...

This policy applies in addition to the Privacy policy. Until the end of 2021 we will implement https://owaspsamm.org/model/verification/security-testing/ maturity level 1 and the Service level agreement.

Protection of our own infrastructure (PCs, laptops etc.)

...

All our apps will undergo a static code analysis with a focus on security. For our open source apps we will use Coverity. Static code analysis is applicable for all new releases starting 2020-08-18.

Dependency checks

The source code of all apps is hosted in Bitbucket. There we use the Snyk plugin to scan dependencies for known vulnerabilities. Vulnerabilities in dependencies will be fixed as soon as an update of the dependency is available (under the condition that the new dependency version is still compatible with our app).

Penetration tests

We currently do not perform penetration tests. The main reason is that the attack vectors are well known and are now sufficiently controlled by the design guidelines.

...

The timelines for fixing security-related issues are outlined in the Service level agreement. Our target is to fix found issues as quickly and efficiently as possible.

...