Our continuous improvement cycle includes processes and incident handling regarding customer experience, service and support, security and compliance. We periodically (at least annually) have an renowned external 3rd party perform elaborated security testing on our environments. Whenever we have a major change, we have them perform interim testing. We have customers/partners in highly regulated sectors who require their own security assessments which we facilitate.
Ensuring our source code is secure is a continuous effort in Mavim, rather than a one off activity. We have adopted the DevSecOps and Microsoft Secure Development Lifecycle methodology and have a group continuous improvement cycle which feeds into DevOps as well. We employ a full-time dedicated security officer in charge of our security and compliance that includes auditing our DevOps team who are in charge of our code. In case of a major security incident we are able to deploy a security patch to all our customer environments within 1 hour.
The Mavim development team uses an agile approach to software development. Microsoft DevOps and scrum are used to achieve this. Within the scrum way of working, we use the Definition of Done (D.O.D.), which includes development, UI design, UI review, translations, code review, security review, (unit) testing and documentation. All new staff including developers are trained upon joining in our mandatory security training, which is update4d and repeated each year. We offer specific security training to our developers and reserve time in their sprint to perform security checking.
We apply the following coding practices: Server-side input validation, define per-URI access control, set "Xframe options: sameorigen" header, no sensitive information passed through URL, Prepared statements (parameterized queries) for all database requests, Output validation (escape/encode all output data), Disable unused HTTP methods, Custom error handling (generic error messages only), Set CSRF token for critical (finance, personal, administrative) transactions and links, Specify the content type and character set used to encode the HTTP response data for web pages.
Daily we perform Static Application Security Testing (SAST), and at least annually we perform Dynamic Application Security Testing (DAST) of our interfaces, without any filters such as a web application firewall. For ongoing vulnerability and code scanning we use highly recommended tooling like; SonarCloud, CredScan, WhiteSource bolt, Roslyn Analyzers etc.
We encourage people to let us know any vulnerabilities or oversights in security. Once confirmed valid, we have a nice gift in store for you. You can report vulnerabilities here: firstname.lastname@example.org.