Milestone Security Development Lifecycle (SDL)

This document describes the Security Development Lifecycle for Milestone Systems A/S (hereafter referred to as Milestone).

The Security Development Lifecycle (SDL) encompasses a comprehensive set of principles and practices that extend beyond the software-coding activities and pure technical aspects of our products.

Scope

Milestone’s SDL encompasses the broader context of our development processes and defines the requirements, practices, and procedures that Milestone employees follow during development of all Milestone software products and services.

In addition to focusing on reducing the attack surface and safeguarding against vulnerabilities in Milestone’s software products, the SDL also focuses on compliance with industry standards and regulatory requirements, resulting in safer products, services and systems.

The following sections describe the areas covered by the SDL as illustrated below.

SDL Implementation

Milestone’s SDL is implemented throughout Milestone's Technology Group as a continuous process, in which everyone initially receives an introduction to and training in the processes and procedures the SDL describes. After the initial introduction and training, the knowledge and application of the SDL is maintained through the following activities:

  • new employees attend internal ‘Milestone Developer Academy’ training, which covers Milestone’s development process and tools, our SDL, and finally XProtect product training.

  • through Milestone’s “security champions” program for the development teams, the ‘Security and Compliance’ team continuously works with the security champions to ensure they remain proficient in the processes and procedures described in our SDL.

  • when the SDL is updated to a degree that is deemed to require additional training, the development teams and security champions are informed of the changes and receive training in them.

Note: Security champions are team members in each development team who have taken on an additional role as an extension of the “Security and Compliance” team. The security champion acts as the team’s local security expert and as its link to the “Security and Compliance” team.

Review process

Milestone reviews this SDL yearly and updates it to reflect the latest changes in industry standards, emerging threats, new technologies, and organizational policies.

SDL owner

The Milestone Security Development Lifecycle is owned and maintained by Milestone’s ‘Security & Compliance’ team.