Secure Software Development Life Cycle (SDLC) Policy

Last Updated: 5/31/2023

Introduction

This document outlines the Heyday Secure Software Development Life Cycle (SDLC) which governs all development made on behalf of the company. Security is a mandatory consideration for both application code and data handling.

Training and Awareness

  • Employee onboarding will include a walkthrough of this document and the associated procedures
  • Updates to this document will include notifying all developers of the change and new set of requirements

Secure Design

Architecture design will incorporate secure principles for any software that is intended to interact with production data.

  • Encryption
    • All data SHALL be encrypted while at rest and during transport
      • This includes any exported or archived data (e.g. DB snapshots)
    • Custom encryption schemes SHALL not be used when standard schemes can be used
  • User Tokens
    • User tokens SHALL be stored exclusively within the Auth0 security tenant

Secure Development

  • Source Code Tracking
    • Github is used to track all changes to the software baseline
  • Issue Tracking
    • We use Linear to track all development issues (security issues included)
    • Issues will use the Priority field to communicate urgency of fix
  • Supply Chain
    • We use dependabot and socket.dev to track vulnerabilities in our dependencies
    • CRITICAL and SEVERE issues will be tracked in Linear and fixed based on their priority and applicability to our software stack and usage of the dependency
  • Continuous Integration
    • All changes to the software baseline (PRs) must pass all CI checks in order to be mergeable (enforced via GitHub)

Secure Testing

  • Static Analysis
    • All code in the Heyday code base will be statically scanned for security issues via Github Security Analysis
    • Any CRITICAL or HIGH issues found during development (analysis of pull requests) should be fixed prior to merging to the main branch
    • Any CRITICAL or HIGH issues found against baseline code will be tracked and fixed based on their priority and applicability to our software stack and usage
    • Static analysis is run continuously through the continuous integration (CI) platform
  • Pen Testing
    • We use the OWASP ZAP pen testing framework to identify any runtime related security issues
    • Any CRITICAL or HIGH issues found against baseline code will be tracked and fixed based on their priority and applicability to our software stack and usage
    • The ZAP testing will be run quarterly against the Staging environment

Secure Deployment

  • All sensitive secrets SHALL be stored in AWS Secrets Manager
  • All software images SHALL be pulled from the Heyday Image Repository

Operations & Maintenance

  • Developer access to production and staging systems
    • Each developer SHALL generate their own SSH key for access to Heyday systems
    • All access to Heyday systems (including support services) will be revoked when an employee leaves the company
  • Access to support systems that use their own authentication scheme SHALL use 2FA if the system supports it (e.g. Segment, Sentry, LaunchDarkly)

Roles and Responsibilities

  • Every member of the Heyday organization is responsible for incorporating this document in their work
  • The Head of Engineering is responsible for making changes to this document and making sure all developers are aware of those changes

Review and Audits

  • Github history and PRs are used to audit changes to the software baseline
  • Changes to production systems (AWS) will be made using a pairing system to ensure all practices are followed

Questions?

If you have any questions about our privacy practices or this Privacy Policy, please contact us at hello@heyday.xyz or 840 Sansome Street, San Francisco, CA 94111.