We are committed to protecting the data of our customers, which is why we have put in place a range of governance procedures to secure information across our technology delivery lifecycles.
We use a variety of techniques and tools to secure applications and systems created from source code. These include:
We use Source Control systems to preserve a main single copy of application code alongside complete change history.
We follow defined processes for creation of new code features. These are first defined as requirements and later created in “branches”, segregated from the main application code and merged once ready for inclusion in the target application.
We leverage a range of testing automation tools to ensure that we can verify the expected behaviour of application features, including unit tests, integration tests, and mock frameworks. We leverage manual exploratory testing to catch issues that our Quality Assurance processes might not.
We integrate source code analysis tools early in our development lifecycle, ensuring that all code follows best-practises and/or defined conventions. This makes the code of our applications comprehensible and easy to review by any member of our development teams.
Many of these tools also detect use of potentially insecure language or framework features, and will fail build processes when detected.
We ensure documentation is created to an internal standard as part of our build processes. The expected functionality of all code is properly described, and forced to follow standard documentation conventions. Where possible we force build failures where these standards are not met.
We hold team meetings to review source code, encouraging open and honest feedback. This helps develop DevSecOps awareness across our delivery teams.
Build and packaging automation
We create software artefacts for deployment using automated build, test, and packaging processes. This ensures repeatability, agility, and results in test-verified, centralised artefacts ready for deployment. This is a key part of an end-to-end deployment toolchain that has no user interventions which could interfere with the deployed artefacts.
We deploy applications and services from trusted artefacts using automated processes. This minimises user access to target environments.
Automated deployment processes deploy applications through a sequential set of environments as part of Quality Assurance activities. Different types of testing are carried out in these different environments.
Where our testing processes are highly mature we practise continuous deployment.
We monitor our applications through a range of tools to better understand user behaviour, detect failure, and optimise performance. Logs are reviewed daily, with alerts configured for events which may require additional investigation.
We conduct regular security reviews to detect new vulnerabilities either in our applications or the middleware and operating systems which support them.
Updates and patches
Systems are regularly maintained and patched, either by virtue of using cloud technologies (Platform- or Functions-as-a-Service) or using vendor update mechanisms.
The principles described above are applied to our use of third-party systems and tooling as appropriate.
Our Digital Platform is hosted in UK data centers (both compute capability and storage systems).
Data stored by the Digital Platform is encrypted both at rest and in transit.
Please refer to our published Terms and Conditions or specific contract provisions for further details of how we protect your data.