Skip to content

Secure Software Development Lifecycle

This policy establishes secure development requirements for software and infrastructure changes deployed by Ouva.

  • Security and privacy requirements are considered during planning and design.
  • Development, testing, and production environments remain logically separated.
  • Changes are traceable from requirement through deployment.
  • New features and architectural changes receive technical and security review as part of the development process.
  • Secure coding practices are followed for authentication, authorization, data handling, and error management.
  • Secrets and credentials are managed through approved secret-management workflows and are never embedded in source code.
  • Production-bound changes are reviewed before release using peer review when available and CI-enforced checks.
  • GitHub Advanced Security is enabled on production repositories, providing CodeQL code scanning for automated vulnerability detection, CodeQL code quality analysis, and enhanced secret scanning with AI-based detection, non-provider pattern matching, push protection, and validity checks.
  • Repository permissions, deploy gates, and branch protection or equivalent controls are applied based on team structure and release workflow.
  • Commit and change history is retained for auditability.
  • Automated checks run in CI for build integrity and quality gates.
  • Security checks include dependency vulnerability scanning, CodeQL semantic code analysis, CodeQL code quality analysis, and Semgrep static application security testing.
  • Secret scanning with AI detection and validity checks runs continuously to identify and verify exposed credentials before they reach production.
  • High-risk changes receive targeted manual testing before release.
  • Deployments use controlled pipelines with scoped access.
  • Production releases follow change management approvals and rollback readiness.
  • Post-release monitoring verifies service health and security posture.
  • Vulnerability detection, triage, remediation timelines, and validation requirements are defined in the Vulnerability Management Policy.
  • Security findings are prioritized based on severity, exploitability, and business impact.
  • Significant findings and recurring issues feed back into design, coding, testing, and release controls.

Exceptions to this policy require documented approval from a system owner and must include compensating controls and an expiration date.

For platform security controls and encryption, see Security & Privacy Controls. For detailed detection, remediation, and testing requirements, see Vulnerability Management Policy. For third-party provider security posture, see Third-party Services.