Controls

Software Development

| Status | Control | Description |
|---|---|---|
| Compliant | Defining application security standards | A set of security standards must be defined for applications prior to development, at a minimum complying with the OWASP Top 10. |
| Compliant | Implementing a bug bounty program | The organization maintains a bug bounty program for its applications and systems. |
| Compliant | Automated vulnerability scanning | Applications must undergo black-box vulnerability scanning before being deployed to production. |
| Compliant | Threat modeling | Threat modeling includes building data flows and risk analysis for new features and products, starting from the design phase of the product. |
| Compliant | Open-source security | Open-source software used in the system must undergo security checks before being implemented. |
| Compliant | Application access control | Users accessing features with critical data are required to authenticate (no anonymous access). |
| Compliant | Continuous system monitoring | Applications and IT systems are continuously and automatically monitored to detect issues in real time. |
| Compliant | Application pentesting | Applications must be pentested by experienced security experts before being deployed to production. |
| Compliant | Source code security testing | Applications must undergo source code review before being deployed to production to ensure that no secret keys are exposed and no simple security vulnerabilities exist. |
| Compliant | Source code management | Source code must be centrally stored in repositories such as GitHub, Bitbucket, or GitLab. |