Productboard Technology Radar

DevSecOps

Adopt

DevSecOps integrates security practices into all stages of our software development cycle, moving away from the traditional model where security is a final step. This ‘shift-left’ approach ensures that security is a core part of the development process, not an afterthought. Embedding security early in the cycle reduces the risk of vulnerabilities and streamlines the development process. DevSecOps involves continuous security monitoring and automated checks within our CI/CD pipelines, making security a shared responsibility among all team members. This approach is crucial for delivering secure, robust software efficiently, aligning with our commitment to high-quality software development.

👍 Best practices

  • All services are designed so that they can be operated without seeing our customers’ data.
  • Applications can only access the data and resources necessary for operation, following the principle of least privilege.
  • Every access to the production environment (regardless of which layer) is audited, and a session recording of all actions performed is available.
  • We never store credentials or secrets in plain text. Using Vault is mandatory to keep them safe, and automatic rotation is set up whenever feasible.
  • Follow the Issue lifecycle at Productboard to promptly address issues and keep our customers informed.