Vendor assessment

I am trying to complete a vendor review as required by our new parent company. I contacted sales, but they refused to help me and directed me here. Who can I speak with for assistance on the questions below?

Vendor Questions:
Is there a formal Software Development Life Cycle (SDLC) process?
Does the SDLC process include integration testing, and acceptance testing?
Does the SDLC process include peer code review?
Is there a documented change management/change control process?
Does the application change management/change control process include change control procedures required for all changes to the production environment?
Does the application change management/change control process include testing prior to deployment?
Does the application change management/change control process include management approval prior to deployment?
Does the application change management/change control process include management approval for changes?
Does the application change management/change control process include review of code changes by information security?
Does the application change management/change control process include stakeholder communication and/or approvals?
Does the application change management/change control process include a list of individuals authorized to approve changes?
Does the application change management/change control process include documentation for all system changes?
Does the application change management/change control process include version control for all software?
Does the application change management/change control process include logging of all Change Requests?
Are applications evaluated from a security perspective prior to promotion to production?
Do pre-production application security reviews include abuse case test scripts?
Is a Secure Code Review performed regularly?
Is there a full secure code review for each release? If not, please explain the secure code review schedule and scope in the ‘Additional Information’ field.
Do secure code reviews include validation checks for the most critical web application security flaws including Cross Site Scripting, SQL injection (e.g., OWASP Top 10 vulnerabilities)?
Do secure code reviews include testing against common code vulnerabilities?
Are secure code reviews performed by individuals qualified to identify and correct code security flaws?

@josh.larkin We are working on your request and will reply soon.

@josh.larkin

Is there a formal Software Development Life Cycle (SDLC) process?

Yes

Does the SDLC process include integration testing, and acceptance testing?

Yes. Every change to the code is approved only after all 45k unit tests pass.

Does the SDLC process include peer code review?

Yes

Is there a documented change management/change control process?

Yes

Does the application change management/change control process include change control procedures required for all changes to the production environment?

Not applicable

Does the application change management/change control process include testing prior to deployment?

Yes

Does the application change management/change control process include management approval prior to deployment?

Yes

Does the application change management/change control process include management approval for changes?

Yes. Minor changes to the code are approved by the product lead; global changes are approved by managers.

Does the application change management/change control process include review of code changes by information security?

Yes

Does the application change management/change control process include stakeholder communication and/or approvals?

Yes. We are always in touch with customers via our free and paid support channels.

Does the application change management/change control process include a list of individuals authorized to approve changes?

Yes

Does the application change management/change control process include documentation for all system changes?

Yes

Does the application change management/change control process include version control for all software?

Yes

Does the application change management/change control process include logging of all Change Requests?

Yes

Are applications evaluated from a security perspective prior to promotion to production?

Yes

Do pre-production application security reviews include abuse case test scripts?

Yes

Is a Secure Code Review performed regularly?

Yes

Is there a full secure code review for each release? If not, please explain the secure code review schedule and scope in the ‘Additional Information’ field.

Yes

Do secure code reviews include validation checks for the most critical web application security flaws including Cross Site Scripting, SQL injection (e.g., OWASP Top 10 vulnerabilities)?

Yes

Do secure code reviews include testing against common code vulnerabilities?

Yes

Are secure code reviews performed by individuals qualified to identify and correct code security flaws?

Yes