People make mistakes. We’re only human. But in business, human error can become a risk — whether nefarious or accidental. The fact of the matter is that the majority of security flaws come from people in the organization. In a traditional software development enterprise, people are vetted, badged, and trained on security best practices. You can expect a certain degree of error there. Topcoder, on the other hand, isn’t traditional; we go on the offensive because we don’t have badged employees. People don’t swipe to get access. We don’t host in-house security trainings. Instead, we treat every interaction as a secure one. We use the following security and confidentiality processes to make sure that nothing is left behind or left unchecked, and that our customers are always protected.
Security and IP screening software
Most software and data security breaches are the result of something unintentional. So above all else, we need to embrace technology to ensure we are not letting any code, design, or algorithm go unchecked. Because we always use secure channels to transfer any IP, we are able to systematically monitor and track the lifecycle of our customers’ digital assets. At Topcoder, we use a combination of best-of-breed static analysis code scanning and IP screening combined with in-house technology. We use artificial intelligence and advanced heuristics to certify the security, adherence to standards and best practices, and even authenticity of the code. When it comes to security, being on the offensive is a great defense.
Process and code reviews
Software alone isn’t enough. We also put processes in place to make sure things go according to plan. Specifically, we atomize code, both to protect our customers’ privacy and to remove single points of failure such that no one person is physically able to connect independent pieces to do something nefarious. At Topcoder, it’s our code reviews that determine who gets a paycheck at the end of the day. Everywhere else, the code check is done by a peer down the hall. It’s done after the fact, and more as a review of the person than as a review of the code itself. Our code checks are serious; because they determine who gets paid, there’s an inherent responsibility to get it right the first time around.
We use the best and most accomplished members of our community to perform anonymous code reviews. Not only is it much more accurate and efficient than having dedicated internal staff or customers perform the reviews, but it also ends up producing higher-quality outcomes; the redundancy in the number of reviewers ensures the veracity and quality of the reviews themselves. In this sense, we even use crowdsourcing to generate more accurate code reviews.
Contracts, rules, and regulations
What security measure has been around the longest? Contracts. Of all the things a business can do to protect its customers, a signed contract should be lowest on the totem pole. And for us, it is. The signed piece of paper that traditional companies use as their standard is our weakest link. Contracts only provide a single layer of security. They’re good to have (and still necessary), but in the digital age, they’re no longer enough. If you’re going to the contract to resolve an issue, it’s already too late.
When Topcoder Community members submit to a challenge, there are extensive rules and regulations in place — red tape that further qualifies competitors and their submissions. Our rules and regulations are also far more specific than those of a traditional company because we apply them, reference them, and enforce them on every interaction that shares or produces IP. Most companies apply and enforce theirs only twice: at the time of hire and at the time of exit.
All of that being said, businesses don’t need to sacrifice innovation for security. Through secure software channels, IP screening tools, peer reviews, rules and regulations, contracts, and code scans, Topcoder delivers the safest possible experience for our customers, while also providing the most innovative method of technology delivery.