Security of our software development process

Access control

We use an identity provider, which enforces minimum password requirements and multi-factor authentication.

We require our vendor applications to have two-factor authentication or use SSO with our identity provider.

Our internal applications are part of a zero-trust setup via OAuth and OIDC.

We gate access to our codebase using Github.

Developer credentials are rotated based on a set schedule in an automated fashion.

Change management

We follow industry standard best practices when it comes to updating and deploying our code.

We leverage automated tools to scan our code for a variety of issues, including syntax errors, code style, code quality, CVEs in our container builds, outdated dependencies and more.

Before code is merged to our master branch, we run automated tests against the build for this code change.

All code merged to our master branch must also be reviewed by a human being as well through a pull request.

We have an automated process for deploying our code changes to production.

We leverage Terraform, an infrastructure as code tool, to track changes to our infrastructure.

Device management

We require developer machines to have full hard disk encryption.

Developers are required to use Chrome as their browser.

Miscellaneous

All vendor products we use go through a security review and are tracked internally with documentation.

We have internal security policies that employees are trained to follow. These include: remote access, information logging, acceptable encryption, acceptable use, and web application security policies.