- We scan our containers and IaC as defined in the CI/CD Pipeline Vulnerability Scanning section below.
- As part of the release process, we will conduct a full scan of our product using Trivy and Checkov.
- Any high or critical vulnerabilities must be addressed before release.
- The artifacts from the scans are then archived.
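The release gate described above (scan with Trivy and Checkov, block on high or critical findings, archive the scan artifacts) can be expressed as a small script that runs after the scanners. The following is an added example, not code from this page or from the Trivy or Checkov projects; it assumes the reports were produced with `trivy ... --format json` and `checkov ... -o json`, follows the top-level shape of those JSON outputs (`Results[].Vulnerabilities[].Severity` for Trivy, `results.failed_checks[]` for Checkov), and uses constructed sample reports with placeholder identifiers so it runs offline.

```python
"""Release gate: evaluate Trivy and Checkov JSON reports, then archive them.

Added example. It assumes the simplified report shapes shown in the
constructed samples below; field names mirror the real tools' JSON
output, but every value is made up.
"""
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Severities that block a release (mirrors the "high or critical" rule).
BLOCKING_SEVERITIES = {"HIGH", "CRITICAL"}


def trivy_blocking_findings(report: dict) -> list[dict]:
    """Return Trivy findings whose severity is in BLOCKING_SEVERITIES.

    Trivy lists container findings under Results[].Vulnerabilities[] and
    IaC findings under Results[].Misconfigurations[]; both carry Severity.
    """
    findings = []
    for result in report.get("Results", []):
        for key in ("Vulnerabilities", "Misconfigurations"):
            for item in result.get(key) or []:
                severity = str(item.get("Severity", "")).upper()
                if severity in BLOCKING_SEVERITIES:
                    findings.append({
                        "target": result.get("Target"),
                        "id": item.get("VulnerabilityID") or item.get("ID"),
                        "severity": severity,
                    })
    return findings


def checkov_failed_checks(report) -> list[dict]:
    """Return Checkov failed checks.

    Checkov emits one object per framework, or a list of such objects
    when several frameworks (e.g. terraform and dockerfile) were scanned.
    """
    reports = report if isinstance(report, list) else [report]
    failed = []
    for r in reports:
        for check in r.get("results", {}).get("failed_checks", []):
            failed.append({
                "check_id": check.get("check_id"),
                "resource": check.get("resource"),
                "file": check.get("file_path"),
            })
    return failed


def release_allowed(trivy_report, checkov_report) -> tuple[bool, list[str]]:
    """Gate decision: (allowed, human-readable reasons for blocking)."""
    reasons = []
    for f in trivy_blocking_findings(trivy_report):
        reasons.append(f"trivy {f['severity']} {f['id']} in {f['target']}")
    for c in checkov_failed_checks(checkov_report):
        reasons.append(f"checkov {c['check_id']} on {c['resource']} ({c['file']})")
    return (not reasons, reasons)


def archive_reports(archive_dir, **reports) -> Path:
    """Write each report as JSON into a timestamped directory; return its path."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = Path(archive_dir) / stamp
    dest.mkdir(parents=True, exist_ok=True)
    for name, report in reports.items():
        (dest / f"{name}.json").write_text(json.dumps(report, indent=2))
    return dest


# Constructed sample reports (placeholder IDs, not real advisories or checks).
SAMPLE_TRIVY = {
    "Results": [
        {"Target": "app (alpine placeholder)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-PLACEHOLDER-1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-PLACEHOLDER-2", "Severity": "LOW"},
        ]},
        {"Target": "deploy/main.tf", "Misconfigurations": [
            {"ID": "AVD-PLACEHOLDER-1", "Severity": "MEDIUM"},
        ]},
    ]
}
SAMPLE_CHECKOV = {
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {"check_id": "CKV_PLACEHOLDER_1", "resource": "aws_s3_bucket.logs",
             "file_path": "/deploy/main.tf"},
        ],
        "skipped_checks": [],
    },
    "summary": {"passed": 0, "failed": 1, "skipped": 0},
}

if __name__ == "__main__":
    ok, reasons = release_allowed(SAMPLE_TRIVY, SAMPLE_CHECKOV)
    dest = archive_reports(tempfile.mkdtemp(), trivy=SAMPLE_TRIVY, checkov=SAMPLE_CHECKOV)
    print("release allowed" if ok else "release blocked:\n  " + "\n  ".join(reasons))
    print("reports archived to", dest)
```

In a pipeline the archive directory would be the job's artifact path rather than a temp directory, and the gate's exit status would fail the release job. Trivy can also enforce the threshold natively with `--severity HIGH,CRITICAL --exit-code 1`; evaluating the JSON in one place is useful when the same rule has to cover both scanners and the reports must be kept regardless of the outcome.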
We’re always happy for teams to request security code reviews. Besides directly looking at code to improve our security, we also:
- Keep growing our security team to expand, develop and mature the security program
- Embed new security practices to improve our secure SDLC
- Continue improving our internal security training for developers
- Have a security ambassador program in which a security engineer is involved in the early design stages of new features to give input and help identify potential weaknesses in the product
- Have developed a new vulnerability management process that limits the number of open vulnerabilities through much closer follow-up under a new SLA