Trust Center

Application Security

Last Updated: April 17, 2025 2:38 pm MDT

Zayo implements application security controls on its internal environment systems and applications. Customers must implement their own security controls to protect their own environments.

Does Zayo deploy application firewalls and block unauthorized access to critical systems?

Yes.

Which controls are included in Zayo secure coding practices?

  • Protect applications from insufficient anti-automation
  • Protect applications from improper access control
  • Protect applications from improper error handling
  • Protect applications from insecure communications
  • Protect applications from attacks on business logic
  • Protect applications from format string attacks
  • Protect applications from XML external entities
  • Protect applications from insecure deserialization
  • Refrain from hard-coding security parameters in source code
  • Protect applications from injection flaws
  • Protect applications from attacks on data and data structures
  • Control user account management
  • Restrict direct access of databases to the database administrator
  • Protect applications from buffer overflows
  • Protect applications from cross-site scripting
  • Protect against coding vulnerabilities
  • Protect applications from broken authentication and session management
  • Protect applications from insecure cryptographic storage
  • Protect applications from cross-site request forgery
  • Protect databases from unauthorized database management actions
  • Refrain from displaying error messages to end users

Which practices are implemented into Zayo’s software development lifecycle?

  • Define and document business needs, assess security risks, and establish governance requirements
  • Separate development environments from production environments
  • Develop secure architecture and establish security controls before development begins
  • Ensure secure coding practices and integrate security testing into development
  • Implement separation of duties between developer and production support teams
  • Mask or obfuscate data during testing and destroy it upon completion
  • Validate security, compliance, and resilience through rigorous testing
  • Ensure secure deployment with change management and monitoring
  • Sustain security post-deployment with continuous monitoring and risk management
  • Securely retire systems while mitigating risks

Which types of application penetration testing does Zayo perform?

  • Web application scanning
  • Mobile application penetration testing
  • Dynamic code analysis (i.e. DAST, black-box and gray-box testing)
  • Static code analysis (i.e. SAST, white-box testing)
  • Interactive code analysis (i.e. IAST or RIA)
  • Software Composition Analysis
  • Application Threat Modeling
  • Runtime Application Self-Protection (i.e. RASP)

Is security tested as part of the development process for any system or application?

Any new and updated systems must go through testing during the development process. This testing must include the schedule of activities to complete, test inputs, as well as the expected outputs for the conditions being tested. Where applicable, according to the importance and nature of the system, independent acceptance testing must be completed to ensure that the system or code works as expected.

What is covered by application allow listing technology?

Application allow listing technology covers executables, code libraries, and scripts.

How does Zayo control execution of unauthorized software?

Application allow listing technology is deployed on all devices to control software execution and is updated at least bi-annually.

Does Zayo have a policy restricting the installation of software on company-issued devices?

Yes. Software must be approved and installed on company-issued devices by a System Administrator. Internal acceptable-use requirements for assets are discussed in the Operational Management Standard. Zayo does not share governance documents in their entirety, as they are treated as internal resources that are proprietary in nature. This fosters accountability and confidentiality, guiding teams through crises while ensuring compliance with industry standards. This approach underscores Zayo’s commitment to resilience and security.