System Acquisition, Development, and Maintenance

Q: Does your organization perform Application Programming Interface (API) security reviews?

A: Yes, our reviews are conducted during API development and after testing and debugging, before deployment.

Q: Does your organization perform secure source code reviews with automated tools on a regular basis? Provide some evidence.

A: No, this is currently done manually, but we are planning to automate this process with tools in 2025.

Q: Is program source code secured and access restricted to designated personnel?

A: Yes, GitLab is our platform for code management, versioning, and deployment, with access restricted to designated personnel.

Q: Does your organization adhere to segregation of duties between personnel within the dev/test/QA environments and those in the support of the production environment?

A: Yes, we maintain strict segregation of duties. Our development, testing, and QA teams work within their respective environments, while only designated personnel have access to the production environment. This ensures security, minimizes risks, and prevents unauthorized changes from being deployed directly to production.

Q: Does your organization protect the non-production (i.e. development, testing) environments for the products/services?

A: Yes, our development and testing environments are protected with the same security measures as our production environment. This includes Web Application Firewalls (WAF), firewalls, malware scanners, and antivirus protection to ensure the integrity and security of our systems.

Q: Are secure coding practices mandated for all software development projects?

A: Yes, we enforce secure coding practices for all development projects. Our team follows best practices such as input validation, secure authentication mechanisms, and protection against common vulnerabilities (e.g., SQL injection, XSS). Code reviews and security checks are conducted before deployment.

Q: Do you conduct third-party risk assessments for libraries or modules used in your software?

A: No, we do not conduct formal third-party risk assessments. However, we strictly use well-established and widely trusted libraries, primarily those maintained by reputable organizations and widely adopted in the industry. We also monitor for any security advisories related to these libraries.

Q: Do you have a defined escalation process for high-severity incidents?

A: Yes, we have an incident management process that outlines the steps for identifying, classifying, and escalating high-severity incidents.

Q: Is an incident post-mortem conducted for each security breach or incident?

A: Yes, after any security-related incident, we conduct a post-mortem analysis. This includes identifying the root cause, assessing the impact, and implementing corrective measures to prevent recurrence.
