Secure implementation

Secure implementation is not a one-time task. It’s a mindset. This mindset runs through every stage of Milestone’s development process. It means that Milestone’s development teams proactively work on identifying and addressing security vulnerabilities, follow best practices, and adhere to established guidelines to ensure the resilience of Milestone’s products – both in terms of software and hardware products.

The following guidelines cover requirements for secure implementation. The guidelines include security coding best practices, security code review, static and dynamic code analysis, and security policies for third-party components. By adhering to these guidelines, Milestone’s developers reduce the risk of security vulnerabilities, ensure safeguard of user data, and uphold Milestone’s commitment to be a trusted and reliability vendor.

Security coding best practices

Milestone has defined a Security Coding Best Practices standard, which defines the practices and rules all Milestone developers are trained to and must follow during development of our software products.

The Security Coding Best Practices govern the way Milestone’s code must be written, reviewed, and maintained to ensure our products remains resilient against security threats. The standard address areas with potential vulnerabilities and guide developers in crafting robust software to face cybersecurity challenges.

While the Security Coding Best Practices standard provides practices and rules that, by default, must be followed, Milestone recognize that certain products, features or tools might have unique requirements and/or priorities. In these special cases, additional documentation defining the practices used for the special case must be created and approved by the Milestone’s Security and Compliance Team.

Security code review

Security code review is an essential part of Milestone’s development process. Its purpose is to identify potential vulnerabilities and security weaknesses in the software’s source code, to validate adherence to our Security Coding Best Practice standard, to ensure that the implementation aligns with the secure coding requirements, and to enhance the overall security posture of our software.

To ensure consistent code review, Milestone has defined a set of Security Code Review Guidelines which reviewers must follow when they perform code reviews.

Static code analysis

The purpose of static code analysis is to automatically analyze the source code for potential vulnerabilities, bugs, and adherence to defined coding standards. Milestone incorporates static code analysis in our software development process to proactively identify issues early in the development process. This ensures that new issues are detected and fixed before they reach our customers in a product release.

When a warning over the defined threshold is found, it is fixed with a traceable solution. The solution can either be changes to the code or if the warning is a false-positive, it can be muted. In case the warning is muted the development teams responsible for the code must document why this warning is a false-positive.

Third-party components

Third-party components include libraries, frameworks, plugins, and other external software used in Milestone’s software to provide functionality, security features, and enhance efficiency.

Integrating existing third-party components can significantly increase speed of development and add features and security functionality that adheres to approved standards to the Milestone software products and services. However, when using third-party components, it’s crucial to be aware of the potential security risks associated with using these components, because they can have significant impact on the overall security of Milestone’s software.

To ensure third-party components adhere to Milestone’s security requirements and standards, a security assessment will be performed for every third-party component Milestone intends to use. The security assessment aims to identify known vulnerabilities, security history, and the responsiveness of the vendor to security issues.

Approved and verified third-party components that are allowed to be used in Milestone’s products and services are stored in a Milestone-controlled repository. Milestone will monitor the allowed third-party components for updates and security patches to ensure the latest secure version are used.

Milestone regularly scans Milestone’s application and its dependencies, including the third-party components used, for known vulnerabilities using appropriate security tools.

The penetration testing Milestone regularly performs on our products and services also covers functionality introduced by third-party components to identify potential vulnerabilities introduced by the third-party components.

Milestone will produce a SBOM report in a standard format covering all used third-party dependencies for every software version released.