Secure Software Development Lifecycle Policy
Classification: Internal
Document status: Effective
Version: 1.0
Owner: Management / Security Owner
Effective date: 2026-05-13
Review cycle: Annual; interim revision upon material change to delivery methods, customer platforms, or tooling
Purpose
This policy defines how Cloudnaut integrates security into software, automation, and infrastructure-as-code delivery.
Scope
This policy applies to application code, scripts, Terraform, Terragrunt, AWS CDK, CloudFormation and comparable infrastructure-as-code, configuration, and technical deliverables produced for customers.
Requirements
- Requirements and design are reviewed for security impact, data handling, access, and customer separation before implementation where material risk exists.
- Customer work is performed in customer-dedicated or engagement-dedicated repositories, groups, or branches as defined for the engagement.
- Changes are merged only after peer review through pull requests or an equivalent documented review process.
- Dependencies and supported ecosystems are monitored using Dependabot and Snyk where the repository and customer context permit.
- Secrets, credentials, and tokens are not stored in source repositories; customer-approved secret management and environment controls apply.
- Security findings are triaged before customer delivery; material issues are remediated or documented with customer approval when deferral is unavoidable.
- Delivery uses customer-approved channels: repositories, artifacts, ticketing, or documented handover mechanisms.
Design assurance
For higher-risk changes, engineering performs structured design review covering trust boundaries, identities and credentials, network exposure, data classification, and rollback or recovery considerations.
Records
Typical evidence includes pull requests and approvals, commit history, scan outputs, design notes, and customer acceptance where applicable.