Secure Software Development Lifecycle (SSDLC)
This page showcases the implementation of the Secure Software Development Lifecycle (SSDLC) in BeamFi to ensure the security and integrity of the developed software. The following sections provide evidence of the company's adherence to SSDLC best practices and methodologies.
All developers at BeamFi receive comprehensive training on secure coding practices, security principles, and common vulnerabilities. The training material is updated regularly, and developers attend annual refreshers to stay up-to-date with the latest security advancements.
Each pull request is subjected to an automated security scan, identifying potential vulnerabilities at the early stages of development. This is achieved by integrating tools like Snyk with our GitHub repositories to automatically scan the codebase.
The application leverages blockchain technology and smart contracts to ensure data security and user permission checks. The smart contracts are encrypted end-to-end with strong cryptography, making unauthorized access nearly impossible.
Our SSDLC process includes automated testing for common smart contract vulnerabilities, such as reentrancy, which analyzes smart contract code for potential weaknesses so that they are addressed before deployment.
As part of the code review process, developers conduct peer security reviews to identify potential security issues and share knowledge on secure coding practices. This collaborative approach helps improve the overall security of the application.
Security is an integral part of every stage of the software development process at BeamFi. This includes initial planning, architecture design, analysis, development, testing and verification, continuous integration and delivery, maintenance, and evolution.
During the requirement phase, access control is designed to ensure that users can only access their own data, effectively preventing unauthorized data access.
In the development phase, SAST tools are integrated with GitHub continuous integration pipelines to automatically scan both frontend and backend code. This includes validation of user inputs, sanitization of data sent back to users, and continuous vulnerability checks of open-source libraries.
The verification phase includes automated unit tests to ensure the correctness of the application and its critical paths. Secret tokens, such as Zoom SDK IDs and secret keys, are stored securely in encrypted form using GitHub Secrets and are never included in the source code.
During the maintenance phase, the company stays up-to-date with the latest trends and news on application security, acting on newly discovered or reported security issues. This includes a proper internal security patching process and, if necessary, temporarily pausing backend smart contracts to protect users. External penetration testing is conducted by EthicalCheck, and our own API health check monitoring agents are deployed to continuously monitor the application and system.
BeamFi follows OWASP best practices throughout the development process, ensuring a secure and robust application. For instance, the node-esapi library is used in the webapp frontend.
BeamFi adopts the Web Crypto API for client-side end-to-end encryption of clients' data, including the Zoom meeting ID and password, in transit between the client and our system. It uses an industry-standard 256-bit AES-GCM key to give users the strongest protection during encryption and decryption.
A triage approach is adopted to address and track security issues, ensuring that they are resolved before going into production. This helps prioritize security concerns and maintain a secure development environment.
BeamFi is committed to implementing a Secure Software Development Lifecycle (SSDLC) to guarantee the security and integrity of its software products. This document demonstrates the company's dedication to security and its ongoing efforts to maintain a secure development environment.