Software security
Preventing security incidents and mitigating the risk of security breaches is a foremost priority in Diri AS. We are continuously working to improve our software security.
Secure coding practices
Developers follow secure coding practices such as avoiding input validation issues, preventing injection attacks, and properly handling errors and exceptions.
Regular vulnerability testing
We regularly test software applications for vulnerabilities, such as those identified by the Open Web Application Security Project (OWASP). Application security is additionally enforced with a web application firewall that applies the OWASP best practice rule set.
Code reviews
Diri AS conducts regular code reviews to identify potential security issues and provide feedback to developers.
Secure configuration and attack surface management
Diri AS ensures that all software components, including web servers and databases, are securely configured to minimize the risk of exploitation. Our SaaS-infrastructure is continuously monitored using vulnerability scanning.
Secure deployment, updates, and patching
Diri AS follows secure deployment practices, such as implementing secure communication protocols, limiting access to deployment infrastructure, and properly securing secrets.
Regular updates and patching
Diri AS regularly updates software and applies security patches to ensure that vulnerabilities are addressed in a timely manner. Patch notifications are sent to active users no later than one week before major changes. Minor updates and bugfixes are deployed continuously, with patch notes published in our community portal.
Pre-deployment checks
Before deploying a new version of the application, Diri AS ensures that all pre-deployment checks have been completed, such as rigorous code testing, verifying that the environment is correctly configured and that all necessary dependencies are installed. Diri AS has processes and tooling for both automated and manual software testing.
The test environment is primarily in use by the developers. The staging environment is used for further testing and verification that the application is functioning correctly and that there are no issues with the deployment. Once the application has been verified in the staging environment, we conduct user acceptance testing to ensure that it meets the needs of users.
Post-deployment checks
After deployment, it's important to conduct functionality testing to ensure that the application is working as expected. This may include verifying that all features are functioning correctly and that users are able to access the application and its various functions.
Security testing: Diri AS conducts security testing and monitoring to ensure that the application is secure and that there are no vulnerabilities that could be exploited by attackers.
Performance testing: Diri AS monitors and conducts performance testing to ensure that the application is able to handle the expected load and that it is running efficiently. This includes load testing, stress testing, and other performance assessments. The Diri application runs on a scalable infrastructure, and more resources can be added as needed.
Logging and monitoring
Diri AS logs and monitors the application to detect and respond to security incidents in a timely manner.
Incident management
Diri AS is a small company with a dedicated software development team. In the event of an incident, this team functions as an incident response team led by the CTO or the CEO to ensure that any security incidents or other issues with the SaaS application are identified and resolved as quickly and effectively as possible. The policy includes procedures for detecting and reporting incidents, as well as for responding to and resolving them. In the event of an incident, Diri AS's incident management team will work to contain the issue, investigate the root cause, and take steps to prevent similar incidents from occurring in the future. The policy also includes provisions for communication with stakeholders, including customers and regulatory authorities, in the event of a significant incident. By following this policy, Diri AS can minimize the impact of incidents on its SaaS application and maintain the trust of its customers.