Application Security Policy
Version: 9.2.4 | Effective Date: September 1, 2019
- Document Created: August 15, 2019
- Last Reviewed: January 22, 2025
- Next Review Date: January 2026
- Approved By: Chief Technology Officer
- Policy Owner: Security Officer
4.1 Purpose
This Application Security Policy establishes security requirements, standards, and controls for the design, development, acquisition, deployment, operation, and maintenance of applications throughout their entire lifecycle.
4.2 Scope
Applies to all application types (web, mobile, desktop, APIs), all lifecycle phases, and all personnel involved in development, testing, deployment, and operations.
4.3 Policy Statements
4.3.1 Secure Development Practices
All applications follow secure coding practices aligned with OWASP guidelines. Development processes incorporate OWASP Top 10 vulnerability awareness and mitigation strategies. Code reviews verify compliance with security requirements.
4.3.2 Input and Output Validation
All application input undergoes validation before processing to prevent injection attacks, buffer overflows, and malicious code execution. Output is encoded appropriately for context to prevent cross-site scripting and code injection.
4.3.3 Authentication and Session Management
Applications implement robust authentication mechanisms with strong password requirements, account lockout, and secure password reset. Multi-factor authentication (MFA) is required for all user access. Sessions implement secure timeout mechanisms and proper termination.
4.3.4 Single Sign-On (SSO)
Blue Whale Apps supports SAML 2.0 for enterprise single sign-on integration, enabling customers to manage authentication through existing identity providers.
4.3.5 Network Security and Hosting
Application network boundaries are protected by firewalls. Applications are hosted on AWS and Azure cloud platforms in US-based data centers (US-East region) that hold SOC 2 Type II certification, with FedRAMP-certified hosting options available.
4.4 Vulnerability Management
Vulnerability assessments and penetration testing are conducted quarterly. Critical vulnerabilities are remediated immediately (within 24–48 hours), high vulnerabilities within 30 days, and medium vulnerabilities within 90 days. Automated security scanning is integrated into CI/CD pipelines.
4.5 Compliance
Supports ISO/IEC 27001:2022 (A.8.19, A.8.20, A.8.22, A.8.25, A.8.26, A.8.28), OWASP ASVS, NIST SP 800-53, SOC 2 Type II, PCI DSS, and FedRAMP.