Expand | ||
---|---|---|
| ||
Does your organisation control access to program source code in a secure manner? Yes, we use GitHub. More information: https://commonplace.atlassian.net/l/cp/JdezF0MC |
Expand | |||||
---|---|---|---|---|---|
| Yes, in summary the stages are: Planning -> Defining -> Designing -> Building -> Testing -> Deployment. Security input exists at all stages, starting with a risk assessment at planning stage. |||||
More information: https://commonplace.atlassian.net/l/cp/BdsyNwhE |
Expand | ||
---|---|---|
| ||
Does your organisation develop applications and systems using security best practice (for example, by following the OWASP secure coding practices)? There are a number of strands to the Secure Development Methodology within Commonplace: Secure Development Policy: This sets out the areas of consideration to ensure development is in line with security requirements. This Includes: Risk assessments for development process, controls for outsourced development, security relating to public networks, testing of security requirements, source code repository controls, change control, required security training. Secure Development Principles: We operate in accordance with a base set of principles to ensure good practice. These are broken into 2 areas. General approach: This includes matters such as code peer reviews, shared responsibility for security, keeping up to date with latest practices, trends and technologies, close collaboration (daily standups, etc). Technical principles: This includes standardised handling of security features, use of automated testing for consistency, addressing security issues at the root level, continual investigation of tools to support vulnerability detection, architecture reviewed by senior engineers. |
Expand | |||
---|---|---|---|
| |||
Yes, in majority of cases. We have some free text inputs which do not require validation. There is a profanity / abuse / personal information checker on free text inputs but this does not use form validation. More information: https://commonplace.atlassian.net/l/cp/P1EHRM0T |
Expand | ||
---|---|---|
| ||
Does your organisation conduct threat modelling during the design phase of an application or system build? We maintain a security risk level indicator in all Jira tickets around data protection and info security from the point the Jira ticket is created. More information: https://commonplace.atlassian.net/l/cp/2CFm1bLS |
Expand |
---|
Snyk for identifying and fixing vulnerabilities in the code, open source libraries, and infrastructure as code |
Expand | ||||
---|---|---|---|---|
| ||||
More information: https://commonplace.atlassian.net/l/cp/HXTcKPXW |
Expand | |||
---|---|---|---|
| |||
Dummy data is used in develop and staging. Redacted data is used in pre-production. More information: https://commonplace.atlassian.net/l/cp/Rker5mYf |
Expand | ||
---|---|---|
| ||
Does your organisation ensure that all applications that it builds or procures are maintained with regular security patches? Yes, this is automated, wherever possible. More information: https://commonplace.atlassian.net/l/cp/oJoYSEM3 |
Expand | |||
---|---|---|---|
| |||
Annual penetration testing is completed via a third party provider. Any identified issues are assessed to understand severity within the context of the Commonplace platform and then fixes incorporated into our development lifecycle as required. More information: https://commonplace.atlassian.net/l/cp/uzLVKLeA |
Expand | ||
---|---|---|
| ||
Does your organisation ensure that appropriate logging and monitoring is in place for all applications or systems it develops? Yes, logging, monitoring and alerting is in place across the database, application and infrastructure. More information: https://commonplace.atlassian.net/l/cp/NzQYKSo3 |