# Secure Development Policy
| Policy owner | Effective date |
|---|---|
| @knolleary | 2023-05-01 |
# Purpose
To ensure that information security is designed and implemented within the development lifecycle for applications and information systems.
# Scope
All FlowForge applications and information systems that are business critical and/or process, store, or transmit Confidential data. This policy applies to all internal and external engineers and developers of FlowForge software and infrastructure.
# Secure Development Policy
FlowForge policy requires that:
- FlowForge software engineering and product development is required to follow security best practices. Products should be "Secure by Design" and "Secure by Default".
- Quality assurance activities must be performed as part of the routine development process. This includes, but is not limited to:
  - suitable unit testing included with any change request,
  - peer code reviews prior to merging changes,
  - continual automated testing,
  - manual product testing and verification prior to release to production.
  Code reviews should also cover documentation and tests to ensure our definition of done is achieved.
- Risk assessment activities (i.e. threat modeling) must be performed for a new product or for major changes to an existing product.
- Security requirements must be defined, tracked, and implemented.
- Security analysis must be performed for any open source software and/or third-party components and dependencies included in FlowForge software products.
- Static application security testing (SAST) must be performed throughout development and prior to each release.
- Dynamic application security testing (DAST) must be performed prior to each release.
- All critical or high severity security findings must be remediated prior to each release.
- All critical or high severity vulnerabilities discovered post release must be remediated in the next release or within the defined, predetermined timeframe.
- Any exception to the remediation of a finding must be documented and approved by the CTO.
## Secure Development Environment
FlowForge uses separate Staging and Production systems. These are logically segregated environments in different AWS accounts.
The Production environment is classified Critical with suitable controls in place to limit access to the infrastructure.
Policy derived from JupiterOne/security-policy-templates (CC BY-SA 4 license) and Vanta