Secure software development
Sinch takes security seriously: products go through penetration testing and security validation, and we are committed to fixing security vulnerabilities classified as high with a patch or, at the latest, in the next release.
Vulnerabilities classified as medium or low are analyzed by the product development team and fixed in the next release unless decided otherwise.
Product security within Sinch Contact Pro is implemented with a Secure Software Development Life Cycle (SSDLC). SSDLC is a framework for developing secure software: a set of processes and activities that organizations follow to ensure that their software is developed with security in mind.
The goal of the SSDLC is to identify and mitigate potential security vulnerabilities and threats in the software development process, so that the final product is as secure as possible. The SSDLC typically includes activities such as threat modeling, secure coding practices, security testing, and security reviews. In practice, SSDLC is implemented as a step-by-step process in different software development phases:
- Planning: Security-related requirements are defined in the planning phase. These can emerge from maintenance of the previous release and from assessing changes in technology.
- Design: In the design phase, we use threat modeling to assess potential security risks. We also have a library of engineering rulebooks, which define, among other things, security-related non-functional requirements.
- Implementation: In the implementation phase, we use code reviews or a pair-programming practice. Automated security code scans also run during implementation, and their results are reviewed. There are two types of security code scans: static security code scans and third-party vulnerability scans.
- Testing: In the testing phase, the new release is also tested from a security point of view. This includes breaking into the software to find vulnerabilities, scanning the code for potential problems, and making sure the software can handle different security threats.
- Deployment: We use central build tools to ensure repeatable and traceable software builds.
- Maintenance: In the maintenance phase, we monitor new security threats and update the software accordingly. Updates are included in quarterly Sinch Contact Pro releases.
