Secure Development Process v1

Secure Development Process v1

Effective: August 10, 2020 — September 13, 2023

Modern software is complex and requires ongoing care to ensure systems are secure against threats. Intapp has a multi-faceted security program that spans our entire product suite including software development and cloud operations. Our security program is built upon change management, secure coding, testing, and vulnerability management practices and aligns to industry standards including ISO27001.

Change Management

All changes to our software and systems are tracked using internal ticketing systems. Tickets for software changes include acceptance criteria which define specific requirements that must be met prior to release. This extends to all aspects of the feature including security requirements. When considering the appropriate measures for securing our systems, we use a wide range of methods and data sources, such as attack vector analysis, lessons learned from previous features, internal or external commitments, or industry best practices.

Secure Coding Practices

We maintain internal coding standards that address code style, architectural considerations, and security aspects such as those covered in the OWASP Top 10, licenses that are acceptable if we are using external sources, etc. The set of standards are documented in our internal knowledge base.

Security Testing

In addition to the pre-release security tests mentioned previously, we regularly assess our systems through a variety of interactive tests. These tests are performed by our security team, quality assurance team, and third-party security assessment firms. We retain these test results and use this feedback to drive product quality through continuous improvement programs.

Vulnerability Management

We monitor our software and systems for the presence of vulnerable components. Vulnerability scans are performed on a regular schedule, and security patches are applied as part of regular maintenance. Should a critical vulnerability need to be addressed ahead of regular maintenance, we may choose to mitigate the vulnerability or schedule an off-cycle maintenance window. These practices are formally documented in our Vulnerability Remediation Policy.

We’re happy to share more details about our security practices upon request. Customers may reach out to their account manager with any specific questions or to request a copy of our Cloud Kit that contains additional documentation. Please note that some documents contain a level of detail that we don’t share publicly and will require an NDA prior to sharing.