Security by Design
Summary: This article describes XMPie’s Secure Software Development Life Cycle (Secure SDLC) principles.
Overview
As context, XMPie maintains a risk-based assessment security program. The Secure Software Development Life Cycle (Secure SDLC) process is one of the cornerstones of XMPie's security program.
The framework for XMPie's security program includes administrative, technical, and physical safeguards reasonably designed to protect confidentiality, integrity, and availability.
XMPie's security framework covers Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Security, People Security, Product Security (Secure SDLC), Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, as well as Security Monitoring and Incident Response.
Security is represented at the highest levels of the company, with XMPie's Vice President/General Manager meeting with executive management regularly to discuss issues and coordinate security initiatives. Information security policies and standards are reviewed and approved by Xerox management at least annually and are made available to all XMPie employees for their reference.
Security by Design
The XMPie Software Development Lifecycle (SDL) process is the method by which XMPie creates secure products and defines the activities that the product teams must perform at different stages of development (requirements, design, implementation, and deployment).
XMPie engineers perform numerous security activities for the services including:
- Internal security reviews before products are launched.
- Periodic penetration tests performed by independent security teams.
- Architecture reviews.
- Implementation of Secure Software Development Life Cycle (Secure SDLC). Secure SDLC is a software engineering culture that unifies software development, deployment, security, and operations by performing the following:
  - Static Application Security Testing (SAST) - Analyzes source code to identify vulnerabilities in applications before the applications are compiled or deployed.
  - Dynamic Application Security Testing (DAST) - Identifies vulnerabilities in (web) applications while they are running.
  - Software Composition Analysis (SCA) - A set of tools and practices for identifying and managing the third-party and open-source components in software applications, which helps identify and mitigate security vulnerabilities in those components. SCA also uncovers licensing issues in the components.
XMPie is a Xerox company. Therefore, the Xerox policies and procedures apply to XMPie.
Read more about Xerox compliance in the following pages:
Created by: Nahum Cohen on February 2024