Application Security

1. Secure Development Lifecycle

Security requirements: defined at the start of every project so security is built in from day one.
Threat modelling: we perform threat modelling to identify risks before code is written.
Secure coding standards: our developers follow OWASP secure-coding guidelines.
Security champions: each team has a champion who drives security practices.

Peer code reviews: all code changes undergo mandatory peer review with a security lens.
Static Application Security Testing (SAST): automated tools scan source code for common vulnerabilities.
Dynamic Application Security Testing (DAST): running applications are tested for vulnerabilities via automated scanning.
Software Composition Analysis (SCA): third-party libraries are scanned for known vulnerabilities and updated promptly.

Injection prevention: parameterised queries and input validation prevent SQL, command, and other injection attacks.
Authentication & session security: secure password storage, session handling, and MFA protect accounts.
Sensitive data protection: sensitive data is encrypted at rest and in transit.
XXE prevention: XML parsers are configured to disable external entity processing.
Access control: role-based access control (RBAC) ensures users can only access authorised resources.
Configuration hygiene: automated configuration management reduces misconfiguration.
XSS prevention: output encoding, Content Security Policy (CSP), and input sanitisation guard against XSS.
Insecure deserialisation prevention: we validate and sanitise serialised data before processing.
Component vulnerability management: regular dependency updates and scanning.
Logging & monitoring: security-relevant events are logged for detection and response.

Authentication: API endpoints require proper authentication (OAuth 2.0 / JWT).
Rate limiting: protects against abuse and denial-of-service.
Input validation: strict validation is enforced at the boundary.
Versioning: proper versioning allows insecure endpoints to be deprecated safely.
Documentation: clear internal documentation helps developers use APIs securely.

Secure data storage: sensitive data uses platform-native secure storage (Keychain on iOS, Keystore on Android).
Certificate pinning: TLS certificate pinning mitigates man-in-the-middle attacks.
Code hardening: release builds are minified and obfuscated to make reverse engineering harder.
Biometric authentication: Face ID / Touch ID / fingerprint is supported where available.
Tamper detection: the app performs integrity checks on untrusted (jailbroken / rooted) devices.

Secure session tokens: tokens are cryptographically random and sufficiently long.
Session timeout: sessions expire after inactivity.
Session invalidation: sessions are invalidated on logout and password change.
Device list: users can view and terminate active sessions.

Penetration testing: we engage independent firms for periodic penetration tests.
Vulnerability assessments: automated scans identify weaknesses before they can be exploited.
Red team exercises: simulated attacks exercise our detection and response.
Responsible disclosure: our programme invites researchers to report vulnerabilities.

Infrastructure as code: reproducible, version-controlled configuration.
Immutable infrastructure: servers are replaced rather than modified.
Secrets management: credentials live in secure vaults, never in source code.
Container security: container images are scanned and kept patched.