Software development and security practices #

Development methodology #

The engineering teams, and others involved with software development at Starburst, implement the following best practices:

  • Fine grained project management for each feature and bug fix.
  • Enforced peer reviews for any changes. Two or more reviewers are activated for more sensitive or complex changes.
  • Required automated and manual testing.
  • Automated code and dependency scanning for security vulnerabilities.
  • Automated release processes.
  • User documentation as part of feature delivery.
  • Minimized attack surface by reduction of software components included in archives, machine images, and containers.

These processes are in place to ensure quality and identify security vulnerabilities prior to releasing code to customers and into production environments.

Tests may include functionality, compatibility, UI consistency, performance, security, integration, and regression tests as applicable for a particular change.

Penetration tests #

Annual penetration tests are conducted by Starburst. Upon request, customers may obtain executive summaries of these tests.

Security and vulnerability management processes #

Starburst continuously monitors cloud environments for system vulnerabilities in accordance with formally documented vulnerability management processes and procedures.

Starburst utilizes Veracode to conduct regular static code scanning and library security reviews. Veracode is an industry leader for application security and the platform allows for efficient vulnerability reporting and management.

The platform produces software composition analysis (SCA) and static application security testing (SAST) reports. The reports are reviewed, and identified vulnerabilities are addressed based upon CVE level. Critical risk and high risk vulnerabilities are prioritized for remediation. Each reported vulnerability is verified to be valid and applicable, or a false positive. This analysis includes assessing the code paths, library usage and other aspects. The results of all these analysis tasks are tracked for reference and further analysis as necessary.False positives are configured to be not reported again.

For true positives, the development process includes addressing and remediating any legitimate critical or high level findings. Medium, low and informational vulnerabilities are reviewed and placed into the backlog and scheduled for future sprints, if legitimate, exploitable risk is identified.

Upon your request, Starburst can provide an executive summary of the reports. The reports may be provided once per quarter.

You may conduct your own vulnerability and code scans. Starburst can be notified of any findings. Starburst only addresses and remediates vulnerabilities as identified by the Starburst Veracode instance.