SECURITY WHITEPAPER
SECURITY WHITEPAPER
Security Requirements and Security Architecture
Secure Architecture Design looks at the selection and composition of components that form the foundation of your solution , focusing on its security properties .
Implementation |
Secure Build |
Giflow is an alternative Git branching model that involves the use of feature branches and multiple primary branches . Under this model , developers create a feature branch and delay merging it to the main trunk branch until the feature is complete . |
Mandatory cross team peer review and tooling such as SonarQube and OWASP scans are performed upon every pull request as part of automated build pipelines .
All builds are processed by centralized tooling without access of individual developers .
Secure Deployment
Our deployment process focuses on removing manual error by automating the deployment as much as possible and making its success contingent upon the outcomes of integrated security verification checks . It also fosters Separation of Duties by making adequately trained , non-developers responsible for deployment .
Deployment process is staged , providing at least 4 independent checkpoints between build , development environment deployment , staging , quality control environment , pre-production , external QA and production .
Security Testing
STRIDE analyses are reviewed at the end of every development sprint and feed back to the development .
RELEASE MANAGEMENT
One of Y Soft ’ s greatest advantages is a rapidly advancing feature set , and we constantly optimize our products through a modern continuous delivery approach to software development .
New code is proposed , approved , and merged thousands of times daily . Code reviews , testing ( where applicable ), and merge approval is performed before deployment . Approval is controlled by designated repository owners . Once approved , code is automatically submitted to Y Soft ’ s continuous integration environment where compilation , packaging and unit testing occur .
All code deployments create archives of existing production-grade code in case failures are detected by post-deploy hooks . The deploying team manages notifications regarding the health of their applications . If a failure occurs , rollback is immediately engaged .
YSoft SAFEQ Cloud - 19 - YSOFT . COM