Hi Airbyte Team, Just wanted to confirm if Airbyte team has SSDLC?

HI @Abrar ul farhan Mohammed I don't think we're formally using SSDLC, could you tell me the reason behind this question? I might be able to answer more accurately. 🤔

Hi Augustin, We wanted to use Airbyte. Our infosec team asked us to find out if SSDLC is being followed.

@Harshith (Airbyte) @Augustin Lafanechere (Airbyte) "*I mean the reasoning behind SSDLC is essentially to ensure that the software is secure, static code analysis is being done to ensure vulnerabilities are not introduced. For software maintenance and functionality, testing. Essentially the concern here is that beings it's open source who is reviewing the source code to ensure malicious or faulty code is not placed within the software. By using the software even without Airbyte having access to our data, could create vulnerabilities in our systems that can be exploited. This is similar situation that happened with Solar winds"-* this was the concern team

Hi @Abrar ul farhan Mohammed we've no formal way of asserting the SSDLC level of compliance. But Airbyte team members are the sole reviewers able to merge PRs, and take care that non-malicious code gets introduced to the codebase. We wrote up a summary about our security/privacy level that might give you more details.

I am probably not the best person to comment on this. Here are what I know about this topic: • We have introduced SonarQube to perform static code analysis on our PRs. However, currently not every engineer is strictly following the suggestions on the SonarQube report. • We are doing a penetration testing with some external agency to check for security vulnerabilities in our cloud platform. @Charles Giardina (Airbyte) should know more about this. But he is on PTO today. Will be back on Monday.

What liren says is accurate. We run static analysis on our code base and based on those reports decide how to remediate.