Security best-practices
This document describes how the integrity of software produced by Duende Software is maintained during the software development life cycle.
Data processing
Our products are off-the shelf downloadable developer components. They are not managed services or SaaS - nor do we store, have access to, or process any of our customers’ data or their customers’ data.
Systems access
- Multiple systems are used in the development life cycle, including GitHub, NuGet, and Microsoft Azure Key Vault.
- Multi-factor authentication is required for all services mentioned above.
- Only a limited subset of Duende Software employees act as administrators for each system.
Software development
- All code is stored in GitHub.
- Any code added to a project must be added via pull request.
- At least one other staff member must review a pull request before it can be merged to a release branch.
- Static code security analysis is performed for every check-in (using GitHub CodeQL).
Testing
- Automated test suites are run on code in every pull request branch.
- Pull requests cannot be merged if the automated test suite fails.
Deployment
- Merging a pull request does not immediately release new features to users, this requires an additional release step.
- All compiled software packages with associated source are available as GitHub releases.
- Compiled software libraries (such as Duende IdentityServer) are published to NuGet.
- Packages must be pushed to NuGet by a Duende Software staff member only after additional validation by the staff member.
- All NuGet packages are signed with a code signing certificate
- The private key (RSA 4096 bits) is stored in Azure Key Vault.
- The private key never leaves Key Vault and the signature process is performed by Key Vault.
- NuGet will validate the package signature with Duende’s public key to verify they were legitimately built by Duende Software and have not been compromised or tampered with.
- NuGet client tooling can be configured to accept signed packages only.
- Once on NuGet, the package is available for end users to update their own solutions.
- End users still must take explicit action to upgrade after reviewing the package’s release notes.
Vulnerability management process
- Potential security vulnerabilities can be responsibly disclosed via our contact form.
- We guarantee to reply within two US business days.
- All licenses includes a security notification service.
- Whenever a security vulnerability has been confirmed and fixed, customers will get a private update prior to public release.
- We will publish an official advisory
Dependencies
IdentityServer has two dependencies:
Certification
Duende IdentityServer is a certified implementation of OpenID Connect.