
15. Software Development Life Cycle (SDLC) & Application Security

At Thru, we integrate security throughout our Software Development Life Cycle to ensure robust application security. We use a hybrid approach combining Agile Scrum and OWASP's SAMM. We also follow the Secure-by-Design and Secure-by-Default recommendations from the Cybersecurity and Infrastructure Security Agency (CISA).

15.1      Secure Design

  • Security requirements incorporated from project inception

  • Threat modeling to identify potential vulnerabilities

15.2      Secure Coding Practices

  • Adherence to industry-standard secure coding guidelines and best practices, by consulting the information OpenCRE has collected for the domain being implemented:
                https://zeljkoobrenovic.github.io/opencre-explorer

  • Mainline merges are blocked until the pull request is peer reviewed.

  • Automated static code analysis for software vulnerabilities including third-party dependencies.

15.3      Testing and Validation

  • Automated regression and security testing (Selenium, Playwright, and Zap) integrated into CI/CD pipeline.

  • Regular penetration testing and vulnerability assessments

15.4      Third-Party Component Management

  • Strict vetting of third-party libraries and components

  • Continuous monitoring for known vulnerabilities (registered for product alerts and CVEs)

15.5      Secure Deployment

  • Hardened production environments using CIS Hardened Images or scripts on Thru custom OS templates.

  • Terraform for automated Configuration as Code deployments of infrastructure.

  • Git Actions and git tagging for reproducible and consistent builds.

  • Octopus deployment for automated deployment and rollback support.

  • Strict change management procedures.

15.6      Ongoing Monitoring and Maintenance

  • Real-time application monitoring for security events

  • Prompt patching and updates to address emerging threats

  • Ansible playbooks for highly scalable audit, configuration, and product management.

15.7      Developer Training

  • Regular security training for development teams

  • Promotion of security-first culture

By embedding security at every stage of our SDLC, we ensure that our Managed File Transfer solution maintains the highest standards of application security, protecting our customers' sensitive data throughout the development, build, and deployment process.
