
Secure Software Development Lifecycle

Software built at New Relic for our generally available New Relic One platform goes through these five phases, each paired with a security control:

Software development phase | Security control
---------------------------|-----------------
Requirements               | Risk assessment
Design                     | Threat modeling
Development                | Secure coding standards and practices
Verification               | Code review, security review, static code analysis, composition analysis, calculated hash, signed code
Deploy                     | HackerOne and the New Relic coordinated disclosure program, regular scans, third-party penetration tests

Requirements

Each project team for our generally available New Relic One platform is assigned a security engineer charged with reviewing and advising on the security of New Relic products. In the requirements phase the security engineer performs a risk assessment and then adds security requirements to the project. Privacy and compliance experts are added to the project teams as needed.

Design

During the design phase, the New Relic security engineer works with the stakeholders, engineering leaders, and architects to build a detailed shared understanding of the feature. The security engineer then creates a threat model that records the acceptance criteria, features, and requirements needed to implement the feature securely. Using the threat model, the security engineer adds detailed specifications for the required controls to the project.

Build

Each product engineer receives secure coding training covering topics such as the OWASP Top 10, input validation and sanitization, and the use of the secure frameworks and processes already in place at New Relic. In the build phase the engineering team implements the appropriate security features in the project, following New Relic's secure coding standards.

Verification

Once a feature is complete, every pull request must be code reviewed by another engineer with write access to the code repository. In addition to code scanning software that automatically checks the change against security policies for vulnerabilities, security engineers verify that the safeguards and controls recommended in the requirements, design, and assessment phases were implemented where needed.

New Relic performs static code and composition analysis to look for vulnerabilities in the code and dependencies.

Deploy

New Relic is in the process of publishing hashes and signatures for the files it distributes. Once in place, anyone downloading a file published by New Relic will be able to confirm that the download has not been tampered with and is identical to the file New Relic published. A published hash detects corruption or modification of the file itself, but only if the hash was obtained from a channel an attacker could not also alter; the signature is what ties the file and its hash to New Relic's signing key.
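The hash check described above, as an added example that is not New Relic's own tooling: it assumes the published digest file uses the common `sha256sum` line format (`<hex digest>  <filename>`), that the digest file was fetched over a separate trusted channel from the artifact, and it uses only the Python standard library. The sample artifacts and digest file are constructed in a temporary directory so the script runs offline.

```python
"""Verify downloaded artifacts against a published SHA-256 checksum file.

Added example, not New Relic's own code. Assumes the digest file uses the
`sha256sum` format and was obtained independently of the artifact itself.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large downloads need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_file(text):
    """Parse `sha256sum`-style lines into {filename: lowercase hex digest}.

    Accepts both "digest  name" (text mode) and "digest *name" (binary mode),
    skips blank lines and comments, and rejects anything that is not a
    64-character hex digest so a truncated or corrupted file fails loudly.
    """
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed digest for {name!r}")
        expected[name] = digest.lower()
    return expected


def verify_download(path, expected_digests):
    """Return True only if the file's SHA-256 matches its published digest.

    A file with no published digest is a failure, not a pass; the comparison
    uses hmac.compare_digest so the result does not depend on how many leading
    characters happened to match.
    """
    published = expected_digests.get(os.path.basename(path))
    if published is None:
        return False
    return hmac.compare_digest(sha256_of_file(path), published)


def demo():
    """Constructed scenario: the same named download, once pristine and once
    modified in transit by a single byte. Returns (pristine_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as d:
        pristine_dir = os.path.join(d, "pristine")
        tampered_dir = os.path.join(d, "tampered")
        os.makedirs(pristine_dir)
        os.makedirs(tampered_dir)
        pristine = os.path.join(pristine_dir, "agent.tar.gz")
        tampered = os.path.join(tampered_dir, "agent.tar.gz")
        payload = b"constructed artifact bytes " * 1000  # stands in for a real release
        with open(pristine, "wb") as f:
            f.write(payload)
        with open(tampered, "wb") as f:
            f.write(payload[:-1] + b"!")  # one byte changed after publication
        # The digest file the publisher would ship alongside the artifact.
        checksums = f"{sha256_of_file(pristine)}  agent.tar.gz\n"
        expected = parse_checksum_file(checksums)
        return verify_download(pristine, expected), verify_download(tampered, expected)


if __name__ == "__main__":
    pristine_ok, tampered_ok = demo()
    print("pristine download:", "OK" if pristine_ok else "FAIL")
    print("tampered download:", "OK" if tampered_ok else "FAIL")
```

A matching hash only proves the file equals whatever the digest file says; if both were fetched from the same compromised mirror, the attacker could have rewritten both. In practice the digest file (or the artifact) is also signed, and the signature is checked against a key pinned in advance before the hash is trusted.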

Deployed code is monitored by stakeholders and product engineers in order to continue the iterative development process. The security team continues to evaluate the security of deployed code by performing regular security scans, third party penetration tests, and through the coordinated disclosure process via HackerOne.

Copyright © 2021 New Relic Inc.