Last Updated: 6.30.2022
All code is stored securely on GitLab.
All inputs are validated before they are accepted, to maintain data integrity.
User input is HTML-encoded when it is rendered, to prevent XSS attacks (using the encoding facilities of the underlying web framework).
The code builds with zero compiler warnings.
Configuration, secrets and passwords are segregated per environment.
Secrets are stored in Azure Key Vault with restricted access.
Secrets are accessed only through Managed Identities (a passwordless way to reach Key Vault).
No secrets are cached in plaintext in the application. Secrets are encrypted and decrypted with the data protection mechanism only when they are needed; the data protection keys are protected with a 2048-bit RSA key.
Authorization access policies restrict or allow access to application resources.
Access to Azure resources is restricted with Role-Based Access Control (RBAC).
All new code is merged via pull request.
At least one other developer must review and approve the code before it is merged.
Only a limited subset of employees have administrator rights.
Sandbox environment: an isolated testing environment that closely mimics production, with redacted values, is used for testing.
Staging slots are used during deployment to reduce downtime.
Approval is required to deploy to higher environments.
The Azure deployment pipeline is used for code deployments, and only a restricted number of users have access to it.
Secret and password management is automated wherever required.
PaaS services are used to reduce the risk of emergency patches not being applied on time (patching is handled by Azure).
All external packages are thoroughly verified before use.
We plan to use static analysis tools such as CodeSonar to check the code and external packages for known risks.
User data is partitioned by Tenant ID, and our custom data-access framework adds the Tenant ID to every query by default, so the filter does not depend on an individual developer remembering to include it.
Survey videos are stored in a separate storage container for each tenant.
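The input-validation and HTML-encoding items above are two separate defences: validation rejects values that do not match the allowlist for a structured field, while free text that legitimately contains quotes or angle brackets must instead be encoded at the point where it is rendered into HTML. The following Python example is added here to illustrate that split; it is not Callpilot's code, and the field names, patterns and the comment markup are assumptions made for the example.

```python
import html
import re

# Allowlist rules for structured fields (constructed for this example).
# Anything that does not match is rejected outright; no attempt is made
# to "clean" a bad value, because a cleaned value is a guess.
FIELD_RULES = {
    "tenant_id": re.compile(r"[a-z0-9-]{3,32}"),
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),
}


def validate(field: str, value: object) -> str:
    """Return value unchanged if it matches the field's allowlist, else raise."""
    rule = FIELD_RULES.get(field)
    if rule is None:
        raise KeyError(f"no validation rule for field {field!r}")
    if not isinstance(value, str) or rule.fullmatch(value) is None:
        raise ValueError(f"invalid value for {field}")
    return value


def render_comment(author: str, text: str) -> str:
    """Build the HTML fragment for a free-text comment.

    Free text cannot be validated against an allowlist (a survey answer may
    legitimately contain '<' or quotes), so the XSS defence is output
    encoding. The author goes into an attribute, so it is encoded with
    quote=True; the text goes into element content.
    """
    safe_author = html.escape(author, quote=True)
    safe_text = html.escape(text)
    return f'<div class="comment" data-author="{safe_author}">{safe_text}</div>'


def is_valid(field: str, value: object) -> bool:
    """Boolean wrapper around validate() for callers that only need yes/no."""
    try:
        validate(field, value)
        return True
    except (KeyError, ValueError):
        return False
```

Note that `render_comment` does not attempt to strip `<script>` tags: it encodes every character that has meaning in HTML, so a payload in either the attribute or the body is displayed as literal text rather than executed.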
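The tenant-isolation items above describe a data-access layer that injects the Tenant ID into every query itself and keeps each tenant's videos in its own container. The Python example below is added here to show that pattern in working code; it is not Callpilot's custom framework. It uses an in-memory SQLite database with a constructed `surveys` table, and the table allowlist, the `videos-<tenant>` container naming scheme and the sample tenant ids are all assumptions made for the example.

```python
import re
import sqlite3

# Tables that hold tenant-owned rows. Table names cannot be bound as SQL
# parameters, so they are allowlisted instead of interpolated from input.
TENANT_TABLES = frozenset({"surveys", "survey_videos"})
COLUMN_RE = re.compile(r"[a-z_][a-z0-9_]*")

# Azure Blob container names: 3-63 chars, lowercase letters, digits and
# single hyphens. The "videos-<tenant>" scheme is assumed for this example.
CONTAINER_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


def video_container_for(tenant_id: str) -> str:
    """Name of the per-tenant blob container holding survey videos."""
    name = f"videos-{tenant_id.lower()}"
    if not 3 <= len(name) <= 63 or CONTAINER_RE.fullmatch(name) is None:
        raise ValueError(f"tenant id {tenant_id!r} does not give a valid container name")
    return name


class TenantScopedRepository:
    """Every statement issued through this object is stamped with the tenant.

    The tenant id is fixed when the repository is created (from the
    authenticated request context), never taken from select()/insert()
    arguments, so a developer cannot forget the filter or supply another
    tenant's id.
    """

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        if not tenant_id:
            raise ValueError("tenant id is required")
        self._conn = conn
        self._tenant_id = tenant_id

    @staticmethod
    def _check_table(table: str) -> None:
        if table not in TENANT_TABLES:
            raise ValueError(f"not a tenant-scoped table: {table!r}")

    def select(self, table: str, where: str = "", params: tuple = ()) -> list[dict]:
        """Run a SELECT. `where` is developer-written SQL; user values go in `params`."""
        self._check_table(table)
        sql = f"SELECT * FROM {table} WHERE tenant_id = ?"
        if where:
            # Parenthesised and ANDed, so the caller's predicate can narrow
            # the result set but never widen it past the tenant filter.
            sql += f" AND ({where})"
        cur = self._conn.execute(sql, (self._tenant_id, *params))
        return [dict(row) for row in cur.fetchall()]

    def insert(self, table: str, row: dict) -> int:
        """Insert a row; any caller-supplied tenant_id is discarded and overwritten."""
        self._check_table(table)
        row = {k: v for k, v in row.items() if k != "tenant_id"}
        row["tenant_id"] = self._tenant_id
        if any(COLUMN_RE.fullmatch(k) is None for k in row):
            raise ValueError("invalid column name")
        cols = ", ".join(row)
        marks = ", ".join("?" for _ in row)
        cur = self._conn.execute(
            f"INSERT INTO {table} ({cols}) VALUES ({marks})", tuple(row.values())
        )
        return cur.lastrowid


def demo() -> dict:
    """Two tenants share one table; neither can read or write the other's rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE surveys (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    acme = TenantScopedRepository(conn, "acme")
    globex = TenantScopedRepository(conn, "globex")
    acme.insert("surveys", {"title": "Q3 onboarding"})
    # A buggy or hostile caller tries to file a row under another tenant.
    globex_id = globex.insert("surveys", {"title": "Exit interview", "tenant_id": "acme"})
    try:
        acme.select("users")  # not in the allowlist
        unscoped_rejected = False
    except ValueError:
        unscoped_rejected = True
    return {
        "acme_sees": [r["title"] for r in acme.select("surveys")],
        "globex_sees": [r["title"] for r in globex.select("surveys")],
        # Looking up another tenant's primary key directly returns nothing.
        "acme_reads_globex_row": acme.select("surveys", "id = ?", (globex_id,)),
        "unscoped_table_rejected": unscoped_rejected,
        "globex_container": video_container_for("globex"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the only way to touch a tenant-scoped table is through a repository that already knows its tenant; a review of the query text is no longer the control that keeps tenants apart.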
© Copyright 2023 Callpilot