
Secure software development

Gain insight into our software development process and how we prioritise security at every phase, from initial design through to operating our software day to day. Security is at the heart of how we design, develop and run our products.

Foundations of secure development

Our development approach is designed to prioritise security at every step.

Secure-by-design

We place our customers' security at the very core of what our products do. Security is built in from the outset rather than bolted on later.

Clean and secure code

Sage's secure coding practices are guided by Open Web Application Security Project (OWASP) standards and guidelines. We are committed to producing clean and secure code.

Continuous testing

At Sage, our testing never stops. By continuously evaluating our software, we ensure it meets the highest possible standards of security and performance.

Security team upskilling

We empower our engineers with ongoing security training, while our Security Champions, rooted in the BSIMM model, actively pinpoint and address vulnerabilities.

Secure software development lifecycle

Sage's Secure Software Development Lifecycle (SDLC) standard, including its secure coding standards and guidelines, is followed by all product engineering teams.

Pre-release

Security controls

The Sage product security control standard defines the security controls that we expect our products to adopt. Based on leading industry frameworks such as OWASP ASVS and NIST, our standard has been tailored to be a comprehensive framework to help reduce cyber-security risks that impact our products and customers. It includes security controls throughout the development lifecycle and in the operation of our products.

Pre-release

Sage security champions

Our global security team provide expert advice and support to product engineering teams across Sage, and also draw on our security champions programme. Security champions are an established best practice in the software industry, in which nominated software developers and engineers work as an extension of the security team. They do this by contributing to threat modelling, triaging and resolving vulnerabilities, and helping to respond to incidents. All Sage security champions undertake specialised security training, participate in competitions and events, and make an invaluable contribution to our security mission.

Pre-release

Threat modelling

As part of our commitment to secure-by-design, we use threat modelling to understand how our products and systems could be abused or attacked, which allows us to design security into our products from the outset. We use a range of techniques for modelling our systems, including STRIDE, and we train and involve a wide range of people in threat modelling, including application security and cloud security experts, developers and software architects.

Pre-release

Security training

Equipping our team with the necessary skills and fostering a culture of shared security responsibility is crucial for staying ahead of threats and ensuring the development of secure products. We heavily invest in training our software developers, engineers, and security teams, collaborating with industry leaders such as Pluralsight, LinkedIn Learning, and Immersive Labs to provide comprehensive theoretical and hands-on, lab-based training.

Pre-release

Secure coding standards

We support our developers in writing high-quality and secure code by developing secure coding standards that outline what we expect so that common security weaknesses are avoided. We follow OWASP and Cloud Security Alliance guidance amongst others and adapt it to fit Sage’s context and products.

Pre-release

Security scanning and code review

We deploy code scanning and security testing tools throughout our SDLC to catch vulnerabilities and coding errors as early as possible, so they can be addressed before they reach production. Our partnership with Microsoft is pivotal to our security posture, and many of our products use GitHub Advanced Security. Static and dynamic application security testing (SAST and DAST), secret scanning and dependency scanning are among the tools integrated into our development and delivery pipelines, giving us the visibility to address security risks as early as possible.
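As an added illustration, and not Sage's own configuration, the GitHub Actions workflow below shows how SAST and dependency scanning of the kind described above are typically wired into a pull-request pipeline so that findings block a merge rather than surfacing after release. The branch name, the scanned language and the severity threshold are assumptions chosen for the example; secret scanning is enabled as a repository setting rather than in a workflow, so it does not appear here.

```yaml
# Example pipeline (not Sage's): run CodeQL (SAST) on every push and pull
# request, and fail pull requests that introduce vulnerable dependencies.
name: security-scan

on:
  push:
    branches: [main]          # assumed default branch
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write      # required to upload SARIF results to code scanning

jobs:
  codeql:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: javascript   # assumed; set to the languages in the repository
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3

  dependency-review:
    # Only pull requests have a base and head to diff dependencies between.
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high   # assumed threshold; blocks the PR at high or critical
```

With this in place, CodeQL results appear as code scanning alerts on the repository, and the dependency review step fails the pull request when a newly added or upgraded dependency carries a known vulnerability at or above the chosen severity, so the finding is addressed before the change reaches the main branch.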

Pre-release

Penetration testing

Sage has invested in building our own internal offensive security team who are responsible for conducting attack simulations (both penetration tests and red teaming exercises) against our products to help identify weaknesses that can be exploited by bad actors, allowing us to resolve them in a controlled and timely way. We also partner with external penetration testing firms to give us an independent view and provide us with healthy challenge.

Pre-release

Release approval

For new products and changes to existing products that could have an impact on security, we undertake structured release reviews to ensure our security expectations have been met. We will always put trust and security first, and we will not release any software that does not meet our high security standards.

Release

Post-release

Security monitoring and incident response

Our focus on security does not stop once a product has been developed and delivered. We actively monitor our products to spot suspicious behaviour, and quickly investigate and respond to events. Our dedicated cyber defensive operations team monitor our systems 24 hours a day, every day, and our global incident response team can quickly coordinate responses across all parts of the business.

Post-release

Bug bounty programme

Sage runs a private bug bounty programme through HackerOne. Approved security researchers and ethical hackers test Sage products for vulnerabilities, simulating real-world attacks. We reward them for valid findings and collaborate transparently to resolve issues swiftly.

Post-release

Continuous improvement

The insights from our security tools, incident experiences, penetration testing, and red teaming inform product protection enhancements. We regularly review this data to improve training, standards, and cybersecurity awareness events like Cyber Security Week and our annual Security Champions event.

Continue your journey

Learn more about our unwavering commitment to cyber security. Dive deeper with our dedicated pages on monitoring operations and standards compliance.

Monitoring and operations

Explore the depth of our 24/7 monitoring and operations strategy, dedicated to ensuring the utmost security and reliability of your data and systems.

Standards and compliance

Delve into our commitment to standards and compliance, and discover how Sage ensures operations that exceed global best practices.
