Secure software development

Introduction

We integrate information security and privacy within our project management and software development processes (from feature request to release). We do this through fixed project procedures, risk assessment within projects, and secure development practices (security by design and by default), supplemented with privacy by design principles where relevant. These practices are applied within the defined development and project procedures.

Detailed explanation

Project management

Security and privacy aspects are part of our standard project workflow. Relevant requirements and controls are recorded and monitored using tools (such as requirements, issue tracking, release management, and project documentation). This ensures that security aspects are embedded in the development and project process.

Risk assessment within projects

Within projects, we assess whether there are increased security or privacy risks, for example in the case of changes in authentication/authorization, data processing, data modifications, integrations, or dependencies with other services. Items with increased risk are treated as security-relevant and, where applicable, explicitly classified in our tooling (e.g., via security or privacy fields). Based on this, appropriate mitigation actions are planned and implemented.

Secure software development

We work according to “security by design” and “security by default” and apply secure engineering principles. This includes the following practices:

• use of proven technologies and frameworks

• (peer) code reviews, with additional requirements for high-risk changes

• attention to common vulnerabilities (such as OWASP-related risks)

• automated and manual testing

• automated code analysis and dependency vulnerability checks

• internal tooling and checks to identify security issues

For releases, manual checks for outstanding security issues are performed before software is rolled out to acceptance or production.

These practices are embedded in our development processes and supported by internal guidelines, tooling, and standard project procedures.

Privacy by design

Where relevant, we apply privacy by design principles, including data minimization, data separation, abstraction, and shielding. This supports the principle that personal data should only be processed when necessary and that processing should be limited and protected as much as possible.

Responsibilities

Responsibilities for security and privacy within projects are defined and supported by internal guidelines and procedures.