Secure Software Development Lifecycle
This policy establishes secure development requirements for software and infrastructure changes deployed by Ouva.
Core Principles
Section titled “Core Principles”- Security and privacy requirements are considered during planning and design.
- Development, testing, and production environments remain logically separated.
- Changes are traceable from requirement through deployment.
Design and Implementation
Section titled “Design and Implementation”- New features and architectural changes receive technical and security review as part of the development process.
- Secure coding practices are followed for authentication, authorization, data handling, and error management.
- Secrets and credentials are managed through approved secret-management workflows and are never embedded in source code.
Code Review and Source Control
Section titled “Code Review and Source Control”- Production-bound changes are reviewed before release using peer review when available and CI-enforced checks.
- GitHub Advanced Security is enabled on production repositories, providing CodeQL code scanning for automated vulnerability detection, CodeQL code quality analysis, and enhanced secret scanning with AI-based detection, non-provider pattern matching, push protection, and validity checks.
- Repository permissions, deploy gates, and branch protection or equivalent controls are applied based on team structure and release workflow.
- Commit and change history is retained for auditability.
Testing and Verification
Section titled “Testing and Verification”- Automated checks run in CI for build integrity and quality gates.
- Security checks include dependency vulnerability scanning, CodeQL semantic code analysis, CodeQL code quality analysis, and Semgrep static application security testing.
- Secret scanning with AI detection and validity checks runs continuously to identify and verify exposed credentials before they reach production.
- High-risk changes receive targeted manual testing before release.
Release and Deployment
Section titled “Release and Deployment”- Deployments use controlled pipelines with scoped access.
- Production releases follow change management approvals and rollback readiness.
- Post-release monitoring verifies service health and security posture.
Vulnerability Management
Section titled “Vulnerability Management”- Vulnerability detection, triage, remediation timelines, and validation requirements are defined in the Vulnerability Management Policy.
- Security findings are prioritized based on severity, exploitability, and business impact.
- Significant findings and recurring issues feed back into design, coding, testing, and release controls.
Exceptions
Section titled “Exceptions”Exceptions to this policy require documented approval from a system owner and must include compensating controls and an expiration date.
For platform security controls and encryption, see Security & Privacy Controls. For detailed detection, remediation, and testing requirements, see Vulnerability Management Policy. For third-party provider security posture, see Third-party Services.