Atlassian announces end of life for OpsGenie. Looking to switch? We're here to help -- Learn More ➡️
Menu

Secure Development Policy

1. Introduction

PagerTree is committed to delivering secure, reliable software to our customers. Security is integrated throughout the software development lifecycle (SDLC), ensuring that applications are designed, built, tested, and maintained in accordance with modern security best practices.

This Secure Development Policy outlines PagerTree’s approach to developing and maintaining secure software and reducing the risk of security vulnerabilities in our products and services.

2. Scope

This policy applies to:

  • All software, systems, and services developed or maintained by PagerTree
  • All employees, contractors, and third parties involved in software development, testing, and deployment
  • All environments supporting application development (development, staging, and production)

3. Secure Development Practices

3.1 Security by Design

PagerTree incorporates security from the earliest stages of development, including:

  • Threat modeling and risk assessment for new features and architecture changes
  • Design reviews that include security considerations
  • Use of industry-standard secure design principles such as least privilege, defense in depth, and secure defaults

3.2 Coding Standards

Developers follow secure coding practices based on established industry frameworks, including:

  • OWASP Top 10
  • OWASP API Security Top 10
  • Secure coding best practices for applicable languages and frameworks

PagerTree actively discourages the use of deprecated libraries or insecure patterns.

3.3 Code Review Requirements

All code changes must undergo peer review before deployment. Reviews include:

  • Security and logic validation
  • Verification of input validation, access control, and proper error handling
  • Ensuring secrets are not stored in source code or repositories
  • Validation against PagerTree’s secure coding standards

No code may be merged without successful review.

3.4 Secrets Management

PagerTree enforces secure handling of credentials, tokens, and secrets:

  • Secrets are never committed to source control
  • Approved secret management tools or platform-managed secrets are required
  • Automatic key rotation is used where technically feasible
  • Access to secrets is restricted based on least privilege principles

4. Testing and Quality Assurance

4.1 Automated Security Scanning

PagerTree integrates automated security scanning into CI/CD processes, including:

  • Static Application Security Testing (SAST)
  • Software Composition Analysis (SCA) for third-party dependencies
  • Dependency vulnerability checks and alerts

Security issues are triaged and remediated according to severity.

4.2 Manual Security Testing

In addition to automated testing:

  • Developers and QA teams conduct functional and security tests for new features
  • Critical areas (authentication, authorization, session handling, etc.) receive additional scrutiny
  • Penetration testing is performed periodically by qualified internal or external resources

4.3 Secure Release Management

Software is not deployed unless:

  • All required reviews and security checks are complete
  • Automated security scans pass
  • Vulnerabilities are addressed or formally risk-accepted following review

5. Third-Party Components

PagerTree relies on trusted third-party frameworks and open-source libraries when appropriate. To reduce supply chain risk:

  • All dependencies are reviewed and scanned for known vulnerabilities
  • Updates and patches are applied regularly
  • High-risk or unmaintained components are avoided or replaced

6. Change Management

Changes to code, infrastructure, or production systems follow PagerTree’s formal change management processes, which include:

  • Documentation of the change
  • Risk assessment
  • Testing and validation
  • Approval from authorized personnel
  • Audit logging of deployments

7. Vulnerability Management

PagerTree maintains processes to identify, track, prioritize, and remediate security vulnerabilities in our software:

  • Vulnerabilities are assigned a severity based on industry scoring systems (e.g., CVSS)
  • High and critical vulnerabilities are remediated promptly
  • PagerTree maintains a coordinated disclosure process for reporting security issues
  • Security patches are deployed promptly following appropriate testing

8. Developer Training

All developers and engineers receive recurring training on:

  • Secure coding practices
  • OWASP and common vulnerability classes
  • Authentication and access control principles
  • Secure handling of data and secrets
  • New and emerging security threats

Specialized training is provided for team members with elevated security responsibilities.

9. Enforcement

Compliance with this Secure Development Policy is mandatory. Violations may result in:

  • Revocation of development or production access
  • Disciplinary action
  • Contract termination for third parties or contractors

10. Review and Maintenance

This policy is reviewed at least annually or whenever significant changes occur in development practices, threat landscape, compliance requirements, or PagerTree’s technology stack. Revisions require approval from Executive Management.

For questions regarding this Secure Development Policy or PagerTree’s security practices, please contact security@pagertree.com.