TRUST > PRODUCT SECURITY
Secure By Design
Encompasses Security imperatives that also drive Privacy principles in support of meeting Customer requirements.
We understand that our products are used by Customers who rely on Snapdocs for critical business processes. From processing a loan document to facilitating electronic signatures, Customers rely on our products and services to facilitate mortgage closings. It is, therefore, imperative for us to ensure we are addressing Security, Compliance and Privacy throughout our product development lifecycle. At the same time, we are making sure that once the product is made available, it is sufficiently resilient to unforeseen disruptions, whether operational in nature or due to a Security incident.
Secure Software Development Lifecycle (S-SDLC)
Snapdocs has adopted an S-SDLC framework that supports agile methodologies without adding significant friction in product development. The S-SDLC establishes a framework and sets guidelines for product and non-product Engineering teams within Snapdocs. As a cloud provider, delivering product releases in a timely fashion is critical to the success of our business. However, given the societal impact of how our Customers utilize our products, we must balance speed with Security, and more importantly, Safety. From an organizational perspective, the S-SDLC establishes direction for product safety, quality and reliability, with the goal of reducing security risk exposure for Snapdocs and its customers.
With decades of experience in application security, Snapdocs does not believe in complexity and adding significant friction to existing development practices and build pipelines. We are leveraging industry accepted secure development practices and have built an S-SDLC framework that is easy to follow and which Developers and Engineers in the cloud industry are familiar with.
Although these phases are not meant to act as a gating mechanism, since we do not believe in such an approach, they are rather logical segmentation of critical aspects of what composes the S-SDLC. The following are just some of the more critical aspects or functions of the S-SDLC supported by one or more of the phases above.
Developer Security Training
Ongoing courses provided to developers in order to improve their understanding of techniques for identifying and mitigating security vulnerabilities. Training will focus on topics including threat modeling, DAST testing, and coding techniques to prevent common defects such as SQL injection.
A collaborative effort between the Development/Engineering teams and Cyber Security to assess and develop application or service design patterns that mitigate risk to the platform and associated applications and services. Both Security and Privacy factors into the overall design of our products.
A structured approach for analyzing the security of an application, with special consideration for boundaries between logical system components, which often communicate across one or more networks.
Security User Stories / Security Requirements
A description of functional and non-functional attributes of a software product and its environment which must be in place to prevent security vulnerabilities and mitigate against factors that threaten Privacy. Security user stories are written in the style of a functional user story, as it would be entered into an Agile-oriented tool like Jira.
Automated Dynamic Application Security Testing (DAST)
A process of testing an application or software product in an operating state, implemented by a web application security scanner.
Automated Static Application Security Testing (SAST)
A process of testing an application or software product in a non-operating state, analyzing the source code for common security vulnerabilities.
Open Source Software Security Testing (OSS)
A process of testing an application or software product for opensource security vulnerabilities as well as license compliance.
Infrastructure as Code Testing (IaC)
A process of assessing and testing cloud infrastructure deployment scripts to identify risks before deployment.
Hands-on security testing of a runtime system. This sort of testing uncovers more complex security flaws that may not be caught by DAST or SAST tools.
Continuous Risk Assessment
means to identify and manage risk during the system build or product development lifecycle.