QNAP Secure Software Development Lifecycle
Revised on July 26, 2024
Our company is committed to providing secure and reliable cloud services. We have established and implemented a comprehensive security development process, strictly adhering to the best security practices to ensure that our systems and applications meet the highest security standards at every stage of the development lifecycle.
1. Development Environment Security
We take multi-layered protection measures to ensure the security of our development environment, including:
- Physical and boundary security controls
- Strict identity access management
- Antivirus and intrusion detection systems
- Security audits and monitoring mechanisms
2. Software Development Lifecycle Security
We integrate security considerations throughout our software development lifecycle:
- Secure Development Methods: By adopting the principle of Security by Design, we incorporate risk assessment and threat modeling analyses starting from requirements gathering through architectural design and code implementation.
- Secure Coding Standards: We provide detailed secure coding guidelines for various programming languages to help our developers avoid common security vulnerabilities.
3. Security Requirements in the Design Phase
System and application functions must pass rigorous security reviews at the design phase, including requirements for data protection, authentication, access control, and encryption implementation.
4. Security Checkpoints in the Development Lifecycle
We conduct security reviews at key development points. Our security review methods include:
- Threat model verification
- Static application security testing (SAST)
- Dynamic application security testing (DAST)
- Penetration testing
5. Development Data Protection
Confidential data and source code generated during the development process are protected by strict access controls and encryption.
6. Version Control Security
All code changes are tracked through a secure version control system to prevent unauthorized modifications.
7. Application Security Training
We provide application security training for our developers, familiarizing them with various security threats and best protection practices for web, cloud, and mobile applications.
8. Vulnerability Management Capability
- We proactively discover and patch potential security vulnerabilities through automated tools and manual scans, continuously enhancing this capability.
- We have an established process for managing vulnerability information about our products, including channels and procedures for receiving, investigating, coordinating, and reporting vulnerability information. We respond to zero-day vulnerabilities within 24 hours and publish vulnerability notifications via QNAP Security Advisories.
9. Dedicated Security Team
QNAP has established a Product Security Incident Response Team (PSIRT) to fully coordinate and formulate product security responses. QNAP PSIRT ensures swift communication and remediation with all relevant parties through a comprehensive four-step process, with complete transparency of information.
10. Information Transparency
QNAP is a participant in the MITRE CVE Numbering Authority program, collaborating securely with third-party security researchers to discover and fix previously unknown security vulnerabilities, maintaining transparency and trust with relevant parties.
11. Participation in the Information Security Community
Through the Security Bounty Program, QNAP closely cooperates with the information security community to enhance the security of our products.
Conclusion
We recognize the importance of secure software development and will continue to review and improve our development processes and practices, striving to provide customers with the most secure and reliable cloud services.