| Expand | ||
|---|---|---|
| ||
Does your organisation control access to program source code in a secure manner? Yes, we use GitHub. More information: https://commonplace.atlassian.net/l/cp/JdezF0MC |
| Expand | ||
|---|---|---|
| ||
Does your organisation have a documented and approved software development life-cycle (SDLC) process that includes security input? Yes, in summary the stages are: Planning -> Defining -> Designing -> Building -> Testing -> Deployment. Security input exists at all stages, starting with a risk assessment at planning stage. More information: https://commonplace.atlassian.net/l/cp/BdsyNwhE |
| Expand | ||
|---|---|---|
| ||
Does your organisation develop applications and systems using security best practice (for example, by following the OWASP secure coding practices)? There are a number of strands to the Secure Development Methodology within Commonplace: Secure Development Policy: This sets out the areas of consideration to ensure development is in line with security requirements. This Includes: Risk assessments for development process, controls for outsourced development, security relating to public networks, testing of security requirements, source code repository controls, change control, required security training. Secure Development Principles: We operate in accordance with a base set of principles to ensure good practice. These are broken into 2 areas. General approach: This includes matters such as code peer reviews, shared responsibility for security, keeping up to date with latest practices, trends and technologies, close collaboration (daily standups, etc). Technical principles: This includes standardised handling of security features, use of automated testing for consistency, addressing security issues at the root level, continual investigation of tools to support vulnerability detection, architecture reviewed by senior engineers. |
| Expand | ||||
|---|---|---|---|---|
| ||||
More information: https://commonplace.atlassian.net/l/cp/P1EHRM0T |
| Expand | ||||
|---|---|---|---|---|
| ||||
More information: https://commonplace.atlassian.net/l/cp/2CFm1bLS |
| Expand |
|---|
We use a range of monitoring tools to ensure that the Commonplace platform remains secure during the development lifecycle. These include: AWS CloudWatch for detecting suspicious activity within the Commonplace platform |
| Expand | |||
|---|---|---|---|
| |||
Yes, we operate separate environments for development, staging, pre-production and production. Engineers are only granted access as required to perform their duties. More information: https://commonplace.atlassian.net/l/cp/HXTcKPXW |
| Expand | ||
|---|---|---|
| ||
Does your organisation use dummy test data when undergoing testing of systems (and not live production data)? Dummy data is used in develop and staging. Redacted data is used in pre-production. More information: https://commonplace.atlassian.net/l/cp/Rker5mYf |
| Expand | ||
|---|---|---|
| ||
Does your organisation ensure that all applications that it builds or procures are maintained with regular security patches? Yes, this is automated, wherever possible. https://commonplace.atlassian.net/l/cp/oJoYSEM3 |
| Expand | ||
|---|---|---|
| ||
Does your organisation conduct regular penetration tests of any applications or systems that it develops? Annual penetration testing is completed via a third party provider. Any identified issues are assessed to understand severity within the context of the Commonplace platform and then fixes incorporated into our development lifecycle as required.https://commonplace.atlassian.net/l/cp/uzLVKLeA |
| Expand | ||
|---|---|---|
| ||
Does your organisation ensure that appropriate logging and monitoring is in place for all applications or systems it develops? Yes, logging, monitoring and alerting is in place across the database, application and infrastructure.https://commonplace.atlassian.net/l/cp/NzQYKSo3 |