
Secure software development

Introduction

We integrate information security and privacy into our project management and software development processes, from feature request to release. This includes structured project procedures, risk assessments within projects, and secure development practices (“security by design” and “by default”), supplemented by privacy by design where relevant.


Detailed explanation


Project management

Security and privacy requirements are embedded in our standard project workflow and are recorded and monitored throughout the process, including via project documentation, issue tracking, and release management. This ensures that security aspects are consistently integrated.


Risk assessment within projects

Within projects, we assess whether changes introduce increased security or privacy risks, for example in authentication, data processing, integrations, or dependencies. Where higher risks are identified, items are explicitly treated as security-relevant and appropriate mitigation measures are defined and implemented.


Secure software development

We apply secure development practices based on “security by design” and “security by default,” supported by internal guidelines, tooling, and standard procedures. This includes:

  • use of proven technologies and frameworks

  • (peer) code reviews, with additional requirements for high-risk changes

  • attention to common vulnerabilities (e.g. OWASP)

  • automated and manual testing

  • automated code analysis and dependency vulnerability checks


Before release, manual checks are performed to ensure no outstanding security issues remain prior to deployment to acceptance or production environments.


Privacy by design

Where relevant, we apply privacy by design principles, including data minimization, data separation, abstraction, and shielding. This supports the principle that personal data should only be processed when necessary and that processing should be limited and protected as much as possible.


Responsibilities

Responsibilities for security and privacy within projects are defined and supported by internal guidelines and procedures.

Updated: 31 March 2026
