Development security
- Technologies & updates
  - Indicate technologies involved
  - Indicate technical data flows involved (ingress, egress)
  - Are sources available, can we access source code repositories?
  - Describe your software update policy/frequency
  - Do you commit to correct security vulnerabilities detected on your code in less than a week after detection, and at no additional cost?
  - How are code changes reviewed and approved?
  - How are OS, application, and third-party library vulnerabilities monitored and patched?
  - Do you commit to update third party components in less than a week after publication of security updates, and at no additional cost?
- Security in development
  - (If visitors can create their own accounts) Describe how user accounts are managed in your code and the components you use
  - Describe how admin accounts are managed in your code and on components you use
  - How are client accounts created?
  - Does your service allow central authentication? (SSO, SAML, ADFS…)
  - Does your service allow strong, multi-factor authentication?
  - Are there generic admin accounts?
  - Describe web services exposed on the internet
  - Describe web services exposed on your intranet
Indicate technologies involved
LAMP stack: Linux, Apache, MySQL and PHP.
Indicate technical data flows involved (ingress, egress)
HTTPS for all web portal traffic
Are sources available, can we access source code repositories?
No
Describe your software update policy/frequency
As necessary
Do you commit to correct security vulnerabilities detected on your code in less than a week after detection, and at no additional cost?
Yes, always.
How are code changes reviewed and approved?
All code changes go through a standard, secure and structured change management process. Specifically, though not always limited to:
- Version Control – All changes are tracked in Git, ensuring full history and accountability.
- Peer Review – Developers submit changes via pull requests, which are reviewed and approved by senior engineers before merging.
- Automated Testing – Every change passes automated unit and integration tests to ensure functionality and security have not been compromised.
- Staging Environment – Approved changes are deployed to a staging environment for further QA and UAT before production release.
- Release Approval – Only after successful testing and review are changes approved for deployment into production.
How are OS, application, and third-party library vulnerabilities monitored and patched?
We operate a proactive vulnerability management program that covers operating systems, applications, and third-party libraries. Key elements include:
- Dependency Management – Our CI/CD pipeline includes automated dependency scanning (e.g., OWASP, NPM, Composer) so outdated or vulnerable libraries are flagged immediately.
- Patch Management – Updates and patches are applied promptly through a structured patch management process, with testing in staging before production deployment.
- Security Feeds & Alerts – We subscribe to vendor security advisories and industry feeds to ensure zero-day alerts are tracked in real time.
- Automated Monitoring – We use automated tools to continuously scan for known vulnerabilities in our stack, including OS packages and third-party libraries.
Do you commit to update third party components in less than a week after publication of security updates, and at no additional cost?
Yes, always.
(If visitors can create their own accounts) Describe how user accounts are managed in your code and the components you use
Visitors are not able to create their own accounts.
Describe how admin accounts are managed in your code and on components you use
Admin users are given admin permissions. Passwords must be a minimum of 6 characters. There is no account lockout. Admins can use the forgotten-password page, or we can reset their password manually. Accounts can be deactivated or removed as needed.
How are client accounts created?
Through an admin web portal.
Does your service allow central authentication? (SSO, SAML, ADFS…)
Upon request
Does your service allow strong, multi-factor authentication?
We can use:
- Single-factor authentication
- Two-factor authentication (Google Authenticator)
- SSO (Azure and Okta)
Are there generic admin accounts?
No
Describe web services exposed on the internet
Only the main web portal is exposed on the internet. Access is via:
- https://youragencyname.staffed.it (staffwise)
- https://youragencyname.getwise.io (surveywise)
Describe web services exposed on your intranet
Not applicable