# Application Security

<details>

<summary>Secure Application Development</summary>

Our application development process is a formalized, process-driven approach designed to maintain the stability of our applications. It governs how changes to our applications are documented, tested, reviewed, and approved.

[Status checks](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/collaborating-on-repositories-with-code-quality-features/about-status-checks) and [protected branches](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) in our code management platform enforce a series of checks that must pass before a pull request can be merged into the master branch. The process also includes code review, testing (where applicable), and merge approval by an engineer other than the one who made or committed the change.

[Continuous Integration and Deployment (CI/CD)](https://en.wikipedia.org/wiki/CI/CD) tools automate the deployment process, including building, testing, tagging, versioning, and releasing deployable artifacts to staging, then UAT, and then to production environments.

Deployment of changes into the higher environments is restricted to authorized personnel and segregated by environment.
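As an added illustration (not Coherent's own tooling), the following script expresses the merge controls described above as a GitHub branch-protection payload and audits an existing protection configuration against it. It assumes the JSON shape of the GitHub REST endpoint `GET /repos/{owner}/{repo}/branches/{branch}/protection`; the status-check names and the sample configuration are constructed placeholders.

```python
"""Express and audit the merge controls described in this section.

Added example, not Coherent's code. Assumes the JSON layout returned by
GitHub's GET /repos/{owner}/{repo}/branches/{branch}/protection endpoint
and accepted by the matching PUT endpoint.
"""
from __future__ import annotations

import json
from typing import Any

# Policy from the text: required checks must pass, and a reviewer other than
# the author must approve. Check names below are constructed placeholders.
REQUIRED_CHECKS = ["build", "unit-tests", "sast"]
MIN_APPROVALS = 1


def protection_payload() -> dict[str, Any]:
    """Body for PUT .../branches/master/protection implementing the policy."""
    return {
        "required_status_checks": {"strict": True, "contexts": REQUIRED_CHECKS},
        "enforce_admins": True,
        "required_pull_request_reviews": {
            "dismiss_stale_reviews": True,
            "require_code_owner_reviews": False,
            "required_approving_review_count": MIN_APPROVALS,
            # Approval must postdate the last push, so a reviewed change
            # cannot be amended afterwards without a fresh approval.
            "require_last_push_approval": True,
        },
        "restrictions": None,
    }


def _enabled(value: Any) -> bool:
    # GET returns {"enabled": bool} for some flags; PUT bodies use plain bools.
    if isinstance(value, dict):
        return bool(value.get("enabled", False))
    return bool(value)


def audit_protection(current: dict[str, Any]) -> list[str]:
    """Return findings where `current` is weaker than the policy; empty = compliant."""
    findings: list[str] = []
    checks = current.get("required_status_checks") or {}
    missing = sorted(set(REQUIRED_CHECKS) - set(checks.get("contexts") or []))
    if missing:
        findings.append(f"required status checks missing: {', '.join(missing)}")
    if not checks.get("strict"):
        findings.append("branch not required to be up to date before merge")
    reviews = current.get("required_pull_request_reviews") or {}
    if reviews.get("required_approving_review_count", 0) < MIN_APPROVALS:
        findings.append("pull request approval not required")
    if not reviews.get("dismiss_stale_reviews"):
        findings.append("stale approvals are not dismissed on new commits")
    if not _enabled(current.get("enforce_admins")):
        findings.append("administrators can bypass protection")
    return findings


# Constructed sample of a weak configuration, in the shape the GET endpoint returns.
SAMPLE_WEAK = json.loads("""{
  "required_status_checks": {"strict": false, "contexts": ["build"]},
  "enforce_admins": {"enabled": false},
  "required_pull_request_reviews": {"dismiss_stale_reviews": false,
                                    "required_approving_review_count": 0}
}""")

if __name__ == "__main__":
    for finding in audit_protection(SAMPLE_WEAK):
        print("FINDING:", finding)
    print("compliant payload findings:", audit_protection(protection_payload()))
```

GitHub itself refuses to count the pull request author's own review as an approval, which is what gives the "approval by a different engineer" property once `required_approving_review_count` is at least 1; the audit function is the kind of periodic check a control owner can run to confirm that protection has not been loosened.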

</details>

<details>

<summary>Code Analysis and Penetration Testing</summary>

Before deployment into the production environment, a series of checks is performed, including manual code review and testing.

Static code analysis, also known as [Static Application Security Testing](https://en.wikipedia.org/wiki/Static_application_security_testing) (SAST), runs regularly against code repositories and blocks known misconfigurations from entering the code base.

Dynamic analysis, also known as [Dynamic Application Security Testing](https://en.wikipedia.org/wiki/Dynamic_application_security_testing) (DAST), is performed continually against our web applications and APIs. Automated tooling is used to identify potential security vulnerabilities, which then require additional code review and updates before promotion to production.

Manual penetration testing by [CREST-certified](https://www.crest-approved.org/) penetration testers is performed once every quarter.

</details>

<details>

<summary>Vulnerability Management</summary>

We implement a multilayered approach to vulnerability scanning using a variety of tools to ensure comprehensive coverage of our technology stacks.

Vulnerability scans are configured to run daily and on demand to detect exploitable vulnerabilities.

We use scanners such as [Trivy](https://trivy.dev/), [GitHub Dependabot](https://docs.github.com/en/code-security/dependabot), and [Amazon ECR](https://docs.aws.amazon.com/AmazonECR/latest/userguide/image-scanning.html) scanning to find vulnerabilities and misconfigurations across our repositories, container images, and Kubernetes clusters.
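The following added example (not Coherent's pipeline code) shows how a scanner report is turned into a promotion decision: findings at or above a severity threshold block the build, while findings that have no fixed version yet are set aside so they can be handled by a countermeasure rather than a patch. It assumes the JSON layout Trivy emits with `--format json` (a top-level `Results` list whose entries carry `Vulnerabilities` with `VulnerabilityID`, `PkgName`, `Severity` and `FixedVersion`); the embedded report and its CVE identifiers are constructed placeholders.

```python
"""Gate a deployment on a container-image / repository scan report.

Added example, not Coherent's tooling. Assumes the JSON layout Trivy writes
with `--format json`; the sample report below is constructed and its
vulnerability IDs are placeholders, not real advisories.
"""
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def triage(report: dict, threshold: str = "HIGH") -> tuple[list[dict], list[str]]:
    """Split findings at or above `threshold` into (blocking, unfixed).

    blocking: findings with an available fix, most severe first; these must be
              remediated before promotion to production.
    unfixed:  IDs of findings with no fixed version yet; they cannot be patched,
              so they need a compensating control and tracking instead.
    """
    floor = SEVERITY_RANK[threshold.upper()]
    blocking, unfixed = [], []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            severity = vuln.get("Severity", "UNKNOWN").upper()
            if SEVERITY_RANK.get(severity, 0) < floor:
                continue
            if not vuln.get("FixedVersion"):
                unfixed.append(vuln["VulnerabilityID"])
                continue
            blocking.append({
                "id": vuln["VulnerabilityID"],
                "package": vuln.get("PkgName"),
                "severity": severity,
                "fixed_in": vuln["FixedVersion"],
                "target": result.get("Target"),
            })
    # Stable sort keeps report order within the same severity.
    blocking.sort(key=lambda v: -SEVERITY_RANK[v["severity"]])
    return blocking, unfixed


def exit_code(report: dict, threshold: str = "HIGH") -> int:
    """Non-zero when anything blocks promotion, mirroring a CI gate step."""
    blocking, _ = triage(report, threshold)
    return 1 if blocking else 0


# Constructed sample report in Trivy's JSON shape (IDs are placeholders).
SAMPLE_REPORT = json.loads("""{
  "Results": [
    {"Target": "example/api:1.2.3 (debian 12)",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
        "Severity": "CRITICAL", "InstalledVersion": "1.0", "FixedVersion": "1.1"},
       {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
        "Severity": "HIGH", "InstalledVersion": "2.0", "FixedVersion": ""},
       {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libmisc",
        "Severity": "LOW", "InstalledVersion": "3.0", "FixedVersion": "3.1"}
     ]},
    {"Target": "app/requirements.txt",
     "Vulnerabilities": [
       {"VulnerabilityID": "CVE-0000-0004", "PkgName": "somepkg",
        "Severity": "HIGH", "InstalledVersion": "0.9", "FixedVersion": "1.0"}
     ]}
  ]}""")

if __name__ == "__main__":
    blocking, unfixed = triage(SAMPLE_REPORT, "HIGH")
    for v in blocking:
        print(f"BLOCK {v['severity']:8} {v['id']} {v['package']} -> fix in {v['fixed_in']} ({v['target']})")
    for vid in unfixed:
        print(f"TRACK (no fix yet) {vid}")
    raise SystemExit(exit_code(SAMPLE_REPORT, "HIGH"))
```

Keeping unfixed findings visible but non-blocking is deliberate: a gate that fails on every unfixable finding gets bypassed in practice, whereas listing them separately feeds the countermeasure decision described under Patch Management.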

</details>

<details>

<summary>Patch Management</summary>

Patch management is prioritized based on the severity of the vulnerability that the patch addresses.

To the extent it is possible, we follow the predefined service-level agreement (SLA) for implementing the patches.

If patching cannot be implemented within the SLA, we must ensure that sufficient countermeasures are in place to mitigate the risk.

</details>

<details>

<summary>Key Management</summary>

Encryption keys for both in-transit and at-rest encryption are securely managed by the Spark platform.

[Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) (TLS) private keys for in-transit encryption are managed through our content delivery partner.

Application and database encryption keys for at-rest encryption are stored in a hardened Key Management System (KMS).

Keys are rotated at a frequency that is dependent upon the sensitivity of the data they’re encrypting and at the discretion of the team that manages the key.

</details>
