Help & FAQ

Mycommittee Security and Privacy

Overview

As organizations worldwide increasingly rely on cloud applications and services to run their business and operations, it is becoming more and more important for software providers to incorporate security in all stages of their product lifecycle. Considering the risks associated with security incidents, the increasingly complex regulations, and the ever-changing requirements and potential security threats, organizations need a solid set of security practices to assure delivery of high-quality and secure applications.

At mycommittee, the security of your data and the protection of the privacy of your members using our application is our number one priority. Starting with the design of a feature or bug fix through development and testing and up to deployment and monitoring, mycommittee employs a set of security methodologies and principles to make sure we deliver and maintain the highest possible standard in software quality and data/privacy protection.

Security Practices

Security is not a one-time effort but encompasses every phase of the product from development to operations on an ongoing basis. Mycommittee's goal is to make sure our application meets all our customers' security requirements while providing the most cost-effective ownership experience. To help with this, mycommittee has a number of security practices that are an integral part of our day-to-day development and operating processes.

Coding Standards

Mycommittee developers are security trained and familiar with secure coding standards. These coding standards are a roadmap and guide for developers to help them avoid common coding mistakes. Our secure coding standards are not static but evolve over time to address new insights and lessons learned, new security threats discovered, new requirements from mycommittee customers, etc.

Analysis and testing

Functional security testing is executed as part of the normal product testing cycle. It tests the security features against the functional specifications as defined during the design and review processes.

Static Code Analysis is built right into the development environment and runs continuously during development. The purpose of the code analysis is to scan the code to find potential security issues that would not be easily detected with functional or dynamic security testing.

Dynamic security testing is performed regularly and at least once for each major release. Testing to find various security issues is performed on the running application via the user interface, using various automated and manual security testing tools.

Secure configuration

In almost all software applications, regardless of whether they are installed locally or running in the cloud, 'Security' and 'Usability' are often conflicting terms. In many cases, increasing one will decrease the other. Most security defense mechanisms implemented by mycommittee are fixed and cannot be modified or disabled by the customer, but there are some security-related settings that can be tweaked depending on the customer's needs. Any security-related feature in mycommittee that can be customized will come out-of-the-box with the 'secure by default' setting enabled. Customers can then, depending on their requirements, domain, etc., decide to accept certain risks in order to provide more flexibility for their users.

External Security Evaluations

At regular intervals, mycommittee is tested for security vulnerabilities by an independent third-party organization specialized in cloud application security testing. Security evaluations can lead to identification of vulnerabilities and subsequent improvements in overall design and implementation. These external evaluations also provide us and our customers with an extra level of confidence.

Vulnerability Handling

Security issues are prioritized based on the Common Vulnerability Scoring System (CVSS). Mycommittee has adopted Version 3.0 of the CVSS Standard. Newly reported security vulnerabilities are reviewed and scored as soon as possible. Based on the potential risk, security vulnerabilities with a high score will be fixed first.

Disclosure Policy

In order to prevent undue risks to our customers, mycommittee will not provide additional information about the specifics of vulnerabilities beyond what is provided in the mycommittee announcements, help and FAQ documents. Mycommittee does not provide advance notice to individual customers.

Reporting Vulnerabilities

Please use the mycommittee support area to submit a request or send an email to support@mycommittee.com for any security issue you believe you have discovered. Our security team will review and evaluate each request and provide an update as soon as possible. We appreciate all security issues reported by customers as well as independent security researchers, and value your discretion during the time we are implementing a fix.
