We ensure the security of our product through a robust software development lifecycle that integrates OWASP's industry-recommended practices for producing secure code, coupled with extensive testing to verify the security of what we ship. PHP Secure's software development process implements a strict Continuous Integration/Continuous Deployment pipeline with mandatory gates at each stage, independent code peer reviews, and comprehensive tracking of every change made. Moreover, we follow standard coding best practices and conduct routine peer reviews of our entire code base and configuration to maintain security. To achieve this, we rely on various standard frameworks, including OWASP, STIG, and CIS.
PHP Secure relies on Amazon Web Services for infrastructure hosting. We do not use third parties for development or support, and our entire development and operations teams are in-house to PHP Secure. At PHP Secure, we take the security and privacy of our customers' data extremely seriously. That's why we ensure that only a small, carefully selected group of our employees has access to your data. Our team operates on a strict "need-to-know" basis, and we adhere to the principle of least privilege to ensure that access and permissions are limited to only the data required to perform the necessary tasks.
Furthermore, we firmly believe that your data, including your scan results, belongs to you and only to you. We do not sell or transmit your information to any third party. You can permanently delete your scan results whenever you wish.
Hosting & Resilience
PHP Secure is hosted primarily in the Frankfurt Region. We occasionally use services located in the AWS Ireland Region when they are not available in Frankfurt.
In addition to our proven infrastructure resilience, our business continuity plan ensures that our operations continue to function effectively in the event of a major disruption. Our team is located in the United Kingdom, and our technology infrastructure allows for flexible remote working.
In order to perform code analysis, report issues, and provide metrics in the PHP Secure dashboard, source code must be uploaded to the PHP Secure server. The files are stored temporarily and securely on Amazon EBS storage until your scan is completed. The uploaded files are not shared with any third party during this process.
Your code is deleted from our servers immediately after each scan. This is why you have to re-upload your files or re-specify your Git repository to rescan.
In addition, customers have complete control over their projects. You can delete your projects and issue reports from PHP Secure at any time.
At the infrastructure level, data access is controlled by restricting the host to network zones that can only be accessed by PHP Secure Operations. Our production environment is strictly separated from the development and testing environments to ensure maximum security.
At PHP Secure, we take data encryption seriously. Our databases and backups are encrypted at rest with AES-128-GCM in all environments, with keys managed by PHP Secure. Logs are stored in protected S3 buckets and encrypted with AWS-managed keys. We strictly separate our production environment from all non-production environments, including development and testing environments. Before being used in any non-production environment, sensitive data is sanitized in a dedicated environment.
We follow multiple industry-recognized frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework and the ISO/IEC 27001 Information Security Management Framework.
At the level of software security, we guarantee that access to private source code is restricted to authorized members of the code repository platform organization and a limited number of designated PHP Secure Operations team members, who are permitted access solely for the purposes of providing support.