How LOGEX uses Codacy for ISO/IEC 27001:2013 compliance
We spoke with Tim van Loosbroek, Head of Infrastructure and Security at LOGEX, about how Codacy helps them comply with ISO/IEC 27001:2013 and, in Tim’s words, “get a really nice certificate.”
Wondering what ISO/IEC 27001:2013 is and why it is relevant? Check out here!
Founded in 2008, LOGEX is a leading healthcare analytics company with the mission of turning data into better healthcare. Currently available in the UK, Netherlands, Finland, Sweden, and Norway, LOGEX aims to become the number one healthcare data analytics provider in Europe.
The main programming languages used by the LOGEX development team include .NET (C#), JSON, JS, Shell, Markdown, Dockerfile, CSS, and SQL. In addition, they use Bitbucket as their version control system.
Dealing with health data
It is well-known that data concerning health is highly sensitive since it consists of information that reveals an individual’s overall health and medical history, going to the very core of a human being. Therefore, LOGEX must respect specific standards to protect those data.
Besides the European GDPR and the Dutch NEN 7510 certificate, LOGEX must comply with ISO/IEC 27001:2013 and prove its compliance to external auditors. Codacy helps LOGEX achieve its highly demanding code security goals to obtain the ISO/IEC 27001:2013 certification.
LOGEX clients know that LOGEX complies with strict standards regarding information security and that the company is carefully handling their highly sensitive health data. According to Tim, “this certification tells our clients we are compliant with good security practices and that they are audited yearly.” In summary, it’s proof that LOGEX is taking security seriously.
LOGEX and Codacy: the perfect marriage for ISO certification
Let’s see precisely how Codacy is helping LOGEX comply with ISO/IEC 27001:2013, particularly with technical control A.14.2.8 about system security testing. This technical control states that testing of security functionality shall be carried out during development.
Complying with the standards is not only for ISO audit day
To comply with the standards and pass the audit, code quality and security are concerns not only on the checkup day but also during the entire development process. For LOGEX, it’s crucial to have a solution that helps both developers and management.
On the one hand, Codacy helps developers meet high-security standards and prevent critical issues and vulnerabilities. On the other hand, Codacy reassures management that all security testing is being carried out throughout their product and gives them an overall view of the quality of the code.
Without Codacy, developers can correct the issues presented in their IDE of choice. Still, they might overlook that information, and there is no validation concerning security management. Quoting Tim, “So of the tools that you use, like ESLint (…) people can also run it in their development environment, in the IDE, but then you have to trust the developer that they do something with it because you cannot control it centrally. So it [Codacy] also allows us to actually use it, and enforce it as a quality gate.”
Developers are also pleased with Codacy because it removes pressure from their side and makes their lives easier when coding. Codacy guarantees the security testing of code written by developers, automatically. As reported by Tim, “when we develop software, and we do that on a daily basis (…) Codacy makes sure that we do security testing on that code, automatically. So the developer doesn’t have to care about it.”
As such, developers don’t need to worry about forgetting a vital security check because Codacy gives them friendly reminders. As Tim noted, “We send our code to them [Codacy], they check it, we have some control over them, what they check (…) and we can set the quality gates, and then we get a result back, and the developers have to do something with that.” In short, developers are more at ease because they know their code is automatically evaluated in every commit and pull request.
There is even healthy competition among developers, using Codacy feedback as a game. They want to have a good overall result and will try to fix as many issues as possible. As Tim stated, “we had some of those developers who really made it their mission to get full unit test coverage (…) they get this gamification, ‘I want to have a good test coverage’.”
During ISO audits, Codacy has LOGEX’s back
When it’s time for the yearly ISO 27001 checkup, Codacy is there to help. As Tim commented, “the way I’m saying it, it sounds less sexy than it is, but by using the [Codacy] tool we can fulfill that requirement and prove to the auditor, and it’s a big help, I think, for our developers.”
In fact, LOGEX developers present Codacy dashboards to the auditor. This is a way to confirm LOGEX complies with the technical controls in A.14.2.8. As Tim explained, “what normally happens when they audit this particular section, they will normally talk to a developer, and they will say ‘ok, explain to me what is your normal development process (…) how do you do security testing?’ (…) they [the developers] will say, ‘we use Codacy, you can see here the results’ (…) log in to the screen and show that it happens.” The auditor then writes in the report that he has seen, first hand, the results of the code analysis.
Direction for the future of LOGEX and Codacy
The next step for LOGEX will be using Codacy for code standardization across all developers and to define coding standards. As mentioned by Tim, “we will have some debate on code styles (…) it is something we would like to have.”
LOGEX also plans to use Codacy to improve their quality gates. As Tim explained, “in the end, what we want to do is if it doesn’t meet the quality gates, we will block the pull request.” This additional step will further reinforce their commitment to their already high-security standards.
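The quality gate Tim describes is a central check that runs on every commit and pull request and can fail the build instead of relying on each developer to act on IDE warnings. The following script is an added example of how such a gate can be expressed in code; it is not Codacy's code or API, and the JSON report shape it reads (a `coverage_percent` figure plus an `issues` list with `severity`, `rule`, `file`, `line` and `message` fields) is an assumption for illustration, since real analysis tools each emit their own schema.

```python
"""Quality gate for a static-analysis report (added example, not Codacy's code).

Reads a JSON report, fails when any issue at or above a chosen severity is
present or when test coverage is below a minimum, and exits non-zero so a CI
pipeline can block the pull request on it.
"""
import json
import sys

# Constructed sample report. The schema is an assumption for this example,
# not the output format of any real analysis tool.
SAMPLE_REPORT = json.dumps({
    "coverage_percent": 78.5,
    "issues": [
        {"file": "src/Auth.cs", "line": 42, "severity": "critical",
         "rule": "hardcoded-secret", "message": "Possible hard-coded credential"},
        {"file": "src/Utils.cs", "line": 10, "severity": "minor",
         "rule": "unused-variable", "message": "Variable 'tmp' is never used"},
    ],
})

# Order severities so a threshold like "medium" also catches "critical".
SEVERITY_RANK = {"info": 0, "minor": 1, "medium": 2, "critical": 3}

DEFAULT_THRESHOLDS = {
    "block_at_severity": "medium",   # any issue at this level or above fails the gate
    "min_coverage_percent": 80.0,    # coverage below this fails the gate
}


def evaluate_gate(report_json, thresholds=DEFAULT_THRESHOLDS):
    """Return (passed, reasons): passed is True only when reasons is empty."""
    report = json.loads(report_json)
    reasons = []

    block_rank = SEVERITY_RANK[thresholds["block_at_severity"]]
    for issue in report.get("issues", []):
        rank = SEVERITY_RANK.get(issue.get("severity", "info"), 0)
        if rank >= block_rank:
            reasons.append(
                f"{issue['file']}:{issue['line']} [{issue['severity']}] "
                f"{issue['rule']}: {issue['message']}"
            )

    coverage = report.get("coverage_percent")
    if coverage is None:
        # A missing coverage figure is treated as a failure, not silently skipped,
        # so a broken coverage step cannot let code through the gate.
        reasons.append("no coverage figure in report")
    elif coverage < thresholds["min_coverage_percent"]:
        reasons.append(
            f"coverage {coverage:.1f}% below minimum "
            f"{thresholds['min_coverage_percent']:.1f}%"
        )

    return (len(reasons) == 0, reasons)


def main(argv):
    """Usage: quality_gate.py [report.json]; without a path the sample is used."""
    path = argv[1] if len(argv) > 1 else None
    report_json = open(path).read() if path else SAMPLE_REPORT
    passed, reasons = evaluate_gate(report_json)
    for reason in reasons:
        print("GATE:", reason)
    print("quality gate", "PASSED" if passed else "FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the constructed sample, the gate fails on the critical issue and on coverage below 80%, and the non-zero exit status is what a pipeline step uses to block the merge. Keeping the thresholds in one place (here `DEFAULT_THRESHOLDS`) is what makes the gate a central, auditable policy rather than a per-developer setting.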
We look forward to seeing what LOGEX accomplishes in its mission of turning data into better healthcare. Always with code security and quality in mind!