Product Security Policies at Digizuite

Owned by Per Bendsen
Last updated: Nov 18, 2022
2 min read

The following outlines the processes at Digizuite addressing security but details are by design omitted and it is not the full exhausted list of initiatives.

a.     Before all releases – major and minor – a penetration test is performed by a 3rd party under the supervision of Digizuite’s security officer.  Releases do not pass if there are critical, high, or medium issues identified which are not assessed and handled.  Issues tagged as “low” (or similar) are assessed and a) added to the development backlog or b) addressed immediately.

b.     Before all releases a static code analysis is performed using a 3rd party tool with focus on:

  • Listing known vulnerabilities in all 3rd party components.  If there are components with vulnerabilities these are updated before the software is released.

  • Listing licenses type of all 3rd party components.  Copyleft (e.g. GNU, GPL) licenses are strictly never allowed. Permissive (e.g. MIT) licenses, specific purchased licenses, or other approved by the security officer are allowed.

c.     Before all releases the software is tested by the QA team inside R&D and a Factory Acceptance Test (FAT) is performed by the consultants in Digizuite’s service organisation.

d.     Before all releases a performance and load test is performed internally by R&D to ensure that the latest solution performs desirable under heavy load and does not break nor leak information due to stress.

e.     During development all code is reviewed by a peer at check-in and all code changes are linked to a) a task or b) a fix of a software defect.  All check-ins are captured together with reviewer and developer identifications.

f.      Customers – or a partner – may in coordination with Digizuite perform penetration testing or other vulnerability assessment tests.  Depending on contractual agreements Digizuite will give identified vulnerabilities classified as critical and high – if such are identified – immediate attention. Issues classified as low or medium will be evaluated before the planning of the following major or minor release.  It is a concern that changes made to handle low severity findings may introduces other risks.