Security

Over 1 million users across the globe trust us with their data being processed by our products. We back ourselves up with robust data security and privacy practices that form an integral part of our product engineering and service delivery principles.

Data Security

We abide by security and privacy by design principles. These principles provide a robust framework for building and maintaining secure systems, applications, and services that address security and cybersecurity considerations by default and by design. Top-down governance and security are in our DNA, which lets us constantly review our threat vectors and calibrate our controls to strengthen our security posture and keep pace with the changing business and technology landscape.

LambdaTest has implemented and maintains appropriate technical and organizational measures designed to protect customer’s personal information as required by Data Protection Law(s).

For further details please refer to our information security policy.

Information Security Policy

Version: 1.2
Effective from: July 22, 2022

1. Executive Summary

LambdaTest Inc (herein referred to as ‘LambdaTest’ in this document) is committed to ensuring Confidentiality, Integrity, Availability, and Privacy, and to providing comprehensive protection to its information assets against the consequences of breaches of confidentiality, failures of integrity, and interruptions to their availability.

LambdaTest is a SaaS-based continuous quality testing cloud platform used by over 2 million developers and testers globally. With over 3000 combinations of real browsers, mobile devices, and operating systems, it helps developers and testers perform cross-browser and cross-platform compatibility testing at scale with blazing fast speed. It also lets them run tests on containers at scale and supports on-prem and private cloud deployment models. We believe in providing products that are ready to go to market, easy to set up and use, and require minimal customization. All of our products live up to this promise and are backed by our world-class support.

Our Customers include Fortune 500 & G2000 companies from across the globe and they trust us with their data security. We back ourselves up with robust data security and privacy practices that form an integral part of our product engineering, technology landscaping, and service delivery principles.

In support of Security & Privacy by Design, security is at the heart of how we build our products, secure your data, and provide high resilience. We have created and implemented security and privacy principles that provide a robust framework for building and maintaining secure systems, applications, and services. This framework lets us integrate a set of standards, guidelines, and best practices for managing information security, cybersecurity, data security, and privacy considerations and related risks by default and by design, while ensuring adherence to multiple requirements globally.

We have top-down governance and security in our DNA, which helps us constantly review our threat vectors and calibrate and strengthen our security posture to align with the changing business and technology landscape.

2. Scope

This policy applies to all LambdaTest employees, assignees, partners and contractors that provide services to LambdaTest and is an integral part of the Business Code of Conduct.

This also covers the security of information systems and data networks owned or used by LambdaTest as well as the information that is stored, transmitted, or processed by those systems.

3. Applicability

LambdaTest is committed to complying with all applicable legislation and law of the land in all locations and countries related to its operations and information processing.

Key legislation that is complied with include laws related to corporate governance, employee relations, data privacy, intellectual property, and financial reporting.

4. Leadership & Commitment

Executive leadership (Top Management) members are a part of the internal Information Security & Compliance Steering Committee (ISCSC), which ensures that all LambdaTest commitments to Customers and stakeholders are upheld.

LambdaTest is committed to information security, the protection of personal information, and privacy in accordance with applicable laws, regulations, and standards. Information Security & Compliance Steering Committee (ISCSC) members are responsible for defining and improving the Integrated Management System (IMS). Top management has demonstrated leadership and commitment to the IMS by:

i. Ensuring the information security and personal data protection policy and its objectives are established and are compatible with the strategic direction of LambdaTest.

ii. Ensuring the integration of ISMS, PIMS, SOC 2, CSA, and other standards requirements into LambdaTest’s processes.

iii. Ensuring that the resources needed are available.

iv. Communicating the importance of an effective integrated management system and of conforming to integrated management system requirements.

v. Ensuring that the IMS achieves its intended outcome(s).

vi. Directing and supporting persons to contribute to the effectiveness of the IMS.

vii. Promoting continual improvement.

viii. Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.

5. Policy

LambdaTest is committed to:

i. Ensure Confidentiality, Integrity, Privacy, and Availability by adequately protecting the information and information systems against unauthorized access, modification, or alteration.

ii. Establish and implement security policies and processes while considering the protection of information and information systems from internal and external threats.

iii. Comply with legal, regulatory, and contractual security & privacy obligations as may be applicable.

iv. Ensure security and privacy awareness and competency amongst associates to enable them to meet their security & privacy obligations.

v. Provide a framework to manage and handle security incidents, privacy breaches, violations, and business disruptions.

vi. Ensure continuous improvement of the security & privacy posture to consistently meet its objectives.

LambdaTest shall adopt leading industry security and privacy standards and practices to design and develop a robust information security and privacy management framework in support of this policy statement. To this effect, the policy shall be supported by domain-level security and privacy policies, procedures, guidelines, and standards, which shall be communicated and made available to relevant stakeholders.

5.1. Security and Privacy Governance Structure

At LambdaTest, the executive leadership (Top Management) members are a part of the internal Information Security & Compliance Steering Committee (ISCSC), which ensures that all LambdaTest commitments to Customers and stakeholders are upheld. The ISCSC holds that ensuring the security and privacy of Customer information, and applying the right processing methods to any personal information in line with privacy regulations, should be a way of working at LambdaTest.

While information security and privacy are an organization-wide responsibility, the ISCSC has established dedicated information security and privacy teams as independent custodians of the vision. Both teams report directly to the ISCSC and independently manage the governance aspects of information security and privacy. The Information Security team is headed by the Information Security Officer (ISO) and the Privacy team is headed by the Data Protection Officer (DPO); both report directly to the ISCSC. The committee is headed by the Chief Executive Officer (CEO).

The ISCSC is committed to constantly aligning its information security and privacy posture so as to:

  • ensure data security and assure non-repudiation for Customers' data;
  • ensure secure and stable products that provide consistent output;
  • ensure delivery of products and services that are highly resilient to internal and external threats and interruptions;
  • ensure that its people are oriented to the principles of security and privacy by design as they apply to their respective job roles; and
  • ensure that business processes are designed and implemented based on risk and control considerations.

On a half-yearly basis, the ISCSC reviews Information Security and Privacy in a structured manner. Following are the broad objectives of such reviews:

i. Road map: Ensure that the information security and privacy road map is well thought through after factoring in all Customer, regulatory and contractual requirements and is in sync with the internal and external threat vectors.

ii. Initiatives: Take stock of the various information security and privacy initiatives or programs and provide recommendations.

iii. Expertise: Ensure that adequate expertise is available for all information security and privacy initiatives. The ISCSC provides necessary technical inputs and ensures that LambdaTest leverages adequate expert opinions from various industry sources.

iv. Resources: Ensure that adequate people and financial resources are made available to various initiatives for effective execution.

LambdaTest has a dedicated Information Security Officer and a dedicated Data Protection Officer, each leading an independent team that runs the information security and privacy functions respectively. The LambdaTest Information Security Office has the following teams:

  • Security Product & Engineering (App Sec): Responsible for ensuring that information security requirements are adhered to in the platform application architecture and technology landscape. This team ensures that all technology components are hardened, access controlled, and monitored, and that all internal and external threat vectors are structurally mitigated and managed.
  • Security Operation Center: Responsible for proactive monitoring of information security events and alerts and for providing situational awareness through the detection, containment, and remediation of any suspected or actual security incidents. The team ensures that tactical rules and data sensors are configured to provide suitable early warnings and alerts. The team works on a 24/7 basis to identify, analyze, communicate, investigate, and report on critical information security events.

The LambdaTest Data Protection & Risk Office has the following teams:

  • Governance, Risk and Compliance (GRC): Responsible for Risk Management, ensuring the appropriate design, effective implementation, and consistent operation of controls; performing and coordinating internal and external audits; and managing information security incidents. The team ensures compliance with various information security and privacy frameworks and works towards continuous control maturity. GRC is also responsible for coordinating the development and maintenance of corporate policies and standards that impact information security at LambdaTest. The policies and standards are reviewed by relevant stakeholders and approved by document owners at least annually, and are made available to all LambdaTest employees on a centralized document repository.
  • GRC Team: Responsible for providing a single-window channel to communicate with Customers regarding the information security and privacy posture at LambdaTest. The team also provides feedback regarding trends that it sees in the market’s expectations or requirements from an information security and privacy compliance perspective.

5.2. Human Resources Security and Privacy

At LambdaTest, we pride ourselves on building a powerful Cloud Testing Platform application that’s secure, reliable, easy to use and high-performance. We believe that customers and employees are the foundation of a successful business.

Recruitment

We are constantly on the lookout for smart people who are passionate about building great products, designing great experiences, building scalable platforms, and making customers happy.

All intents for recruitment are raised to the HR department along with a description of the job and its roles and responsibilities. The intents are approved by the respective department or pod heads based on their function’s specific recruitment plan. The HR and respective pod managers are responsible for conducting interviews. Depending upon the seniority of the role, the HR team sets up interviews with appropriate stakeholders. Candidates are selected based on validation of both culture and skill-set fit.

Background Verification

All employees joining LambdaTest undergo a mandatory background verification check that is initiated once their employment offer is rolled out. LambdaTest engages empaneled third-party service providers to perform background verifications covering identity, whereabouts, education history, employment history, and criminal history. Risks, if any, identified from background verification checks are analyzed and are approved or rejected by the respective function HR in association with the respective business manager.

On-boarding

All new joiners are batched and join on Mondays. They undergo a 2-3 day onboarding schedule. During onboarding, employees are given an overview of the values lived at LambdaTest, the vision and key objectives, the organization structure and key stakeholders, and the various processes that all employees are required to follow. As part of the employee onboarding process, all new joiners receive awareness training on information security, data privacy requirements, adherence to the Code of Conduct and applicable compliances, and the practices followed at LambdaTest. This includes apprising and training the employee on their responsibilities with regard to information security, privacy, and compliance requirements.

Confidentiality Undertaking

All new joiners sign a confidentiality agreement as part of their employment agreement while being onboarded as an employee. The agreement specifies their obligations and responsibilities as an employee when handling confidential information that they have access to during the course of their employment.

Code of Conduct

The Code of Business Conduct and Ethics (this Code) flows directly from the commitment of LambdaTest Inc., a Delaware corporation (together with its subsidiaries, “LambdaTest”, “we”, “our”), to our mission and core values. We consistently aim for excellence and to provide value for our customers, partners, and stockholders, and it is critical that we do so with integrity and high ethical standards. It is unacceptable to cut legal or ethical corners for the benefit of LambdaTest or for personal benefit. The purpose of this Code is to promote ethical conduct, serve as a guide, and deter both wrongdoing and the appearance of wrongdoing. Doing the right thing is more important than winning while risking our reputation or the trust of our customers, partners, and stakeholders.

The Code is designed to ensure:

  • We operate our business ethically and with integrity
  • The avoidance of actual or apparent conflicts of interest
  • Compliance with the letter and spirit of all laws and policies of LambdaTest, including accurate and clear language in our reports, advertising, and public communications
  • The prompt internal reporting of suspected violations of this Code

The Code of Conduct (“Code”) applies to all employees, officers, directors and independent contractors of LambdaTest Inc., and all its subsidiaries. Every employee will be required to confirm their acceptance and understanding of this Code in our annual review cycle. All employees are required to abide by this Code, which comprises the following policies:

  • Promoting Diversity and Respect
  • Conflict of Interest
  • Anti-Bribery, Antitrust, and Anti-Corruption
  • Insider Trading
  • Fair Dealing
  • Gifts and Entertainment
  • Acceptable use of Company Assets
  • No Retaliation
  • Privacy and Confidentiality
  • Health and Safety
  • Equal Employment Opportunity
  • Prevention of Harassment at Workplace
  • Policy on Media (including Social Media)
  • Policy on Intellectual Property Rights

Disciplinary Process

As part of the onboarding process, employees are apprised of the internal policies and processes as they apply to them. Employees are also informed about the complaint reporting mechanism and the disciplinary process that may ensue. Any violation of the policies is reported as an incident and is investigated by the HR team. Any violation, if proven, results in a warning, payment of compensation, withdrawal of promotion, suspension, or termination of employment, based on the nature of the violation.

Transfers and Movements

When associates are transferred internally, the HR Manager and the current reporting manager finalize the last day of service in the existing role, which is then communicated to the new manager as well. Accordingly, a request is raised to align the associate's access with the new job role.

Employee Exits

All resignation notices are submitted to the reporting manager and HR. The reporting manager shall, with the consent of HR, recommend and confirm the date of relieving. The exit process is then initiated, and the exit form must be signed off by the respective associate’s reporting manager, the Cloud Infrastructure team, Administration, IT, and HR, who together ensure that all access granted to the employee is revoked.

5.3. Security Awareness and Training

LambdaTest keeps its employees security- and privacy-minded through continuous educational activities and practical exercises on evolving threats, compliance obligations, and secure workplace practices.

i. Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance.

ii. All employees complete an annual information security, privacy, and compliance awareness and training program.

iii. As part of this program, additional role-based training is provided to employees before they start handling restricted and confidential information.

iv. An information security and privacy compliance training guide is provided as a quick reference to all employees.

v. Training logs identifying the training class, attendee, and date are kept by the HR department.

5.4. Asset Management

LambdaTest has established a formal Asset Management Policy. The associated process facilitates effective management, control, and maintenance of the assets and information in its operating environment by classifying assets according to their functionality or criticality.

i. This policy is to identify, classify, label, and handle Information Assets of LambdaTest, and to apply protection mechanisms commensurate with the level of confidentiality and sensitivity.

ii. The confidentiality and sensitivity of the information will be maintained through an Information Asset classification scheme. The level of security to be accorded to the information of LambdaTest depends directly on the classification level of the asset, which is associated with that information.

iii. The Information Asset Inventory must contain the following information as a minimum:
  • Information Asset Identification
  • Information Asset Description
  • Information Asset Location
  • Information Asset Owner/Custodian
  • Information Asset Classification

Acceptable Usage of Assets

Employees are educated on being responsible and exercising good judgment regarding the reasonableness of personal use. For security and network maintenance purposes, authorized individuals within LambdaTest monitor equipment, systems, and network traffic. We reserve the right to suspend or disable employee network accounts for an actual or suspected security breach or policy violation. Any IT resource assigned to an employee is not transferred to another employee or group without first informing IT so that the transfer is recorded; the transfer is made only after sign-off from IT. If an asset is lost after a transfer that was not reported to IT, for any purpose, the employees involved are held liable and appropriate fines are levied.

Information at LambdaTest

LambdaTest information may include, but is not limited to:

  • All computer equipment, software, operating systems, storage media, network accounts, electronic mail, etc… (“IT resources”), are the property of LambdaTest. These systems are to be used for business purposes in serving the interests of the company, and of our customers in the course of normal operations
  • All proprietary information that belongs to LambdaTest, such as user manuals, training materials, operating and support procedures, business continuity plans, and audit trails.
  • Personnel information relating to employees of LambdaTest.
  • All customer information & product research-related data held by LambdaTest.
  • All software assets such as application software, system software, development tools, and utilities.
  • All physical assets, such as computer equipment, communications equipment, removable media, and equipment relating to facilities.
  • All services, such as power, lighting, and HVAC associated with LambdaTest information systems.
  • People assets.
  • Intangible assets such as the reputation and image of LambdaTest.

LambdaTest maintains an inventory of all virtual devices (including servers and networking components) and physical devices. All devices are labeled and tracked in an asset register with information about the asset owner, asset custodian, and asset location. The asset register is kept current and is updated whenever assets are moved, retired, or serviced.

5.5. Information Classification & Handling

LambdaTest has developed and implemented a formal information classification and handling standard, consisting of distinct levels, which must be followed by all LambdaTest employees. The protection level and requirements for data processing are defined for each classification category. The LambdaTest classification model has four levels:

  • Restricted
  • Confidential
  • Internal
  • Public

The classification level of all information or data is identified, both on the data itself and in the asset inventory. Classifying assets this way enables LambdaTest to focus information and data protection mechanisms on those assets that are most susceptible to specific risks. Information Assets may be assigned security controls based on their susceptibility to risk.

Accessibility | Descriptive meaning

Restricted (Restricted Information)

Restricted information is the most sensitive form of information. It is so sensitive that disclosure or usage would have a definite impact on LambdaTest’s business.

Extremely restrictive controls need to be applied (e.g., a very limited audience consisting only of those who are authorized to have such information).

Examples include employee personal information, personally identifiable information (PII), Financial Account Data (on individuals), strategic plans, investment decisions, etc.

Confidential (Confidential Information)

Confidential information is distributed on a “Need to Know” basis only. It is so confidential that disclosure or usage would have a definite impact on LambdaTest’s business.

Examples include System Security Parameters and Risk Assessment or Audit records, Intellectual Property, Customer Data, business plans, unpublished financial statements, Firewall and Router Configurations, Service Contracts, etc.

Internal (Internal Information, all employees within LambdaTest)

This class of information is either generated by LambdaTest or is owned by LambdaTest. It must be used within LambdaTest and not shared externally or with third parties. There can be exceptions in certain cases, where access rights to the information are limited to certain specific people.

Examples include staff memos, company newsletters, staff awareness program documentation or bulletins, email, backup media, SOPs, etc.

Public (Public Information)

This class of information does not have any impact on the confidentiality of the Information Asset. It covers information that has either come from a public source or is provided by the company, or the company’s client, to the general public.

Examples include periodicals, advertisements, public bulletins, published company financial statements, published press releases, etc.

5.6. Identification and Authentication

LambdaTest has implemented an Identity and Access Management (IAM) capability so that access rights are provisioned on the principles of “least privilege”, “need-to-know”, and “need-to-have or need-to-do”. As part of user lifecycle management, defined processes for adding, changing, and removing users and their access rights are applied across all information systems, applications, and services.

IAM is paramount to protecting LambdaTest information resources and requires the implementation of controls and continuous oversight to restrict access. Regular reviews of access rights are conducted.

Product Access

By default, LambdaTest applies least-privilege and role-based access principles when provisioning access in all of its information systems. A few employees from Customer Success and Solution Engineering have access to Customer accounts, as they need this access for configuration or troubleshooting. These privileged accesses are reviewed on a regular basis.

LambdaTest provides role-based administration for all user accounts. There are 3 roles: admin, user, and guest, each with different permissions. The administrators of an account can control its users’ permissions and activity.

Sub-Processor Access

LambdaTest partners with organizations that, like itself, adhere to global standards and regulations. These organizations include the sub-processors and third parties that LambdaTest uses to assist in providing its products and services.

This means that, as at LambdaTest itself, by default no sub-processor has access to any Customer test execution data. Incidents and support tickets are handled by LambdaTest.

Further, on a case-by-case basis, if an incident or support requirement arises that only a sub-processor can handle, access is granted by the Customer’s admin through the product as a temporary user and is revoked immediately once the issue has been resolved.

Internal Systems Access

Access to LambdaTest internal systems is based on the principle of least privilege. Accordingly, all information systems and data are classified and further segregated to support role-based access requirements. Furthermore, when defining job roles and designing access roles, privileges that would lead to conflicts of interest are avoided. Strong identification, authentication, and logging systems are deployed and provide centralized control to administer, monitor, and review all critical access events.

Access Control Environments

At LambdaTest, different environments are established from a product standpoint. The product has separate environments for development, testing, and production. Each of these environments is shielded and controlled from interactions with the other environments. Developers do not have access to the production environment (including no access to migrate changes). Access to migrate changes is limited to designated and authorized individuals only.

Authorization Process

All access requests are logged, tracked, and managed through Jira (Atlassian suite). All access requests are approved by the reporting manager and product owner, and also by the respective department head or their delegated approvers. Once approved, the request is routed to the respective system administrators for provisioning the access. Logs of all access requests raised, approvals obtained, and provisioning made in the systems are maintained to establish an end-to-end audit trail.

Access to all environments (development, test, and production) and the resources within them is centrally managed using an IAM system. User IDs follow our internal naming convention and are managed such that each ID is attributable to a single user. We have implemented strong password parameters that apply to all systems. All access is permitted only from registered user systems and only from the whitelisted IP addresses of LambdaTest. All access is routed through the bastion host, where the IAM solution enforces role-based access and two-factor authentication. System access logs for access to Customer data are maintained and subject to review by the NOC and SOC teams, which operate on a 24x7 basis.

Remote Access

Access to the LambdaTest production environment is limited to authorized users from the development or testing teams. All access to the LambdaTest production environment is allowed only from within the LambdaTest corporate network, which sits behind a VPN. For business continuity, disaster recovery, and pandemic scenarios, administrative and management users (Cloud Infrastructure, Database administrators, On-call Support, 24x7 Monitoring teams) have been provided with VPN access to connect to the office network. All access is protected via Single Sign-On (SSO) or two-factor authentication, and all access is logged.

Access Reviews

On a quarterly basis, the ownership of all user accounts in the production environment is reviewed by the product owner. For sensitive and critical accounts, the review is performed on a monthly basis. The information security team tracks the user access review process and reports the findings to the ISCSC.

Password Management

The complexity and length of passwords are set according to best practices and adapted if necessary. With processes designed to enforce minimum password requirements for LambdaTest products, we utilize the following requirements and security standards for user passwords on the LambdaTest Service:

  • Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols.
  • Repeated login attempts with a wrong username or password result in a locked account. The account is disabled long enough to frustrate brute-force logins, but not so long that legitimate users are kept out of the application
  • Email-based password reset links are sent only to a user's pre-registered email address with a temporary link
  • LambdaTest rate limits multiple login attempts from the same email address
  • LambdaTest prevents reuse of recently used passwords
  • Password hashing: User account passwords stored on the LambdaTest Service are hashed with bcrypt and a random salt, using industry-standard techniques.
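As an added example (not LambdaTest's code), the account model below enforces the controls listed above in one place: the complexity rule, per-password random salt, reuse prevention against a password history, and a temporary lockout after repeated failures. The page names bcrypt; because bcrypt is not in Python's standard library, this example substitutes hashlib.scrypt, another salted, memory-hard password hash. HISTORY_SIZE, MAX_FAILURES and LOCKOUT_SECONDS are assumed values, not LambdaTest's.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

MIN_LENGTH = 8          # stated on the page
HISTORY_SIZE = 5        # assumption: how many previous passwords are remembered
MAX_FAILURES = 5        # assumption: wrong attempts before a temporary lockout
LOCKOUT_SECONDS = 900   # assumption: 15 minutes slows brute force without a long outage


def validate_complexity(password: str) -> List[str]:
    """Return the names of the rules the password violates (empty list = compliant)."""
    checks = [
        ("length", len(password) >= MIN_LENGTH),
        ("uppercase", re.search(r"[A-Z]", password) is not None),
        ("lowercase", re.search(r"[a-z]", password) is not None),
        ("digit", re.search(r"[0-9]", password) is not None),
        ("symbol", re.search(r"[^A-Za-z0-9]", password) is not None),
    ]
    return [name for name, ok in checks if not ok]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard hash; scrypt stands in for the bcrypt named on the page."""
    if salt is None:
        salt = os.urandom(16)            # a fresh random salt for every new password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Account:
    """One user account with password history and failed-login lockout state."""

    def __init__(self, password: str) -> None:
        self.history: List[Tuple[bytes, bytes]] = []   # recent (salt, digest) pairs
        self.salt = b""
        self.digest = b""
        self.failures = 0
        self.locked_until = 0.0
        self.set_password(password)

    def set_password(self, password: str) -> None:
        problems = validate_complexity(password)
        if problems:
            raise ValueError("password violates policy: " + ", ".join(problems))
        # Reuse prevention: every remembered hash has its own salt, so the candidate
        # must be rehashed under each old salt and compared; a plain digest lookup
        # would miss matches.
        for old_salt, old_digest in self.history:
            if verify_password(password, old_salt, old_digest):
                raise ValueError("password was used recently")
        self.salt, self.digest = hash_password(password)
        self.history.append((self.salt, self.digest))
        self.history = self.history[-HISTORY_SIZE:]

    def login(self, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is a timestamp in seconds."""
        if now < self.locked_until:
            return "locked"              # inside the lockout window: no hash work at all
        if verify_password(password, self.salt, self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS   # temporary, self-expiring lock
            return "locked"
        return "denied"
```

Note that a correct password presented during the lockout window is still refused, which is what makes the lock effective against an attacker who eventually guesses right.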

Single sign-on

LambdaTest lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to the LambdaTest platform using their existing corporate credentials. SSO is available on select packages only, so please consult your order form for eligibility.

5.7. Cryptographic Protections

LambdaTest has developed and implemented a formal cryptographic protection standard to protect the confidentiality, authenticity, and integrity of information that is transferred over third-party networks.

i. Cryptographic controls can be used to achieve different security objectives, e.g.:

a. Confidentiality: Using encryption of information to protect restricted or critical information, either stored or transmitted.

b. Integrity/Authenticity: Using digital signatures or message authentication codes to protect the authenticity and integrity of stored or transmitted sensitive or critical information.

c. Non-Repudiation: Using cryptographic techniques to obtain proof of the occurrence or nonoccurrence of an event or action.

ii. Cryptographic controls shall be used in compliance with all relevant agreements, laws, and regulations.

5.8. Physical & Environmental Security...

The following section provides an overview of the physical and environmental security safeguards at LambdaTest Product Development center in India and the data center where LambdaTest products and data are hosted.

Perimeter Security at LambdaTest office

LambdaTest operates out of a multi-tenant building where perimeter security is centrally provided by the Building Management System team. The building is continuously patrolled by security guards on a 24x7 basis. The guards only allow employees with a valid ID card inside the building.

Access to the LambdaTest office is restricted only to LambdaTest’s employees and authorized support staff. CCTVs are installed across all vantage points within the office including all the entry and exit points. The administration and facilities team is responsible for monitoring the CCTV footage and these are retained for a minimum of 90 days.

24x7 dedicated security guards are deployed at entry and exit points. All the entry points are further secured using a proximity-based access card system. Access reviews are carried out by the LambdaTest Administration team on a regular basis to ensure only authorized LambdaTest employees or support staff have access.

Visitor Management at LambdaTest office

All visitors are registered at the entrance at LambdaTest with details of host and purpose of visit. The visitors are provided an ID tag and are always escorted by a host while inside the premises.

Material Movement at LambdaTest office

LambdaTest has established procedures for equipment siting and identification. At the entrance, security personnel track the movement of equipment and verify the relevant authorizations for bringing in or removing any classified materials. The IT team ensures that all equipment movements are approved and sent to authorized recipients. Dedicated loading and unloading areas have been identified for the movement and disposal of electronic media and equipment. Such movements are authorized by the IT Manager and tracked by the Facilities Administration team.

Environmental Safeguards at LambdaTest office

The office workspace has multiple controlled entry and exit points with visible markings and floor maps displayed that assist in speedy evacuation from anywhere in the office. Smoke detectors are installed throughout the facility and are supported by sprinkler-based fire suppression systems that run throughout the facility. Further, appropriate types of fire extinguishers are placed at various locations in the facility with clear markings. The facility is covered with a public address system that helps to provide any flash announcements in case of any emergency.

A centrally managed Heating, Ventilation, and Air-Conditioning (HVAC) system has been installed and is managed by the facilities administration team. The power supply received for the facility is integrated with an Uninterruptible Power Supply (UPS) and a diesel-based power generator. In case of any power interruption, automatic and uninterrupted switch-over ensures that there is no impact on the facility and its systems or equipment. All power cables and network cables are secured and shielded from interference and are labelled to support maintenance and troubleshooting work.

All equipment and systems providing environmental safeguards are covered under warranties and annual maintenance contracts and, accordingly, receive regular preventive maintenance checks to ensure their proper functioning.

Physical and Perimeter Security at Data Center

LambdaTest hosts its products and associated data in AWS and Microsoft Azure data centers that provide cutting-edge security and resilience and are compliant with a plethora of information security standards and frameworks. The data centers are hosted in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, motion detectors, intrusion alarm systems, and other electronic means. Authorized staff must pass through two-factor authentication a minimum of two times to access data center floors.

Environmental Safeguards at Data Center

All critical IT equipment is hosted in AWS and Microsoft Azure data centers. Automatic fire detection and suppression equipment have been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments including the mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems as suitable based on the types of combustible materials in the respective zones.

Submersible pumps are installed and maintained as a safeguard against flood events. The data centers receive power from two different feeder channels and are additionally supported by power generators and UPS, all with automated switch-over in the rare event of a power outage. The data center's electrical power systems are designed to be fully redundant and maintainable without impact on operations, 24 hours a day, seven days a week. UPS units provide backup power for critical and essential loads in the facility in the event of an electrical failure, and generators provide backup power for the entire facility.

Climate controls are required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

5.9. Security Operations...

LambdaTest maintains a formal information security management program with dedicated security personnel reporting to LambdaTest's Head of Security. LambdaTest has established a formal policy and process for the requirements and key information security considerations for information technology operations, including the definition of standard operating procedures, change management, configuration management, release management, information backup, and restoration and cloud computing.

A number of security controls are in place to protect data, information, and information systems, and to monitor LambdaTest for suspicious activity.

  • Documented operating procedures: Procedures for operational activities associated with information processing and communication facilities have been formally laid down and are maintained to ensure the correct and secure management of information processing facilities.
  • Malware and spam protection: Anti-malware systems and services are in use to detect, prevent and report malicious software and activity. All in-scope systems are configured with malicious code protection and detection software, systems are kept up-to-date and definitions are updated regularly.
  • Logging and Monitoring: We monitor and analyze information gathered from services, internal traffic in our network, and usage of devices and terminals. We record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are automatically monitored and analyzed to a reasonable extent that helps us identify anomalies such as unusual activity in employees’ accounts or attempts to access customer data. We store these logs in a secure server isolated from full system access, to manage access control centrally and ensure availability.
  • Backup: All data hosted on the cloud is synced in real time (subject to cross-regional network latency) across Availability Zones (AZs) or to a separate AWS or Azure region other than the one hosting the Customer-serving infrastructure. Each AWS or Azure AZ and region is designed to be isolated from the others, which helps achieve the greatest possible fault tolerance and stability. Data sync happens in an active-active model, and each side is equipped to independently handle the load in case of a failure.
  • Technical Vulnerability Management: LambdaTest has a standard for vulnerability management that is CVSS based on severity (critical, high, medium, and low) as reported by our scanning vendor(s). Remediation timeframes are determined through a combination of CVSS level, impact analysis of remediation options on our customers and business, and contractual SLAs.
  • Control of operational software: Applications and operating system software are implemented only after successful testing on separate systems; the tests cover usability, security, effects on other systems, and user-friendliness. Operational systems hold only approved executable code, not development code or compilers.
  • Information system audit: The required guidelines are already defined internally and must be followed by all LambdaTest employees.

5.10. Change Management...

LambdaTest management believes in establishing a cross-functional working model based on the size, nature of activities and emerging business realities for product development, support and maintenance. LambdaTest uses the Scrum model from the agile framework in combination with the Continuous Integration and Continuous Deployment (CI/CD) approach to ensure faster delivery of functionality to its Customers. Members from various teams form a "Squad" to work on the core functionality or features of the product and the underlying infrastructure. Secure coding standards and guidelines have been published to the Squad and Development teams by the Application Security team.

Change Squad Composition

A Squad consists of the following members:

  • Product Manager
  • Squad Lead
  • Tribe members
  • Tribe leads

Code Version Management

Continuous integration, the "CI" in the CI/CD cycle, is paramount to faster development cycles. Every block of code is unit tested before it is checked in to the code repository using a source control tool. Any change to the uncompiled source code is tracked for code integrity, and the most up-to-date library is maintained for subsequent sprints. Once the code is approved by the Quality Assurance team, it is committed for promotion to the staging and production environments.

All product inputs, including enhancements, bugs and fixes, are accumulated in a central repository owned by the Product owners. SLAs are defined for fixing issues and priorities are assigned; the Product owners then decide what gets into each sprint based on our priority criteria. All security fixes are treated as high priority and bundled into the earliest possible sprint. Our DevOps sprints are powered by a Squad that includes the Product owner, Squad Lead, Tribe Lead, and Tribe Members.

Change Verification and Approval

Following the principles of Security by Design, at LambdaTest, product security is part of the blueprint and design consideration in every build cycle. Accordingly, the Application Security and Cloud Security teams are part of the build cycles. Multiple security checks, including code reviews, web vulnerability reviews, and advanced security tests, are performed in every build. Source code analysis is performed using the adopted tools. Vulnerabilities are identified, fixed and revalidated before the code is promoted to production. Apart from that, the builds are put through stringent functionality tests, performance tests, stability tests, and UX tests before the build is certified as "Good to go". Static code analysis is carried out during unit testing, before the code is compiled for a runtime environment. The "Good to go" flag serves as the gating mechanism for code promotion to the production environment.

Change Deployment

To reduce possible downtime, code promotions use the Blue-Green Deployment model, which reduces risk by running two identical production environments called Blue and Green. At any time, only one of the environments is live and serves all production traffic. During a product update, deployment and the final stage of testing take place in the environment that is not live (Green). Once the deployment and acceptance criteria have been fully tested, production traffic is switched from Blue to the updated build in Green. Green then becomes the live environment and Blue is moved to an idle state. If something unexpected happens with the new version in Green, we can immediately roll back to the previous version by switching traffic back to Blue.

5.11. Capacity & Performance Planning...

The capacity management process is established to ensure there is continuous harmony between Business capacity management (strategic and forecasting) and service capacity management (tactical).

The capacity management process carried out by Cloud Infra is to make sure the application is available 24x7 round the year, except during the planned downtime.

The capacity management process applies to the following:

  • Products offered by LambdaTest
  • Network components
  • Server components
  • Applications
  • Services (system processes)
  • Other critical information systems as identified by the LambdaTest team based on Risk Assessment.

We maintain at least 20% headroom for unexpected traffic. The following are the typical parameters used for managing capacity:

  • CPU and Memory load
  • IO load and job queue length
  • Concurrent connection (RPM- Requests per minute)
  • Error rate in the system
  • App specific parameters

The capacity management has two approaches:

  • i. Proactive Approach: This is primarily accomplished by having a regular stream of communication between the Customer facing teams and the operations teams. Based on the projections made for new customers, the operations team would be able to arrive at various capacity requirement specifications and would go about following their standard operating procedures (SOP) for provisioning the additional capacity to the fleet. All business-critical components are also provisioned with autoscaling [Auto Scaling the capacity once the headroom is breached]
  • ii. Reactive Approach: The Production environment is monitored 24x7 by a NOC team, which uses a multitude of tools to monitor the production environment. When any parameter crosses its threshold, the NOC team follows a SOP to commission additional capacity. The alerting system identifies the exact cluster of machines that is either underperforming or has failed, and the NOC team uses this information, together with the SOP, to mitigate the situation.

5.12. Communications Security...

LambdaTest has ensured that sufficient security and privacy controls are architected to protect the confidentiality, integrity, availability, and safety of the organization's network infrastructure. The network enforces the concept of "least functionality" by restricting network access to systems, applications, and services, and provides situational awareness of activity on the organization's networks.

LambdaTest has deployed an information technology network to facilitate its business and has established management direction, principles, and standard requirements to ensure that appropriate protection of information on its networks is maintained and sustained. Some of the controls in place to protect exchanged information from interception, copying, modification, misrouting, and destruction are as follows:

  • Network Controls: LambdaTest monitors and updates its communication technologies periodically to provide network security as per industry-best practices. Cryptographic techniques are used to protect the confidentiality, integrity, and authenticity of sensitive and confidential information. Firewall rules and access restrictions are reviewed regularly.
  • Infrastructure Controls: LambdaTest uses an Intrusion Detection System (IDS), a Security Information and Event Management (SIEM) system and other security monitoring tools on the production servers hosting the LambdaTest product service. Notifications from these tools are sent to the Security Team so that they can take appropriate action.
  • Secure Communication: All data transmissions to LambdaTest services are encrypted using TLS, and we use certificates with SHA-256 signatures, ensuring that our users have a secure connection from their browsers to our service. We use current, updated cipher suites.
  • The LambdaTest Product is always connected to the web app via HTTPS using TLS (the successor of Secure Sockets Layer, SSL), a cryptographic protocol designed to protect against eavesdropping, tampering, and message forgery.
  • Retention and disposal guidelines are defined for all business correspondence, including messages, under the defined standard.
  • Segregation of the network shall be done by establishing V-LAN/ DMZ architecture. In either case, Testing, Production and Development environment shall be segregated as well.
  • Agreements have been established for the secure transfer of business information to external parties (such as customers, suppliers, and other interested parties).
  • The roles and responsibilities for management of network security shall be clearly defined, communicated and reviewed regularly to ensure optimum operative effectiveness and necessary segregation of duties shall be done to attain the said objective.

5.13. System Acquisition, Development, and Maintenance...

LambdaTest’s Software Development Lifecycle (SDLC) standard has been established and adopted for planning, requirement analysis, design, development, testing, and maintenance of the product platform. SDLC process was designed from the ground up and integrated into multiple stages of the development lifecycle to help keep Customer information safe and secure.

LambdaTest ensures that security and privacy principles are implemented in each product or platform, whether developed internally or acquired, so that the concepts of "least privilege" and "least functionality" are incorporated and the development process for any acquired or developed system, application or service follows secure engineering principles.

There are controls which are in place to achieve the information security and data protection requirements:

i. LambdaTest product security practices are measured using industry standard and methodologies. LambdaTest follows an Agile and DevOps SDLC model with focus on process adaptability, Customer satisfaction, and Quality delivery.

ii. The products are broken into small incremental builds, provided in iteration. Every iteration involves cross-functional teams /PODs working simultaneously on various areas like planning, requirements analysis, design, coding, unit test and acceptance testing.

iii. LambdaTest product services include many activities that enhance the security and privacy posture:

  • Defining security and privacy requirements
  • Design (threat modeling and analysis, security design review)
  • Development controls (static analysis, manual peer code review)
  • Testing (dynamic analysis, 3rd party security vulnerability assessments and Pen Test)

iv. It comprises a rigorous set of comprehensive industry best practices and frameworks spanning software development practices, processes and tools, per ISO 27001 and ISO 27034 guidance and applicable OWASP and CIS standards.

5.13.1. Platform Security...

Network Infrastructure Overview

The LambdaTest network architecture is designed using a multi-tiered security framework, with each tier complementing the others to provide a fault-tolerant architecture. All services and data are hosted in a Virtual Private Cloud (VPC) and are mirrored across multiple availability zones.

The application makes use of the core infrastructure elements from AWS and Microsoft Azure:

  • Load Balancer for network load balancing service
  • Elastic Compute Cloud (EC2) instances / Virtual Machines as virtual servers
  • Relational Database Service (RDS) / Azure SQL as database
  • Transform and Load capabilities
  • Key Management Service (KMS) for component encryption key management
  • VPC / VNet for a dedicated network within the cloud space
  • S3 buckets / Storage Blobs for storage service
  • SQS for message queuing and batch processing service
  • Cache layer hosted using CDN and Cloudflare
  • Geo-proximity routing using Route 53 and Cloudflare

The Load Balancer is where all the external connections are terminated. The Load Balancer and Cloudflare WAF provide DDoS protection from the external network. The Load Balancer transfers the incoming connection to the private subnets that contain the application stack.

The platform also integrates with a set of external technology components, which are specifically called out as sub-processors. In addition, we provide the ability to integrate with a few third-party apps or, through API-based integrations, with custom apps within our Customer's environment.

Networking Security Overview

The network has been decoupled and has multiple firewall rules that reduce the attack surface in case of any breach. Our firewall is configured in deny-all mode, which allows only explicit traffic that meets the specific criteria set in our firewall security groups. Further, we have configured advanced routing rules and criteria across the network security groups to secure our network and services from advanced web application exploits that could compromise application security or availability or consume excessive network resources.

All inbound HTTPS calls hit the reverse proxy that acts as the first level of application load balancer. The high availability zones are made resilient with Load balancers. Cross network access is disallowed due to security reasons.

Using a combination of Load Balancer, network firewall, and highly scalable DNS services we have implemented strong DDoS mitigation capabilities. The Cloudflare WAF (web application firewall) has been deployed to block Layer 7 and Layer 4 attacks and to provide Distributed Denial of Service (DDoS) protection along with rate limiting.

The VPC’s / Vnet features and associated capabilities are:

  • Security groups act as a firewall, controlling both inbound and outbound traffic at the instance level.
  • Network Access Control Lists (ACLs) act as a firewall for associated subnets, controlling both inbound and outbound traffic for each subnet (private network) within VPC.
  • Administrative access is secured using SSH connection between Bastion host and individual platform components.
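The deny-all posture described above only holds if every explicit allow rule is justified, so a practitioner will want a check that reads the security groups back and flags rules that contradict the design: world-open ingress on anything but the load balancer's HTTPS port, SSH reachable from anywhere rather than from the bastion host, or an "all traffic" rule. The following is an added example, not LambdaTest's tooling. It runs over a constructed sample in the shape of the EC2 DescribeSecurityGroups response; the group ids, names, CIDRs and the choice of which group is the bastion are assumptions.

```python
from typing import Dict, List, Tuple

WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of boto3's describe_security_groups() output.
# Group ids, names and rules are invented for this example.
SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-lb", "GroupName": "public-lb",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
          "UserIdGroupPairs": []}]},
    {"GroupId": "sg-bastion", "GroupName": "bastion",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "GroupName": "app-tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
          "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-lb"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,          # misconfiguration
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
          "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "GroupName": "database",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],      # all protocols/ports
          "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]


def _covers_port(rule: Dict, port: int) -> bool:
    """True if the rule admits traffic to the given TCP/UDP port."""
    if rule["IpProtocol"] == "-1":
        return True
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def audit_ingress(groups: List[Dict],
                  public_https_groups: Tuple[str, ...] = ("sg-lb",),
                  bastion_group: str = "sg-bastion") -> List[Tuple[str, str]]:
    """Return (group_id, message) for every rule that breaks the deny-all design."""
    findings = []
    for group in groups:
        gid = group["GroupId"]
        for rule in group["IpPermissions"]:
            cidrs = ({r["CidrIp"] for r in rule.get("IpRanges", [])}
                     | {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])})
            src_groups = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
            proto = rule["IpProtocol"]
            if proto == "-1":
                findings.append((gid, "all protocols and ports allowed from %s"
                                 % sorted(cidrs | src_groups)))
                continue
            ports = "%s-%s" % (rule.get("FromPort"), rule.get("ToPort"))
            https_only = (gid in public_https_groups
                          and rule.get("FromPort") == 443 and rule.get("ToPort") == 443)
            if (cidrs & WORLD) and not https_only:
                findings.append((gid, "world-open ingress %s/%s" % (proto, ports)))
            if (proto == "tcp" and _covers_port(rule, 22) and gid != bastion_group
                    and (cidrs or src_groups - {bastion_group})):
                findings.append((gid, "SSH reachable from %s instead of the bastion group"
                                 % sorted(cidrs | src_groups)))
    return findings
```

Against real infrastructure the same function takes the `SecurityGroups` list returned by `boto3.client("ec2").describe_security_groups()`; running it in CI after every infrastructure change turns the "firewall rules are reviewed regularly" statement into an automated gate.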

Multi-Tenancy

Each application is serviced from an individual virtual private cloud and each customer is uniquely identified by a tenant ID. The application is engineered and verified to ensure that it always fetches data only for the logged-in-tenant. Per this design, no customer has access to another Customer’s data.
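One way to make the "always fetch data only for the logged-in tenant" rule verifiable is to bind the tenant id from the authenticated session into every query instead of trusting an object id supplied in the request. The following is an added example (not LambdaTest's code) using an in-memory SQLite table with constructed rows: an unscoped lookup that leaks another tenant's row sits beside a tenant-scoped repository. The table name, columns and tenant ids are assumptions.

```python
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants, one test run each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test_runs ("
                 "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO test_runs VALUES (?, ?, ?)",
                     [(1, "tenant-a", "a-smoke"), (2, "tenant-b", "b-regression")])
    conn.commit()
    return conn


def get_run_unscoped(conn: sqlite3.Connection, run_id: int) -> Optional[Tuple[str, str]]:
    """Vulnerable pattern: the query keys on the object id only, so any authenticated
    user who guesses or increments an id reads another tenant's row (an IDOR)."""
    return conn.execute("SELECT tenant_id, name FROM test_runs WHERE id = ?",
                        (run_id,)).fetchone()


class TenantRepo:
    """Scoped pattern: the tenant id is taken from the authenticated session once,
    at construction, and every query carries it, so callers cannot forget the filter."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str):
        self._conn = conn
        self._tenant_id = tenant_id

    def get_run(self, run_id: int) -> Optional[Tuple[str, str]]:
        # A foreign id yields "not found" rather than "forbidden", so the response
        # does not confirm that the id exists for some other tenant.
        return self._conn.execute(
            "SELECT tenant_id, name FROM test_runs WHERE id = ? AND tenant_id = ?",
            (run_id, self._tenant_id)).fetchone()

    def list_runs(self) -> List[Tuple[int, str]]:
        return self._conn.execute(
            "SELECT id, name FROM test_runs WHERE tenant_id = ? ORDER BY id",
            (self._tenant_id,)).fetchall()
```

The "engineered and verified" claim in the paragraph above is the kind of thing a test suite should pin down: for every data-access method, a test that opens a session as one tenant and asks for an id owned by another must get nothing back.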

Encryption and Tokenization

Data at rest is encrypted using AES-256 bit standards with keys being managed by key management services.

All data in transit is encrypted using HTTPS with TLS 1.2 and above for accounts hosted in the LambdaTest domain (lambdatest.com). For accounts hosted on independent domains, an option to enable a secure (TLS) connection is available.
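Added example, not LambdaTest's code: a client-side TLS configuration that matches the "TLS 1.2 and above, current cipher suites" statement in this paragraph and in the Secure Communication bullet of section 5.12, together with a check that reports what a server actually negotiates. The cipher string is an assumed baseline rather than a LambdaTest setting, certificate verification uses the system trust store, and the probe target is whatever host the caller supplies.

```python
import socket
import ssl
from typing import Dict


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.2+ only, certificate and hostname verification on, and only AEAD suites
    with forward secrecy. The cipher string is an assumed baseline."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def legacy_disabled(ctx: ssl.SSLContext) -> bool:
    """True if the context can never negotiate SSLv3/TLS 1.0/1.1 or a weak cipher."""
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        return False
    weak = ("RC4", "DES", "MD5", "NULL", "EXPORT")
    return not any(w in c["name"].upper() for c in ctx.get_ciphers() for w in weak)


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """What an auditor would record about a client configuration."""
    ciphers = ctx.get_ciphers()
    return {
        "minimum_version": ctx.minimum_version.name,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "cipher_count": len(ciphers),
        # TLS 1.3 suites omit the key exchange from the name but are always ephemeral.
        "forward_secrecy_only": all("ECDHE" in c["name"] or c["protocol"] == "TLSv1.3"
                                    for c in ciphers),
    }


def probe_server(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Connect with the hardened context and report the negotiated protocol, cipher
    and certificate expiry. Needs network access; the offline test does not call it."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "not_after": cert.get("notAfter"),
                    "subject": dict(x[0] for x in cert.get("subject", ()))}
```

A server that still offers TLS 1.0 will fail the handshake against this context with a protocol-version alert, which is the behaviour the "TLS 1.2 and above" statement commits to; `probe_server` makes that visible per host, and `not_after` is the field to watch against the 365-day renewal cycle described below.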

We use DigiCert certificates for domain management, and ISRG Root X1 (the Let's Encrypt chain of trust) is the certificate authority. We use email-based verification to obtain certificates. These certificates are managed via AWS ACM and the DigiCert panel and are set to renew every 365 days. Only dedicated members of the cloud infrastructure team can view and download the certificate details.

All passwords at storage are one-way hashed and salted using bcrypt.

All third-party API calls are authorized using OAuth 2.0, and the access tokens are stored in an encrypted database.

Code Security

Secure coding guidelines based on the OWASP Secure Coding Guidelines are shared with the engineering teams. These guidelines include, but are not limited to, input validation, output encoding, session management, error handling, and logging. Developers are also trained on the secure coding guidelines by the Security Engineering team at least on an annual basis.

Static code analysis is performed for all newly developed code. For every code commit, automated static analysis (SAST) and software composition analysis (SCA) are performed using Snyk and GitHub's SCA for quality and security issues. All code is also scanned with TruffleHog for hard-coded secrets and credentials.
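The hard-coded secret check above can be illustrated without the scanner itself. The following added example (not LambdaTest's code, and not TruffleHog's) combines fixed-format detectors for well-known credential shapes with a Shannon entropy test on quoted values assigned to secret-like names, so that placeholders such as REDACTED pass while random-looking strings are flagged. The sample source lines are constructed; the AWS key in them is the example key from AWS's own documentation, and the 3.0 bits-per-character threshold is an assumption.

```python
import math
import re
from dataclasses import dataclass
from typing import List

ENTROPY_THRESHOLD = 3.0   # assumed cut-off in bits per character for "random-looking"

# Fixed-format detectors: these shapes are credentials regardless of entropy.
FIXED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}
# A quoted literal assigned to a secret-looking name; judged by its entropy.
ASSIGNMENT = re.compile(
    r"""(?i)(?:secret|password|passwd|token|api[_-]?key)\w*\s*[:=]\s*['"]([^'"]{8,})['"]""")


@dataclass
class Finding:
    line: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character; equals log2(len(s)) when every character is distinct."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(source: str) -> List[Finding]:
    """Report fixed-format credentials and high-entropy secret assignments by line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        hit = False
        for kind, pattern in FIXED_PATTERNS.items():
            m = pattern.search(line)
            if m:
                findings.append(Finding(lineno, kind, m.group(0)))
                hit = True
        if hit:
            continue
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(lineno, "high_entropy_assignment", m.group(1)))
    return findings


# Constructed sample: line 2 is AWS's documented example key, line 3 a placeholder,
# line 4 an invented random-looking value, line 5 the correct pattern (read from env).
SAMPLE_SOURCE = """\
import os
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
db_password = "REDACTED"
api_key = "q7Xz9kLm2pRt4vWn8bHj"
token = os.environ["API_TOKEN"]
"""
```

Running `scan` as a pre-commit hook over the staged diff is the cheapest place to catch a leaked credential; once a secret has reached a shared branch the only safe remediation is to rotate it, since history rewriting does not recall clones that already exist.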

Bugs Reporting

LambdaTest takes the security of its systems seriously and values the security community. The responsible disclosure of security and privacy vulnerabilities helps LambdaTest in ensuring the security and privacy of its users. Bugs can be reported through email at security@lambdatest.com

Application Security

We take steps to securely develop and test against threats to ensure the safety of our customer data. LambdaTest maintains a Secure Development Lifecycle, in which training our developers and performing design and code reviews take a prime role. In addition, LambdaTest employs third-party security experts to perform detailed penetration tests on different applications within our family of product platforms.

5.14. Third-Party Management...

LambdaTest partners with organizations that like itself adhere to global standards and regulations. These organizations include sub-processors or third parties that LambdaTest utilizes to assist in providing its products. The list of sub-processors along with their roles in processing and their processing location are disclosed in the following link: https://www.lambdatest.com/legal/sub-processor

Third Party Onboarding

Based on the nature of data involved, vendors are classified into 5 categories:

  • Category 1 – Handles Customer Data (stores, processes, or transmits it) (e.g. Microsoft Azure, AWS)
  • Category 2 – LambdaTest internal critical production tools (e.g. SIEM, CRM)
  • Category 3 – LambdaTest internal business tools or applications (e.g. Slack, Google Suite)
  • Category 4 – LambdaTest internal business tools involving employee PII (e.g. HRMS)
  • Category 5 – LambdaTest internal business tools not involving PII (e.g. anonymous feedback)

All vendors will have to fill up a questionnaire and undergo information security and privacy compliance review. External audit reports and compliance certificates are mandated for Category 1. For all Category 1 applications, LambdaTest will provide 15 days advance notice to existing Customer prior to introducing the vendor in the production environment. Sign-off from Legal team and MSA/DPA and /or BAA as applicable will be executed with the application /vendor as part of the contracting process.

For all other categories, external audit reports are requested; in their absence, the vendor's internal audit reports and policies and procedures are reviewed and audited to decide on security and compliance clearance. This is handled by the LambdaTest vendor management team.

Third-Party Risk Management

Regular assessments are conducted on such service providers to ensure that data is processed in a fair manner and only for the purposes for which it was collected. Apart from evaluation of technical requirements, an examination of data protection measures, compliance with LambdaTest's security and privacy requirements, and a review of audit reports is conducted before onboarding the service provider. The service provider's vulnerability management, patch management processes and intrusion protection capabilities are also reviewed. Copies of the access management process, third-party vulnerability testing reports, SOC 2 reports, ISO 27001/27701 certificates, PCI DSS AOC, etc. are shared by the service partner and reviewed by LambdaTest.

Data Governance

Requirements regarding breach notifications and reporting obligations are flowed down to LambdaTest sub-processors through the Data Processing Addendum executed with each sub-processor. All contracts are reviewed by the Legal team (and by the GRC team regarding breach notification and reporting obligations, rights to audit, support for subject access requests and other security and privacy safeguards) prior to execution, and the GRC team reviews the service providers on a periodic basis as per its Risk Management Process.

5.15. Incident Response...

LambdaTest has defined a security incident management process to classify and handle incidents and security breaches. The information security team is responsible for recording, reporting, tracking, responding to, resolving, and monitoring incidents and for communicating about them to the appropriate parties in a timely manner. The process is reviewed as part of periodic internal audits and is audited as part of the ISO 27001 and SOC 2 Type II assessments.

You may contact our 24x7 hotline at security@lambdatest.com to report complaints/breaches.

Breach Notification

LambdaTest has processes established for early identification and reporting of incidents and breaches. Accordingly, as a data controller, we notify the concerned Data Protection Authority of a breach within 72 hours after we become aware of it. Depending on specific requirements, we will also notify Customers when necessary. As a data processor, we inform the concerned data controllers without undue delay. The Data Protection Officer is responsible for reporting security incidents and breaches to Customers.

Customers have a dedicated Customer Success Manager who is the single point of contact (SPOC) for reporting. The account owner/admin of the Customer's LambdaTest platform is notified of any security incident that has an impact on the Customer. If the Customer provides email distribution lists, we can report to those as well. We are happy to agree contractually on such requirements by mutual concurrence.

5.16. Business Continuity & Disaster Recovery...

Business Continuity Plan

LambdaTest has a formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) defined and implemented to enable people, process, and technology support during any crisis or business interruptions. Appropriate roles and responsibilities have been defined and documented. LambdaTest Customer Success team will be responsible for communication and notification during a crisis.

Business Impact Assessment (BIA) is carried out for all applicable processes which form the basis for BCP & DRP. All critical operations, processes, and facilities are included as part of BIA, and accordingly BCP and DRP requirements are planned. Dependencies are identified and all strategies that are applicable have been considered as part of BCP and DRP requirements.

The BC and DR Plan is tested and reviewed on a yearly basis by the LambdaTest Information Security Officer (ISO) and approved by ISCSC (Information Security & Compliance Steering Committee). On a yearly basis, training on BCP and DRP requirements is provided to all relevant workforce members involved in the process. The BCP and DR plan of LambdaTest is reviewed and audited as part of ISO 27001 standards and SOC 2 Type II covering availability as one of the trust service principles.

Real-Time Back-Up

All data hosted on the cloud is synced in real time (subject to cross-regional network latency) across Availability Zones (AZs) or to a separate AWS or Azure region other than the one hosting the Customer-serving infrastructure. Each AWS or Azure AZ and region is designed to be isolated from the others, which helps achieve the greatest possible fault tolerance and stability. Data sync happens in an active-active model, and each side is equipped to independently handle the load in case of a failure.

Fault Tolerance using High Availability & Redundancy

LambdaTest uses high-availability solutions to provide continuous service to its Customers. High availability (HA) is achieved using AWS and Azure Availability Zones (AZs) within the AWS and Azure regions in which LambdaTest hosts the application for Customers. Each AWS and Azure data-center region has multiple isolated AZs, and LambdaTest places resources and data in several of these locations within the region.

Each AZ is physically separated within a metropolitan region, connected through low-latency links, located in lower-risk flood plains, and supported by different power grids, multiple tier-1 transit providers, UPS, and on-site backup generators, reducing single points of failure (SPOF).

5.17. Endpoint Security...

Antivirus is deployed on all endpoints for protection against viruses and malware; signature updates are pushed to all systems periodically. The product in use, Cortex XDR, is an AI/ML-supported antivirus and antimalware agent that applies multiple protection methods at critical phases of the attack lifecycle to prevent the execution of malicious programs and stop the exploitation of legitimate applications.

It stops malware, exploits, and ransomware before they can compromise the endpoint and provides protection in both online and offline modes.

All employees are issued company-provided assets (i.e. laptops) for carrying out their responsibilities. These endpoints run a standard build, are enrolled in an MDM solution for device control and management, and authenticate via single sign-on (IAM) with two-factor authentication.

All laptops and workstations are secured with full-disk encryption and provisioned from a centrally managed image. We apply updates to employee machines on an ongoing basis and monitor employee workstations for malware. We also have the ability to apply critical patches or remotely wipe a machine via the device manager. Wherever possible, we use two-factor authentication to further secure access to our corporate infrastructure.

Email Security

All outbound email is signed for the LambdaTest.com domain, and email is encrypted in transit.
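A receiving party can verify the "signed by the domain" claim above by checking that the DKIM signing domain (the d= tag) aligns with the From: domain and that the sender publishes an enforcing DMARC policy. The following is an added example, not LambdaTest tooling; it assumes the domain signing is DKIM, uses a constructed message and a constructed DMARC record, and checks alignment only (the cryptographic signature itself would be verified by a DKIM library or the receiving MTA).

```python
"""Check DKIM/From alignment and classify a DMARC policy.
Added example; the message and DMARC record below are constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: d= in DKIM-Signature matches the From: domain.
SAMPLE_MESSAGE = """\
From: LambdaTest Security <security@lambdatest.com>
To: admin@customer.example
Subject: Test notification
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lambdatest.com;
 s=selector1; h=from:to:subject; bh=ZmFrZQ==; b=ZmFrZXNpZw==

Hello.
"""

# Constructed DMARC TXT record, as would be published at _dmarc.<domain>.
SAMPLE_DMARC = "v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@lambdatest.com"


def parse_tag_value(text):
    """Parse the 'k=v; k2=v2' tag list syntax shared by DKIM and DMARC."""
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Assumption: last two labels approximate the organizational domain.
    # Production code should use the Public Suffix List instead.
    return ".".join(domain.lower().split(".")[-2:])


def dkim_alignment(raw_message):
    """Return (signing_domain, from_domain, mode); mode is 'strict',
    'relaxed', or None when there is no signature or no alignment."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None, from_domain, None
    d = parse_tag_value(sig).get("d", "").lower()
    if d == from_domain:
        return d, from_domain, "strict"
    if d and org_domain(d) == org_domain(from_domain):
        return d, from_domain, "relaxed"
    return d, from_domain, None


def dmarc_policy(record):
    """Return {'p': ..., 'adkim': ...} or None if this is not a DMARC record."""
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r")}


def message_dmarc_aligned(raw_message, dmarc_record):
    """True when the DKIM d= domain satisfies the record's adkim mode."""
    _, _, mode = dkim_alignment(raw_message)
    policy = dmarc_policy(dmarc_record)
    if policy is None or mode is None:
        return False
    if policy["adkim"] == "s":
        return mode == "strict"
    return True
```

A policy of p=none means DMARC is reporting-only; a Customer validating a vendor's mail posture would want to see p=quarantine or p=reject together with aligned DKIM.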

5.18. Risk Management...

LambdaTest has developed a Risk Management Framework as part of its Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2013. The information security and GRC team assesses security risk annually and on an ongoing basis whenever major internal changes occur or significant events occur in the industry.

Risk assessment (RA) shall be performed on a recurring basis, bi-annually or whenever any of the following changes occur:

  • Technology, infrastructure or process-related changes
  • Introduction/change of suppliers
  • Changes that lead to exceptions to LambdaTest policies
  • Changes that affect the legal or regulatory requirements of the system
  • Any other changes that are considered to be significant by the management of LambdaTest

Sources of risk include, but are not limited to, the following:

  • Self-assessment, including security and process risks
  • Customer complaint/feedback
  • Internal/external audit
  • Regulatory requirement
  • Security incident/event
  • Technology/geopolitical change

Key enablers (people, premises, process, and technology) shall be documented for each risk identified in the risk register to ensure appropriate control implementation.

Appropriate risk treatment plans (reduce, avoid, transfer, or retain the risk) are considered and approved by the CEO and the Risk Owner. The risk assessment, selection of top risks, and risk treatment plans are reviewed, and their progress tracked, by the ISCSC.

5.19. Vulnerability & Patch Management...

LambdaTest has the following processes and controls for handling vulnerabilities in its products and infrastructure.

Source Code

Secure coding guidelines based on the OWASP Secure Coding Guidelines are shared with the engineering teams. The guidelines include, but are not limited to, input validation, output encoding, session management, error handling, and logging. Developers are also trained on the secure coding guidelines by the Application Security team at least yearly.

Product

On an annual basis, external VAPT of the product is performed by third-party audit firms. This is gray-box testing: the external vendor is given an application walkthrough, then runs automated scans to identify weaknesses in the application (including the OWASP Top 10) and manual tests covering application features such as authorization, authentication, session management, injection, input validation, and transmission security.

Issues identified in all these activities are logged as tickets (internal tool) and fixed by the respective teams within the SLAs defined by the vulnerability management process: Critical, 1 to 7 days; High, 15 days; Medium, 30 days; Low, 45 days. Delays, if any, are notified to the respective department head, and exceptions are escalated to the CEO through the risk tracker.

Cloud Infrastructure

LambdaTest uses AWS and Microsoft Azure for its infrastructure. The product network is managed by the LambdaTest cloud infrastructure team. Its components include EKS, application servers, web servers, caches, background workers, database servers, and S3, which together make up the application and data layers. Only the traffic required for business is allowed; everything else is blocked via security groups and network ACLs (NACLs).
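The "only necessary traffic is allowed" statement is something a reviewer can verify mechanically by auditing security-group ingress rules for world-reachable ports outside an agreed allow-list. The following is an added example, not LambdaTest's own tooling; the JSON is a constructed stand-in shaped like `aws ec2 describe-security-groups` output, and the allow-list of public ports (80 and 443) is an assumption.

```python
"""Audit security-group ingress for world-open ports outside an allow-list.
Added example; the describe-security-groups JSON below is constructed."""
import json
from ipaddress import ip_network

# Assumption: only HTTP/HTTPS may be reachable from 0.0.0.0/0 or ::/0.
ALLOWED_PUBLIC_PORTS = {80, 443}

SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [
        {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-db", "GroupName": "database", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
        {"GroupId": "sg-bastion", "GroupName": "bastion", "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ]
})


def is_world(cidr):
    """A /0 prefix (v4 or v6) means 'anyone on the internet'."""
    return ip_network(cidr).prefixlen == 0


def rule_ports(perm):
    """Port range covered by a rule, or None for 'all protocols/ports'."""
    if perm.get("IpProtocol") == "-1":
        return None
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo == -1:
        return None
    return range(lo, hi + 1)


def audit_security_groups(describe_json, allowed_public_ports=ALLOWED_PUBLIC_PORTS):
    """Return (GroupId, reason) for every rule that exposes more than the
    allow-list to the world. Rules scoped to private CIDRs are ignored."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_world(c) for c in cidrs):
                continue
            ports = rule_ports(perm)
            if ports is None:
                findings.append((sg["GroupId"], "all ports/protocols open to the world"))
                continue
            bad = sorted(set(ports) - set(allowed_public_ports))
            if bad:
                findings.append((sg["GroupId"], f"world-open ports outside allow-list: {bad}"))
    return findings
```

Against live output, the same function flags the database group and the wide-open bastion group while accepting 443 on the web tier; NACLs would need a separate pass, since they are stateless and evaluated by rule number rather than as a union of permits.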

We use Docker containers, which are scanned internally every day via AWS Security Hub and Snyk; scans also check for security misconfigurations against CIS benchmarks.
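To make the "misconfigurations against CIS benchmarks" check concrete, here is an added example (not the scanner LambdaTest uses) that statically checks a Dockerfile for a handful of build-file items from the CIS Docker Benchmark: run as a non-root user, include a HEALTHCHECK, do not run a package index update alone in a layer, prefer COPY over ADD, and do not bake secrets into ENV. The section numbers in the comments are from the v1.x benchmark as I recall them and should be confirmed against the version you adopt; the base-image pinning check is a common hardening practice rather than a numbered item. Both Dockerfiles are constructed.

```python
"""Static Dockerfile checks for a few CIS Docker Benchmark build-file items.
Added example; the two Dockerfiles are constructed."""
import re

BAD_DOCKERFILE = """\
FROM python:latest
ADD app.tar.gz /app
RUN apt-get update
RUN pip install -r /app/requirements.txt
ENV DB_PASSWORD=hunter2
CMD ["python", "/app/main.py"]
"""

GOOD_DOCKERFILE = """\
FROM python:3.11-slim@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
COPY app/ /app/
RUN apt-get update && apt-get install -y --no-install-recommends curl \\
    && rm -rf /var/lib/apt/lists/*
RUN useradd --system --no-create-home app
USER app
HEALTHCHECK --interval=30s CMD curl -f http://localhost:8080/health || exit 1
CMD ["python", "/app/main.py"]
"""


def parse_instructions(text):
    """Return (INSTRUCTION, argument) pairs, joining backslash continuations."""
    joined = re.sub(r"\\\n\s*", " ", text)
    out = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, arg = line.partition(" ")
        out.append((instr.upper(), arg.strip()))
    return out


def check_dockerfile(text):
    """Return a list of human-readable findings; empty means all checks passed."""
    instrs = parse_instructions(text)
    names = {name for name, _ in instrs}
    findings = []
    if "USER" not in names:
        findings.append("no USER instruction; container runs as root (CIS 4.1)")
    if "HEALTHCHECK" not in names:
        findings.append("no HEALTHCHECK instruction (CIS 4.6)")
    for instr, arg in instrs:
        if instr == "FROM":
            image = arg.split()[0]
            unpinned = "@sha256:" not in image and (":" not in image or image.endswith(":latest"))
            if unpinned and image != "scratch":
                findings.append(f"base image not pinned to a tag or digest: {image}")
        elif instr == "ADD":
            findings.append(f"ADD used instead of COPY: {arg} (CIS 4.9)")
        elif instr == "RUN" and re.match(r"^(apt-get|apt|apk|yum|dnf)\s+update\s*$", arg):
            findings.append(f"package index update alone in a layer: {arg} (CIS 4.7)")
        elif instr == "ENV" and re.search(r"(PASSWORD|SECRET|TOKEN|API_KEY)\s*=", arg, re.I):
            findings.append(f"possible secret baked into image: {arg} (CIS 4.10)")
    return findings
```

The secret check is a heuristic on variable names only; a real pipeline pairs it with a secrets scanner over the build context and with image scanning (as the page describes) for vulnerable packages, which a Dockerfile linter cannot see.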

The LambdaTest application security team and DevOps team harden servers and network components against the CIS benchmarks and ensure the necessary hardening is in place.

LambdaTest runs quarterly scans using automated and manual test methods. We subscribe to a vulnerability database for our environment, which triggers alert notifications, and a SIEM tool is used for continuous monitoring. Vulnerabilities identified are logged as tickets in the internal tool and fixed by the respective teams as per the defined vulnerability management process and SLA.

Monitoring & Operations

The NOC (Network Operations Center) and SOC (Security Operations Center) teams are responsible for proactive monitoring of information security events and alerts and provide situational awareness through the detection, containment, and remediation of suspected or actual security incidents. The teams ensure that tactical rules and data sensors are configured to provide suitable early warning and alerts, and work 24x7 to identify, analyze, communicate, investigate, and report on critical information security events.

Early-warning signals have been configured to trigger alerts to our NOC and SOC teams based on event patterns and strict thresholds. The scope of monitoring covers the network perimeter and all service zones, and events are recognized based on signatures, patterns, and correlations tuned to catch false negatives and eliminate false positives. We are equipped to detect and mitigate persistent threats, DDoS, session hijacking, login spoofing, and other data-extraction strategies.
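The paragraph above describes threshold-based alerting on event patterns without showing what such a rule looks like. The following is an added example, not one of LambdaTest's SIEM rules: a sliding-window rule over authentication events that raises a brute-force alert when one source IP accumulates too many failures inside a window, and a higher-priority alert when that same source then succeeds. The JSON log lines and their field names are constructed assumptions.

```python
"""Sliding-window brute-force detection over authentication events.
Added example; the log lines and field names below are constructed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5            # assumption: 5 failures ...
WINDOW = timedelta(minutes=5)  # ... within 5 minutes from one source

# Constructed events: one source sprays several accounts, then succeeds;
# a second source has two failures far apart (should not alert).
SAMPLE_LOG = """\
{"ts": "2024-03-01T10:00:00Z", "src_ip": "203.0.113.7", "user": "alice", "result": "fail"}
{"ts": "2024-03-01T10:00:20Z", "src_ip": "203.0.113.7", "user": "alice", "result": "fail"}
{"ts": "2024-03-01T10:00:40Z", "src_ip": "203.0.113.7", "user": "bob", "result": "fail"}
{"ts": "2024-03-01T10:01:00Z", "src_ip": "203.0.113.7", "user": "carol", "result": "fail"}
{"ts": "2024-03-01T10:01:20Z", "src_ip": "203.0.113.7", "user": "dave", "result": "fail"}
{"ts": "2024-03-01T10:01:40Z", "src_ip": "203.0.113.7", "user": "dave", "result": "success"}
{"ts": "2024-03-01T10:02:00Z", "src_ip": "198.51.100.9", "user": "erin", "result": "fail"}
{"ts": "2024-03-01T10:30:00Z", "src_ip": "198.51.100.9", "user": "erin", "result": "fail"}
"""


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as (kind, src_ip, ts) tuples, in event order.

    'brute_force'         : >= threshold failures from one source inside window
    'success_after_burst' : a success from a source already flagged
    """
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    flagged = set()                # sources that already raised brute_force
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts, src = parse_ts(ev["ts"]), ev["src_ip"]
        recent = failures[src]
        # Drop failures that have aged out of the window.
        while recent and ts - recent[0] > window:
            recent.popleft()
        if ev["result"] == "fail":
            recent.append(ts)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, ev["ts"]))
        elif ev["result"] == "success" and src in flagged:
            # Success following a burst is the event worth paging on:
            # it may mean a credential was guessed or stuffed successfully.
            alerts.append(("success_after_burst", src, ev["ts"]))
    return alerts
```

The `flagged` set is never cleared here; a production rule would expire the flag after the window so that a NAT gateway shared by many users does not stay tainted indefinitely, and would key on user as well as source to catch low-and-slow spraying across many IPs.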

Patch Management

The LambdaTest patch management process is governed by the applicable policy and standard to ensure that all patches, security and otherwise, are deployed in accordance with defined SLAs.

Testing and Scanning

  • LambdaTest conducts multiple types of security scans.
  • Those scans include internal, external, authenticated and unauthenticated scans.
  • These processes are conducted both by LambdaTest and third-party resources.

Note: Customers are not allowed to conduct their own scans without explicit permission. To request permission, customers must work with their LambdaTest account teams to receive the appropriate authorization from the LambdaTest security team.

5.20. Control Assurance...

The GRC team within LambdaTest performs internal audits yearly for all the processes and controls defined. Audit findings are reported directly to the ISCSC, and the GRC team tracks and reports the remediation of the findings until closure.

The Security Product & Engineering (Application Security) team within LambdaTest provides the necessary training and guidelines for the development and QA testing teams on secure coding and testing practices. The development team uses static code analyzers as part of code review. Issues or vulnerabilities identified are fixed by the development team, and the build is then handed over to the QA team. The QA team performs security testing manually and with tools and reports issues in the tracking tool (Atlassian Jira); the development team fixes them. This cycle of revalidation continues until all issues are addressed.

The Application Security team performs vulnerability assessment and penetration testing (VA & PT) on the production environment of all LambdaTest product platforms on a recurring cadence: quarterly manual and automated web application penetration testing for LambdaTest platforms. For all other environments (staging, pre-prod, development, testing), manual and automated penetration testing is performed semi-annually. The Application Security team reports identified security vulnerabilities in the internal tool (Atlassian Jira), and the respective product team is notified to resolve them within the defined SLA.

External cyber security organizations are engaged to perform independent VA & PT annually. LambdaTest has also been independently audited by one of the global audit firms against the SOC 2 Type II framework covering the security, confidentiality, processing integrity, availability, and privacy trust service principles.

5.21. Compliance...

LambdaTest ensures controls are in place to identify and comply with all applicable statutory, regulatory, and contractual compliance obligations, as well as internal company standards.

i. LambdaTest has established a formal Compliance Policy and Procedure, which addresses the compliance aspects that must be adhered to and fulfilled under LambdaTest’s Information Security and Privacy Policies. This policy also addresses the legal and compliance requirements of relevant statutory legislation and the contractual and regulatory obligations to which LambdaTest must adhere to protect its documents, records, and assets, thereby preventing the misuse of information processing facilities. Such efforts help LambdaTest establish, maintain, and sustain the desired information security and privacy posture, aligned with the LambdaTest strategic business plan and based on best practices, standards, and principles.

ii. LambdaTest is committed to conducting its business activities lawfully and in a manner consistent with its compliance obligations. The Legal and Regulatory Compliance Policy (Compliance Policy) establishes the overarching principles and commitment to action for LambdaTest to achieve compliance by:

  • Identifying a clear compliance framework within which LambdaTest operates.
  • Promoting a consistent, rigorous, and comprehensive approach to compliance throughout LambdaTest.
  • Developing and maintaining practices that facilitate and monitor compliance within LambdaTest.
  • Seeking to ensure standards of good corporate governance, ethics, and community expectations.

iii. LambdaTest identifies all relevant regulatory and legislative requirements as per its contractual and operational requirements, and defines, documents, and updates them on a regular basis.

iv. All records for which LambdaTest is responsible under statutory/legal/regulatory authorities in India or abroad will be protected from intentional or unintentional damage and from natural causes.

v. The retention period of statutory records will be as mandated by the applicable legislation. For business records/documents, the business group heads and/or HODs shall determine the retention period with justification.

vi. LambdaTest will always seek to protect the privacy of the personal information of its customers, employees, and third parties with whom LambdaTest has signed a third-party agreement. Disclosure will be made only in keeping with statutory, contractual, regulatory, and legal requirements. Such information will always be protected from being misused, leaked, falsified, or traded with any interested party, knowingly or unknowingly.

vii. Where logs are required to be maintained under contractual, regulatory, statutory, or legal requirements, they will be maintained for the specified duration.

viii. Data or records that are no longer required for business, legal, and/or regulatory purposes will be disposed of securely.

ix. Legal restrictions on the use of assets subject to intellectual property rights (such as copyright, software licenses, trademarks, design rights, and others) will be complied with.

x. Intellectual property rights in software programs, documentation, and other information generated or provided by LambdaTest users, consultants, and contractors for the benefit of LambdaTest will be the property of LambdaTest.

xi. Intellectual property rights will be addressed in all contracts.

xii. Relevant statutory, regulatory, and contractual requirements for LambdaTest’s information assets will be defined explicitly. Such requirements include, but are not limited to:

  • Information Technology laws (the IT Act and its 2008/2011 amendments)
  • Software Licensing Requirements
  • Intellectual Property Rights (IPR) Laws
  • Labor and General Employment Laws
  • Health and Safety Laws
  • Environmental Laws

xiii. Independent consultants or bodies performing information security audits will sign appropriate confidentiality and non-disclosure agreements, and any access granted to the external party will be revoked immediately after completion of the audit.

xiv. Compliance requirements are used to enforce a minimum level of security and privacy within LambdaTest; they are by no means a “finish line” for security and privacy. The primary compliance standards are:

  • EU GDPR
  • CCPA
  • LGPD
  • HIPAA
  • ISO 27001:2013
  • ISO 27017:2015
  • ISO 27701:2019
  • SOC 2 Type II assessment
  • Cloud Security Alliance STAR Level 1

xv. Information Security Program: LambdaTest agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data and employee and third-party data, as required by the applicable Data Protection Law(s). Further, LambdaTest agrees to regularly test, assess, and evaluate the effectiveness of its Information Security Program to ensure the security of the Processing.

xvi. Any employee found to have violated this policy may be subject to disciplinary and/or legal action in accordance with the LambdaTest Code of Conduct policy and disciplinary process.

Please feel free to share your questions at security@lambdatest.com