Secure Product Development Lifecycle
Our Security Development Lifecycle (SDL) consists of a set of practices that support security assurance and compliance requirements. The framework helps developers build more secure software by reducing the number and severity of vulnerabilities.
We use application frameworks whose built-in security controls limit our exposure to the OWASP Top 10. These include inherent protections against Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection (SQLi), among others.
In addition to automated testing, our QA department reviews and tests our code base. Dedicated application engineers on staff identify, test, and triage security vulnerabilities in code.
Testing and staging environments are separated from the production environment. No actual customer data or vendor data is ever used in the development, staging, or test environments.
Our source code repositories are continuously scanned for security issues via our integrated static analysis tooling.
Our application dependencies are continuously scanned against published CVEs, and when an upstream fix is released the upgrade is proposed through an automated pull request.
We work hard to help you secure your software supply chain, and we deliver an SBOM alongside every KOTS, kURL, and Troubleshoot release.
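A delivered SBOM only helps if the consumer actually reads it. As an added example that is not Replicated's own tooling, the script below shows how a release SBOM can be consumed on the receiving side: it assumes SPDX 2.x JSON (the page does not state the format), checks the document for the fields a consumer relies on, lists the components, and matches them against an affected-version list. Both the SBOM document and the advisory data are constructed for illustration; the package names and versions are hypothetical.

```python
"""Consume an SBOM shipped with a release: validate it, list components,
and check them against a known-affected list.

Added example, not Replicated's tooling. Assumes SPDX 2.x JSON; the
sample SBOM and the affected-version table are constructed, hypothetical data.
"""
import json

# Constructed SPDX 2.3 JSON document standing in for a downloaded release SBOM.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-release",
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "example-app", "versionInfo": "1.2.3"},
        {"SPDXID": "SPDXRef-Package-parser", "name": "example.com/parser", "versionInfo": "3.0.0"},
        {"SPDXID": "SPDXRef-Package-auth", "name": "example.com/auth", "versionInfo": "v4.5.0"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-app"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-parser"},
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-auth"},
    ],
})

# Constructed advisory data (hypothetical, not real CVEs):
# component name -> first version that carries the fix.
AFFECTED = {
    "example.com/parser": "3.0.1",
}


def parse_version(text: str) -> tuple:
    """Turn '3.0.1' or 'v4.5.0' into a comparable tuple of ints.

    A leading 'v' is stripped; pre-release and build suffixes ('-rc1', '+meta')
    are dropped, as is anything after the first non-numeric dotted part.
    """
    core = text.lstrip("v").split("-")[0].split("+")[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def load_packages(sbom_json: str) -> dict:
    """Return {package name: versionInfo} for every package in the SBOM."""
    doc = json.loads(sbom_json)
    return {p["name"]: p.get("versionInfo", "") for p in doc.get("packages", [])}


def validate_sbom(sbom_json: str) -> list:
    """Return a list of problems that would make the SBOM unusable for matching.

    Checks: SPDX 2.x version, a DESCRIBES relationship from the document to a
    root package, and a versionInfo on every package (unversioned packages
    cannot be compared against advisories).
    """
    doc = json.loads(sbom_json)
    problems = []
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        problems.append("unsupported or missing spdxVersion")
    described = [r for r in doc.get("relationships", [])
                 if r.get("relationshipType") == "DESCRIBES"
                 and r.get("spdxElementId") == "SPDXRef-DOCUMENT"]
    if not described:
        problems.append("document does not DESCRIBE a root package")
    for p in doc.get("packages", []):
        if not p.get("versionInfo"):
            problems.append(f"package {p.get('name')} has no versionInfo")
    return problems


def find_affected(packages: dict, affected: dict) -> list:
    """Report SBOM components whose version is below the fixed version."""
    hits = []
    for name, fixed_in in affected.items():
        if name in packages and parse_version(packages[name]) < parse_version(fixed_in):
            hits.append(f"{name} {packages[name]} (fixed in {fixed_in})")
    return hits


if __name__ == "__main__":
    for problem in validate_sbom(SAMPLE_SBOM):
        print("SBOM problem:", problem)
    components = load_packages(SAMPLE_SBOM)
    for name, version in sorted(components.items()):
        print(f"{name} {version}")
    for hit in find_affected(components, AFFECTED):
        print("AFFECTED:", hit)
```

In practice the advisory table would come from a vulnerability database or the vendor's own advisories rather than a literal in the script; the point is that the SBOM gives you the exact component versions to match against, which a binary alone does not.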
Third-Party Tested
Bug Bounty Program
We believe in responsible disclosure and support a community of ethical hackers through HackerOne.
Penetration Tested
We contract with expert firms to evaluate the security of our products. Three of our core components are open source, so you can even check for yourself.
Compliance
Replicated is SOC 2 Type 2 compliant.
You can also download our CSA STAR self-assessment.