Software built at New Relic for our generally available New Relic platform goes through these five phases.
Software development phase
Secure coding standards and practices
Code review, security review, static code analysis, composition analysis, calculated hash, signed code
HackerOne and the New Relic coordinated disclosure program, regular scans, third-party penetration tests
Each project team for our generally available New Relic platform is assigned a security engineer charged with reviewing and advising on the security of New Relic products. In the requirements building phase the security engineer performs a risk assessment and then adds security requirements for the project. Privacy and compliance experts are added to the project teams as needed.
During the design phase, the New Relic security engineer collaborates with the stakeholders, engineering leaders, and architects to get a detailed shared understanding of the feature. Security engineers at New Relic contribute to the design process with stakeholders by creating a threat model documenting any acceptance criteria, features, or requirements to securely implement the feature. Using the threat model, the security engineer adds detailed specifications for the required controls to the project.
Each product engineer receives secure coding training that includes topics such as the OWASP Top 10, input sanitization, and using the secure frameworks and processes already in place at New Relic. In the build phase the engineering team implements the appropriate security features in the project, following New Relic's secure coding standards.
Once feature complete, every pull request must be code reviewed by another engineer with write access to the code repository. In addition to automated code-scanning tools that check for vulnerabilities against security policies, security engineers verify that the safeguards and controls recommended in the requirements, design, and assessment phases were implemented where needed.
New Relic performs static code and composition analysis to look for vulnerabilities in the code and dependencies.
New Relic is in the process of publishing hashes and signatures for the files it releases. Anyone downloading files published by New Relic will be able to confirm that the downloaded file has not been tampered with and is identical to the one New Relic published.
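As an added illustration of the consumer-side check described above (this is example code, not New Relic's own tooling, and the page does not specify New Relic's checksum format), the following verifies downloaded files against a published sha256sum-style manifest and reports tampered or unlisted files instead of silently accepting them. It assumes the manifest itself is authenticated separately by checking the publisher's signature on it with the publisher's key; a hash alone only proves that the file matches what was published.

```python
import hashlib
import hmac


# Publisher side: build a sha256sum-style manifest ("<hex digest>  <file name>").
def publish_manifest(files: dict[str, bytes]) -> str:
    return "".join(f"{hashlib.sha256(data).hexdigest()}  {name}\n" for name, data in files.items())


# Consumer side: parse a manifest, accepting both "<hex>  <name>" and "<hex> *<name>" lines.
def parse_manifest(text: str) -> dict[str, str]:
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the separator and the optional binary marker
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest.lower()
    return expected


# Give every downloaded file an explicit status: "ok", "MISMATCH", or "NOT IN MANIFEST".
def verify_downloads(manifest_text: str, downloads: dict[str, bytes]) -> dict[str, str]:
    expected = parse_manifest(manifest_text)
    results = {}
    for name, data in downloads.items():
        if name not in expected:
            results[name] = "NOT IN MANIFEST"
            continue
        actual = hashlib.sha256(data).hexdigest()
        # compare_digest keeps the comparison constant-time; cheap insurance even for public digests.
        results[name] = "ok" if hmac.compare_digest(actual, expected[name]) else "MISMATCH"
    return results


# Constructed sample release (an assumption for this example, not real New Relic artifacts).
RELEASE = {
    "agent.tar.gz": b"pretend this is the agent archive",
    "install.sh": b"#!/bin/sh\necho installing\n",
}
MANIFEST = publish_manifest(RELEASE)

# A download set in which one file was altered in transit and one file was never published.
TAMPERED = dict(RELEASE, **{"install.sh": b"#!/bin/sh\necho installing\n# altered\n", "extra.bin": b"\x00"})

if __name__ == "__main__":
    print(verify_downloads(MANIFEST, RELEASE))   # every file "ok"
    print(verify_downloads(MANIFEST, TAMPERED))  # install.sh MISMATCH, extra.bin NOT IN MANIFEST
```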
Deployed code is monitored by stakeholders and product engineers in order to continue the iterative development process. The security team continues to evaluate the security of deployed code by performing regular security scans and third-party penetration tests, and through the coordinated disclosure process via HackerOne.