Secure Development Lifecycle
By following SDL best practices, we ensure that security is embedded into every stage of the software development lifecycle. This allows us to minimize vulnerabilities and boost our overall security posture.
Our secure coding practices and guidelines are based on OWASP standards and include various measures such as: strong authentication and password management using MFA or biometric authentication, proper access controls for different users and roles, end-to-end data encryption to protect sensitive information. Our other strong security coding practices comprise secure communication protocols to prevent unauthorized access or interception, input validation and sanitization to avoid injection attacks or malicious code, error handling and logging to monitor and troubleshoot issues, and third-party dependencies tracking to ensure up-to-date and secure software components.
For code review, we use a mix of OWASP-recommended SATS tools and human verification of the results to ensure code quality and security. Some of the tools we use are: OWASP SonarQube Project, OWASP Orizon Project, OWASP LAPSE Project, OWASP O2 Platform and OWASP WAP.
Security testing is an integral part of the global Quality Management Program. This way, all the deliverables are tested for security issues such as vulnerabilities, penetration and other risks. Our testing team uses comprehensive checklists that test various aspects such as configuration and deployment management, identity management, authentication, session management, input validation, weak cryptography and business logic.
DevSecOps
We follow carefully elaborated DevSecOps practices that ensure our teams operate safely in the client’s virtual environment.
We use remote desktops (VPN access only) for different roles and purposes, such as Microsoft Remote Desktop for BAs, PMs and DMs, and KVDI for developers, QA and DevOps. We store our code in GIT repository in Azure DevOps (access via dedicated corporate account with MFA), apply additional access policies for the client repositories and branches in the Azure cloud and establish separate working environments with different access levels for each talent. Jira Atlassian or Azure DevOps are our choices for issue tracking (access is managed by the client or Symfa) and Confluence Atlassian is our knowledge base storage (access is managed by Symfa).
Disaster Recovery Plan
A formal Disaster Recovery Plan at Symfa is aimed to restore quickly the network file servers and infrastructure in the event of a disaster, so that the digital assets of our clients remain intact. We do BCP/DR backup rotation with annual DR tests completed. To prevent loss of systems, backups and systems checks are done on a monthly basis. Checking all the facilities regularly and having backup hardware available is a vital routine practice at Symfa. To address talent shortages in case we need more employees to support our systems, we’ve created a pool of pre-qualified candidates and emergency subcontractors.
Coming Soon: Symfa's Software Security Guide
Wait for our comprehensive Symfa Software Security Guide, where, besides a more detailed coverage of the above aspects, we’ll talk about Network/Infrastructure security, Data security, and Regulatory compliance principles that Symfa's teams adhere to. We’ll also shed some light on how we follow security protocols for our major clients working in a strictly regulated environment.
Stay with Symfa for regular updates on the best software development practices and topical industry insights.