Security is built into every stage of how we develop, test, and deploy software. Ambassify follows a Secure Development Lifecycle (SDLC) to ensure that security is never an afterthought. From design through deployment, every change is reviewed, tested, and approved before it reaches production.

Secure Development Lifecycle (SDLC)

Security is integrated throughout the entire Secure Development Lifecycle (SDLC), from initial design to deployment and beyond.

  • Secure-by-Design: We apply secure-by-design principles from the start of every project.
  • Minimize Attack Surface: Features are scoped to expose only what is necessary, reducing potential entry points.
  • Secure Defaults: Systems ship with secure default configurations. Users do not need to take extra steps to be protected.
  • Least Privilege: Applications and services run with the minimum permissions required.
  • Defense in Depth: Multiple layers of security controls protect against failure of any single measure.
  • Fail Securely: When errors occur, systems default to a secure state rather than exposing data or functionality.

Code Review

Every change to our codebase is independently reviewed before it reaches production.

  • Peer Review Required: All code changes must be reviewed and approved by at least one other developer before deployment.
  • Independent Approval: No single individual can develop, test, and deploy a change without independent sign-off.
  • Automated Scanning: Automated code scanning runs prior to deployment to catch common vulnerabilities early.

Change Management

Production changes follow a structured process to prevent unintended impact.

  • Formal Process: All production changes go through a formal change management process.
  • Pre-Release Testing: Changes are tested and approved in a non-production environment before release.
  • Emergency Changes: Urgent changes are documented and reviewed after the fact to maintain accountability.

Security Testing

Continuous and periodic testing validates the security of our platform.

  • Pipeline Integration: Security testing is integrated directly into the development pipeline and runs with every change.
  • Annual Penetration Test: An independent external security firm conducts a penetration test at least once per year.
  • Published Results: A summary of our latest security audit is available in our security audit overview.

Privacy by Design

Privacy considerations are part of the development process from day one.

  • Embedded Principles: Privacy principles are factored into every feature from the design phase onward.
  • Data Minimization: We collect and process only the data necessary for the intended purpose.
  • No Production Data in Testing: Production data is never used in development or testing environments. Only anonymized or synthetic test data is used.

Developer Training

Our development team stays current on evolving threats and best practices.

  • Annual Training: All developers complete security training at least once per year.
  • OWASP Coverage: Training covers the OWASP Top 10, including injection attacks, cross-site scripting (XSS), cross-site request forgery (CSRF), and secure session management.

Version Control

Source code is managed with care to prevent unauthorized changes.

  • Centralized Version Control: All source code is stored and managed in version control systems.
  • Restricted Access: Repository access is restricted based on role and project involvement.