Security is a big deal at Flux. Our platform looks after electricity and gas supply and usage for 10 energy retailers in three markets around the globe. We hold a lot of sensitive personal data, so it’s important that we keep it secure for a whole lot of reasons. We have to meet legal compliance regulations, maintain our reputation and uphold our values, so we like to be proactive about keeping things locked down. Here are some of the things we do to keep our users’ data safe.
Our software is built on Ruby on Rails, which makes it easy to write code securely. By following good practice and using the framework’s capabilities, we minimise the risk of leaving ourselves open to common vulnerabilities. It’s hard to write Rails code that’s vulnerable to SQL injection or XXE, for instance.
Every line of code that makes its way to production has at least three sets of eyes over it: the original author and two independent reviewers. The second of these principally looks for security and performance issues.
We’re an inquisitive lot, particularly around information security. Lots of the Flux crew attend events like Kiwicon and keep updated on infosec developments. We’re proud to be part of the Open Web Application Security Project (OWASP), a non-profit foundation that works to improve software security. The OWASP Top 10 – a standard awareness document for developers and web app security – is recognised globally by developers as the first step towards more secure coding. We’re working on creating our own secure development training based around the OWASP protocols.
It’s important for us to confirm that our systems are as secure as we think they are. We put ourselves to the test with frequent table-top exercises, where we simulate security incidents and validate our ability to recover from them. We hope that we’ll never have to face situations like our data centre catching fire, or having someone with high-level access go rogue, but it’s good to be prepared. Even though we typically meet the targets we’ve set for ourselves in these exercises, they’re a great way to identify new areas or threats to work on.
We don’t want to get cocky about our security, so we invite outside experts to try to crack our systems at least once a year. These penetration tests (pen tests) are done by a range of specialist security firms – using a different company for successive tests maximises our chances of finding issues. Testers typically conduct a black box test first, where they attempt to find exploits in our publicly available system. That’s followed by a white box test and code review: we give them a look at our source code and they have another go at exploiting our system, armed with the insights the source code has given them.
We back these penetration tests up with frequent automated vulnerability scans of our production systems. Our automated build process also includes static analysis tools that spot common coding pitfalls. We know security breaches can happen at any level, so we’ve also submitted to tests by a security firm that uses a variety of techniques, including having people in high-vis vests attempt to gain access to our offices and office networks.
As well as ensuring our development is secure and testing the safety of our systems, we have a register of security-related risks. Each risk is ‘owned’ by someone in the business who’s responsible for making sure our mitigations are up to date and effective. That includes managing the risks of a Flux-owned device being lost or stolen. We also make sure that we’re encrypting data at rest, that our password policies are robust and that our crew know what data they should and shouldn’t have on their machines. All our staff go through security and privacy training so we’re well-briefed on everything from what good password hygiene looks like to the basics of GDPR.
We’re also ISO 27001-certified, which means our products comply with a globally recognised information security standard. ISO 27001 is published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It’s intended to bring information security under management control by taking a risk-based approach. The current version, ISO 27001:2013, provides a set of standardised requirements for establishing, implementing, operating, monitoring, maintaining and improving an Information Security Management System (ISMS).
ISO 27001 provides a framework that helps Flux to protect our client and staff information, manage and minimise risk exposure, comply with various contractual and regulatory obligations, build a culture of security and protect our clients’ and our own brand image.
While ISO/IEC 27001 is good practice in general, it also provides the right level of assurance for our existing and future clients. It’s our way of showing our clients and their customers that Flux has been taking a methodical, risk-based approach to securing our platform.
Our commitment to information security doesn’t stop with the certificate – we have to comply with surveillance audits every year and be re-certified every three years. Sticking to the programme makes good sense.
Flux is secure, wherever we are
Our attention to detail when it comes to secure development, security testing and compliance means that we didn’t have to change anything when our offices closed as a result of the Covid-19 pandemic. Our infrastructure was always set up for remote working, so our company-wide shift to our ‘home offices’ has had no negative security impacts. Our clients and their customers can be certain that we’re keeping their data safe, whether we’re working from two offices or 152.