Secure Development Policy
Recognizing that dbFront will be installed all over the globe and with direct access to important client data, we understand the need to ensure that our development environment, tools and processes result in secure, quality software.
Attitude
Secure development starts with a security-first mindset that goes much deeper than the feature list. Security is baked deeply into dbFront and shows up in the Layered Security model.
We also expect code, processes and people to fail, so dbFront includes robust Logging and Audit functionality so you can reasonably track down what happened.
Tools
Our toolset starts with Visual Studio and C#. Not only is C# a robust and safe programming language, but the extensive ability to reliably refactor code in Visual Studio ensures that we can incorporate new functionality or rework existing code while maintaining the stability of the application.
Our workstations and servers are required to have: encrypted drives with current patches, backups, and antivirus.
Change Management
To ensure that we can easily track changes and service previous versions of dbFront, we employ version control that spans back to 2012.
Version control also facilitates code reviews and helps ensure that only intended changes are released and shipped.
Release Validation
In order to ensure a quality product, we have the following release steps:
- Use a build server so we can provide consistent builds,
- Validate each release using a series of automated scripts to ensure there are no regressions,
- Test on our Demo/Test server that automatically resets to a fresh state every hour.
- Test all release components against VirusTotal to ensure that each release is safe,
- Run 3rd party penetration tests against dbFront to hunt for weaknesses. For details see: Penetration Testing
Notifications
To ensure that all clients are aware, dbFront checks daily for updated versions of itself and will initiate an internal administrative alert (screen, email, or Syslog) if a security issue has been fixed.
We deliver dbFront releases in such a way that existing users will only be notified about updates that are as or more stable than what they are currently running.
In addition, the dbFront website also allows users to subscribe for notifications via email or twitter.