The engineering teams, and others involved with software development at Starburst, implement the following best practices:
These processes are in place to ensure quality and identify security vulnerabilities prior to releasing code to customers and into production environments.
Tests may include functionality, compatibility, UI consistency, performance, security, integration, and regression tests as applicable for a particular change.
Annual penetration tests are conducted by Starburst. Upon request, customers may obtain executive summaries of these tests.
Starburst continuously monitors cloud environments for system vulnerabilities in accordance with formally documented vulnerability management processes and procedures.
Starburst utilizes Veracode to conduct regular static code scanning and library security reviews. Veracode is an industry leader for application security and the platform allows for efficient vulnerability reporting and management.
The platform produces software composition analysis (SCA) and static application security testing (SAST) reports. The reports are reviewed, and identified vulnerabilities are addressed based upon CVE level. Critical risk and high risk vulnerabilities are prioritized for remediation. Each reported vulnerability is verified to be valid and applicable, or a false positive. This analysis includes assessing the code paths, library usage and other aspects. The results of all these analysis tasks are tracked for reference and further analysis as necessary.False positives are configured to be not reported again.
For true positives, the development process includes addressing and remediating any legitimate critical or high level findings. Medium, low and informational vulnerabilities are reviewed and placed into the backlog and scheduled for future sprints, if legitimate, exploitable risk is identified.
Upon your request, Starburst can provide an executive summary of the reports. The reports may be provided once per quarter.
You may conduct your own vulnerability and code scans. Starburst can be notified of any findings.
Is the information on this page helpful?