Please find below how Cryptify Call meets NCSC’s Product Development Principles
1. Design for user need
Cryptify actively follows the latest technical developments in the fields of telecommunication and software development. Furthermore, the Sales & Marketing unit is responsible for collecting customer requirements, including requests for product enhancements. New requirements and enhancements are presented at the weekly Product Strategy Meeting. Before a new feature is implemented, a thorough investigation is carried out, including security impact and usability.
All features and characteristics of the system are described in the Requirement Specification managed by the Product Management team. All requirements in the Requirement Specification are verified as part of the Quality Assurance carried out prior to a product release.
2. Enable your developers
Cryptify uses a certified development process where approved development tools are carefully balanced to empower designers with the best possible development capabilities whilst safeguarding against the risk of compromise and providing a homogeneous development environment across the company.
Employees are trained in both the development environment and Cryptify’s coding standards. Compliance with the coding standards is validated as part of the peer/code review process.
3. Manage your supply chain risk
When using 3PP software, Cryptify always ensures compliance with applicable license terms to respect third-party intellectual property rights.
Cryptify’s policy for the use of Third Party Products (3PP), including free and open source software (FOSS), covers:
- Supplier vetting
- License terms
- Security assessment
- Through-life aspects (support structure, update cycles, quality assurance, ...)
- Process to detect publicly known security vulnerabilities
4. Secure your development environment
Cryptify’s IT environment consists of three separate networks:
- Protected network: Servers containing source code and commercial documents are located on Cryptify’s protected network, which is physically isolated from the Internet.
- Internal network: Access to the Internet through a firewall. No external connections, e.g. VPN access, are allowed.
- Guest network: Separated from the internal network.
Business services, e.g. email, are physically separate from the development environment.
Cryptify’s policy for IT asset management, including access control, covers:
- Access control
- Server room
- Safe & Vault
- Data management policy
- Password policy
- Storage policy
- Backup and restore
- Disaster recovery plan (verified monthly)
5. Review and test frequently
The Quality Assurance regime includes:
- Self testing
  - All code is thoroughly tested using design tests.
  - Where possible design tests are automated and part of daily routines.
  - Test suites are expanded continuously as functionality grows and faults are corrected to ensure legacy functionality and corrections are intact.
- Peer review
  - All code is reviewed by peers prior to release.
- Verification
  - Functional and characteristics testing of all requirements listed in the Requirement Specification.
Furthermore, a Root Cause Analysis (RCA) is carried out on any fault classified as Critical, i.e. causing severe loss of communications or a security breach. Such an RCA covers both procedural and technical flaws, and suggests measures to be taken to mitigate such flaws in future work.
6. Manage change effectively
All software components and product artefacts, e.g. manuals, are uniquely identified and version controlled. Released versions can be completely recreated at a later date.
7. Build for through-life
Cryptify offers a comprehensive product maintenance support service to its customers, including:
- Technical support
- On-site support
- Flaw remediation
- Product enhancements
New updates are published in the applicable software store, e.g. Apple AppStore for iOS and Google Play Store for Android, enabling easy and secure delivery of software to the end users. New updates are announced in the newsletter, news@cryptify.se.
Customer Product Information (CPI) is published on the cryptify.com website, giving customers easy access to relevant information to operate the system securely. Additionally, tutorials and manuals are embedded into the apps.