Does SonarSource implement secure coding practices?

Does SonarSource implement secure coding practices consistent with industry standards and best practices for new development activities, including without limitation the Security Considerations in the System Development Life Cycle (SDLC) published by the National Institute of Standards and Technology, U.S. Department of Commerce; ISO/IEC 27034 Information technology – Security techniques – Application security, published by the International Organization for Standardization; and Security by Design from the Cyber Security Agency of Singapore, throughout the SDLC?

Hi,

Welcome to the community!

I’m not familiar with the specifics of those. Could you decode it for me and spell out what you need to know?

BTW, we are ISO27001 certified, and we run pen testing with an outside agency multiple times a year.

HTH,
Ann

Can you please provide documentation for ISO27001? It's not stated on the website or in the security statement.

This info has been asked in a few threads, but never really linked to proof.

Thanks,
Andrew

Hi Andrew,

Welcome to the community!

Just search for ‘SonarSource’ at https://www.iafcertsearch.org/

HTH,
Ann

@ganncamp,

Thank you for the reply, this is a new site to me. Thank you for sharing.

Sorry to be blunt here, but this seems like an incomplete answer. Meaning, why is this fact not listed in the SonarCloud security statement or website at all?

Meaning, while it's great to see that “SonarSource” has this accreditation and “all products” - I don't feel any more confident that this ISO27001 actually applies to the SonarCloud product.
I think it's a little unreasonable to expect your customers to draw these conclusions or trace the breadcrumbs from SonarSource to the SonarCloud product.

Can you please explicitly confirm: is SonarCloud ISO27001 certified?

Thank you kindly,
Andrew

Hi Andrew,

I cannot explicitly confirm that SonarCloud is ISO27001 certified. As stated above, SonarSource is certified. As to why this isn’t on our sites, it came through relatively recently and we’ve been distracted by a major rebranding.

HTH,
Ann

Hi Ann,

We are using SonarQube in the company I work for and we are working in a regulated space.

If we require proof of your SDLC processes and what level of qualification testing you execute, can these be provided? If so, how can I access them?

Kind Regards,
Sarah

Hi @sarahskehan,

Welcome to the community!

If you engage in a sales process your sales rep can help you with that.

Ann