# Secure Development Policy
Policy owner | Effective date |
---|---|
@knolleary | 2023-05-01 |
# Purpose
To ensure that information security is designed and implemented within the development lifecycle for applications and information systems.
# Scope
All FlowFuse applications and information systems that are business critical and/or process, store, or transmit Confidential data. This policy applies to all internal and external engineers and developers of FlowFuse software and infrastructure.
# Secure Development Policy
FlowFuse policy requires that:
- FlowFuse software engineering and product development is required to follow security best practices. Product should be "Secure by Design" and "Secure by Default".
- Quality assurance activities must be performed as part of the routine development process. This includes, but is not limited to:
  - suitable unit testing included with any change request,
  - peer code reviews prior to merging changes,
  - continual automated testing,
  - manual product testing and verification prior to release to production

  Code reviews should also cover documentation and tests to ensure our definition of done is achieved.
- Risk assessment activities (i.e. threat modeling) must be performed for a new product or major changes to an existing product.
- Security requirements must be defined, tracked, and implemented.
- Security analysis must be performed for any open source software and/or third-party components and dependencies included in FlowFuse software products.
- Static application security testing (SAST) must be performed throughout development and prior to each release.
- Dynamic application security testing (DAST) must be performed prior to each release.
- All critical or high severity security findings must be remediated prior to each release.
- All critical or high severity vulnerabilities discovered post release must be remediated in the next release or within the defined, predetermined timeframe.
- Any exception to the remediation of a finding must be documented and approved by the CTO.
# Secure Development Environment
FlowFuse uses separate Staging and Production systems. These are logically segregated environments in different AWS accounts.
The Production environment is classified Critical with suitable controls in place to limit access to the infrastructure.
Policy derived from JupiterOne/security-policy-templates (CC BY-SA 4 license) and Vanta