Secure Development Process

Storyblok is following the OWASP code review guide to ensure that the enterprise security policy is fulfilled. Storyblok's SDLC (Software Development Lifecycle) uses an agile security methodology which includes following steps:

1. Planning (Identify Security Stakeholder Stories, Identify Security Controls, Identify Security Test Cases)
2. Sprints (Secure Coding, Security Test Cases, Peer Review with Security)
3. Deployment (Security Verification with Penetration Testing and Security Code Review)

Storyblok’s quality assurance follows secure software development best practices, which include formal design reviews by the Storyblok security team, threat modeling, and completion of a risk assessment. Static code analysis tools are run as a part of the standard build process, and all deployed software undergoes recurring penetration testing performed by carefully selected industry experts. Our security risk assessment reviews begin during the design phase and the engagement lasts through launch to ongoing operations.

Storyblok's development environment has security controls in place that make sure that no sensitive data is used. Only authorized developers can access the development environment and the codebase of the applications is protected by two factor authentication. Every change to the codebase must go through a process of security review following the best practises of the OWASP code review guide. Changes are tracked and every authorized developers gets notifications about code changes which ensures control over movement of data. Backups of the codebase are stored at secure offsite locations periodically.

Storyblok's testing standards begin in the coding phase with automated security unit and acceptance tests which are executed as part of our build process for every new feature. The developers of the applications are making sure that third-party libraries and executable files are security assessed for potential vulnerabilities before being integrated in the application build. When going to the QA stage security testers are going to test the features with the information provided by feature scope documents. The testers simulate real attack scenarios that can be potentially executed by a malicious external or internal user of the application. The objective of these tests is to test the application in an operational environment. The target is the application build that is representative of the version of the application being deployed into production. After passing the tests in QA testers document the result of their tests and potential security issues. Storyblok's developers review the documents and approve it if no further security issues have been found.

Storyblok follows the Git Flow standard and doesn’t allow any change to the code that didn’t pass the Git Flow steps.

There are security reviews done by carefully selected security experts. Security reviews are done by developers with at least 10 years of experience of software development and security.

Storyblok follows the OWASP secure coding best practices guidelines V2 which contains a checklist of following topics:

• Input Validation
• Output Encoding
• Authentication and Password Management
• Session Management
• Access Control
• Cryptographic Practices
• Error Handling and Logging
• Data Protection
• Communication Security
• System Configuration
• Database Security
• File Management
• Memory Management
• General Coding Practices

https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf

Storyblok does quarterly secure coding workshops internally from our most experienced developers and security experts to keep the whole team up to date.

By the infrastructure design access to the live data is not allowed in development and testing environments. Instead a dedicated database is in place.