Skip to content
Changineers Engineering Handbook

Secure development

How Changineers implements the Secure Development Policy: design, build, review, ship.

The Secure Development Policy is published in the Changineers trust portal. This page is the handbook index for the procedures that implement it. The beliefs that underpin those procedures are on Engineering principles.

What’s required

Section titled “What’s required”

Engineering changes go through a design phase before code is written for non-trivial work, and reach main through pull requests with automated checks (tests, linting, dependency vulnerability scanning, secrets scanning). Application security testing combines static analysis on every PR with an external penetration test once a year. External researchers can report vulnerabilities through a published disclosure channel.

Implementing procedures

Section titled “Implementing procedures”
TopicPage
How features are scoped, drafted, and approved before code is writtenSolution design
Branch model, PR mechanics, CI gates, dependency and secret handlingShipping code
Annual external penetration testing and how findings are trackedPenetration testing
How external researchers can report security issuesResponsible disclosure

Hiring & onboarding

Acceptable use of AI tools Approved software

Building software

Engineering principles Secure development Solution design Shipping code Penetration testing

Shipping & operations

Operations security Architecture Change management Emergency change Configuration baselines Observability Threat detection Vulnerability management

Data

Customer data deletion

Resilience & response

Incident response

Public

Modern slavery statement Responsible disclosure

Deprecated (pending removal)

Security Program Overview Policy Management Compliance Audits and External Communications Security Architecture and Operating Model Roles, Responsibilities and Training Risk Management System Audits, Monitoring and Assessments HR and Personnel Security Access Facility Access and Physical Security Data Management Data Protection Secure Software Development and Product Security Configuration and Change Management Threat Detection and Prevention Vulnerability Management Mobile Device Security and Media Management Business Continuity and Disaster Recovery Incident Response Breach Investigation and Notification Third Party Security and Vendor Risk Management Employee Handbook Subprocessors