is enterprise-ready, and has security practices baked in such as form data validation, brute force detection, and admin dashboards for auditing login attempts and account provisioning – all of which reduce potential security vulnerabilities like code injections or insecure identity management processes. As a content management system, Drupal has database encryption which can be customized according to Federal and state-specific laws. Drupal provides extensions, called modules, to further customize a site’s functionality, all of which are built with internal security protocols that make it harder for hackers to create vulnerabilities. Since the new SBA.gov is hosted on AWS, there are additional built-in features that improve performance and reduce attack vectors and exploits like DDoS attacks.
We also implemented cybersecurity services to safeguard SBA.gov such as robust logging, continuous monitoring, code sniffing and dependency management tools, and security and uptime alerting to meet SBA’s stringent security requirements. Architecture diagrams and other essential documentation were produced for the development of the system’s Authorization to Operate (ATO) packages, which are crucial for managing and mitigating security risks. Our work with SBA.gov is just one example of how our cybersecurity roots permeate all of our projects. If you’d like to learn more about our approach to Digital Government Services and our Secure by Design practices, schedule time to speak with us at info@vaultes.com.
Experience trusted expertise and digital excellence with Vaultes.