Secure development
Introduction
Secure software development is crucial to safeguard supplier, customer or other information, to prevent unauthorised access and mitigate the risk of threats, ensuring the integrity, confidentiality, and availability of digital systems. Altus Group has adopted the NIST Secure Software Development Framework (SSDF) and its governing principles.
Our guiding principles
A security mindset is established and maintained throughout software architecture, design, and delivery processes.
We have no tolerance for the loss of, or otherwise unauthorized or accidental disclosure of customer or other sensitive information. Producing secure by default and resilient services is a key guiding principle for Altus Group when designing and developing those services.
We develop software securely, not as a separate activity layered on top of or placed after “normal software development,” but rather a fully integrated process that touches all aspects and involves all levels of the software and product development capability.
Software is developed securely and integrated within the established software development and technology delivery processes, engaging all levels of the software and product development capability.
We define and manage a process to document, enumerate, evaluate, and mitigate or risk-accept risks, threats or vulnerabilities, with an audit trail and management signoff.
Skills and training
Altus Group ensures that our people, processes, and technology are prepared to perform secure software development. Employees at Altus Group involved in the software development lifecycle (SDLC) are equipped and prepared to perform their SDLC-related roles and responsibilities throughout the SDLC.
Standards, processes, patterns and guidelines
We require that our people, processes, and technology are prepared to perform secure software development at the organization level. We follow the Altus Group established SDLC standards and processes. New patterns follow our approved processes before they are formally adopted and approved.
Credential and access management
Credentials control access to safeguard supplier, customer or other information. Deploying a sound credential management system, or several credential management systems, is critical to secure all systems and information and avoid unauthorized access.
We store credentials and secrets in Altus Group approved repositories or vaults
Credentials or secrets are not embedded in code
Credentials or secrets are not shared with anyone directly
Access to production environments is restricted to enterprise operations personnel only
Architecture and design
During the architecture and design phases we identify and document security requirements for Altus Group’s software development infrastructures, processes and Altus Group developed software and maintain these requirements over time.
Automation and toolchains
Implementing supporting toolchains helps us use automation to reduce human effort and improve accuracy, reproducibility, usability, and comprehensiveness of security practices through the SDLC.
Established industry security practices are used to deploy, operate, and maintain tools and toolchains.
Software is configured to have hardened security settings by default
Vulnerability management
We identify vulnerabilities, including by use of automated scanning tools, so they can be corrected before software is released to prevent exploitation. Vulnerabilities must be disclosed and remediated following the vulnerability management process.
Risk management and threat modelling
Identifying and evaluating the security requirements for the software determines what security risks the software is likely to face during operation and how the design and architecture will mitigate these risks. Addressing security requirements and risks during software architecture and design is key to improving software security.
Product teams carry out risk or threat modelling for components and capabilities and use the outputs to inform the design and implementation of the software.
We understand threats across data management, business process, systems, and components, and these are recorded and mitigated
Threat modelling is conducted at the design phase during software development using appropriate methodologies and countermeasures are implemented before go-live
Environment and code management
We implement and maintain secure environments to protect source code from unauthorized access and tampering.
We separate and protect each environment involved in software development
We follow requirements for protective controls to protect the intellectual property of the designs or code being developed
We do not publish code developed for Altus Group in public repositories outside of approved Altus Group repositories
We require meaningful code reviews
Access permissions to code and repositories are reviewed on a regular basis
We follow secure coding practices that are appropriate to the development languages and environment to meet Altus Group’s security requirements
Testing
We test executable code to identify vulnerabilities and verify compliance with security requirements.
Our systems have the appropriate level of security testing
Release management / deployment
Release management ensures that release teams efficiently deliver the software applications and upgrades required by the business while maintaining the integrity of the existing production environment
We follow the established product release and change management processes including release of supporting documentation
Software deployments are performed in a fully automated manner
Software updates are implemented as routine activities and maintenance processes are automated