Summary

WeThrive partners with a trusted 3rd party development house – DabApps Limited (DAL). This partnership is over 5 years old.

DabApps is a medium sized development house in Brighton with a team of 25.

DAL uses industry best practices for security and data management. The WeThrive platform is run and managed by DAL using Amazon Web Servers located in Amazon’s Irish facility.

DAL supports and follows the practices and guidelines in ISO27001 but is not accredited.

· A separate software development document is detailed in this document.

· A separate patch and vulnerability document is also detailed.

SOCII is a US centric requirement, and the UK equivalent is Cyber Essentials.

DAL is Cyber Essentials accredited.

The data breach responsibility lies with WeThrive. The contact for any data breaches is richard.watney@wethrive.net , Commercial Director.

DAL is responsible via its contract with WeThrive for data compliance and their GDPR officer is: Edward Hickey, Commercial Director (ed@dabapps.com)

We take the elements of agile methodologies that are best suited to your project, timescales and budget.

Our proposal seeks to provide you with a design and development approach that fulfils all of the major requirements of the app. We also provide a cost estimate for design and development to guide your investment decisions.

Design and development are done in cycles (sprints), these short iterative cycles allow review of progress, changes in requirements and re-prioritising on a regular basis. Each sprint consists of planning, implementation, testing and retrospective phases.

The agile approach gives maximum flexibility both in terms of the quality of the final app and the management of the development budget. It also gives us the power to manage complex projects in their entirety.

Projects are led by a dedicated Project Manager and assigned Design and Technical Leads. An experienced multidisciplinary team will work with you throughout the development lifecycle.

The design for new features are split into two phases – a research phase, and a design phase.

Starting with research helps define the problem we are being asked to solve, exploring business goals and user needs, informing our designs. This often takes the form of an exploratory workshop.

The design phase starts at the lowest fidelity needed to make sensible decisions. This often is simple wireframes, that helps decide what we are making, before moving to the creation of higher fidelity mockups that focus on visual design.

Wireframes can be made on a sliding scale of cost and fidelity, from simple workshop exercises captured on a whiteboard, to more polished deliverables created using dedicated wireframing tools, depending on project needs.

High fidelity designs are shared using an online prototyping tool, which you can review and comment on. This reduces misinformation, saving time, effort and money. Prototypes are great for getting other stakeholders on-board faster, reducing the need for lengthy communication or discussion – showing is always better than telling.

If the primary usage is on mobile web, we design responsively using a “mobile-first” approach, looking at how content fits at mobile sizes and scaling up from there. This helps prioritise features and ensures your website works well across a wide range of devices.

For mobile apps, static prototypes can be made for both mobile and desktop if needed and previewed directly on your phone like a real application for key screens. Using a static design prototype, key parts of an app can be tested with end users before development begins to test for comprehension and value.

We can use any of your existing branding or work with you to come up with suitable branding and logo design that suits your vision and audience.

This research and design process gives you greater confidence in the final build and provides us with a clearer specification to work to. In addition to delivering the best possible app to you, we have found this common-sense approach by far the most time and cost-efficient approach to application design and development.

DabApps uses a well-integrated set of open-source technologies to build backend systems and web and mobile UIs. We select widely-used, reliable technologies that we believe are likely to be well-maintained in future and offer a good trade-off of development speed, features and simplicity.

For backend systems, we use Django, a modern open-source web development framework written using the Python programming language.

Python is a mature, well-established language used by organisations such as Google, YouTube, NASA, Dropbox and the New York Stock Exchange. It is a dynamic language in the same family as PHP, Ruby and JavaScript, and encourages maintainable, readable code and high performance. Python is among the top five most widely-used programming languages on the planet.

Django provides a toolkit for rapidly building secure, high-performance web applications: request routing, authentication, database interaction, validation etc. It is known for its large

user and developer community, and its excellent documentation. Originally built in 2003 to run large content-driven web applications for a newspaper publisher, it was open-sourced in 2005 and has since enjoyed a steady increase in popularity. It is now used by organisations such as Instagram, Mozilla, Eventbrite and National Geographic among others.

We believe that the Django framework is the best choice for delivering robust, maintainable web applications to tight deadlines. It has proven to be a stable and scalable technology and has a direct impact on the speed of our development and project delivery.

The data stored in the backend will be exposed via an Application Programming Interface (API, also known as Web API), which the user facing front-end (browser-based web or mobile apps) will connect to in order to receive content for display to the users and perform actions.

We have a very well-established set of tools for building web APIs based on Django REST Framework, an open-source project used by thousands of individuals and companies around the world. The lead developer of Django REST framework was a founding member of DabApps and our expertise in building APIs is a key part of almost every project we undertake.

For browser-based user interfaces, we use ReactJS, a project that was initiated by Facebook and has since become the most popular JavaScript framework for building UIs. In addition to React, we use Redux for in- browser state management.

For mobile applications, we use React Native. Another Facebook-initiated project, this allows rapid creation of native mobile UIs using web-like building blocks that work across iOS and Android.

We use SSL by default with all our sites. All data will be hosted by AWS and covered by the security of their data centres. Additionally, many of our existing applications are routinely penetration tested and we apply any lessons learned retroactively to our other sites (if necessary)

We have experience in building sites that can have many thousands of users. Using the AWS infrastructure as a basis means we can always scale hardware, but we also include monitoring of the performance of the site using AWS and other tools, so can react to issues when they occur.

We write self-commenting code using self-explanatory variable, method names and comments. Further design level documentation will be available on request. We have used both Sphinx and MkDocs (http://www.mkdocs.org/) for code documentation and are able to use these as required.

We have extensive internal testing procedures, including automated unit and integration tests for front and backend code. We also produce testing scripts to allow easy manual testing.

However, we encourage clients to be fully engaged in the testing and quality assurance process at each stage of the build, which tends to produce a smoother transition from development to release.

DabApps leverages third-party open source libraries and frameworks when building applications for clients. Any of these dependencies may be vulnerable to exploitation due to unintended behaviour of code contributed by the developers of the dependency. This third party code is used under open source licences which disavow the authors of legal or moral responsibility for such vulnerabilities. Open source code is community-driven and so it is up to us to select dependencies with mature, responsible communities who take security seriously.

· Vulnerability - a vulnerability is an unhandled outcome in a program or system that can potentially be exploited to adversely impact a computer system.

· Exploit - software that is written usually by attackers which leverages a vulnerability to circumvent security controls.

· Patch - also referred to as a software update. From time to time software vendors will release updates in the form of ‘patches’ to ensure their software is not susceptible to Vulnerabilities.

By far the most critical component in our technology stack is our backend web framework. This is where critical business logic including authentication, authorisation and permissions checks exists, as well as code that manages user sessions and mediates interactions with the database.

We use the Django web framework for all server-side code. Django is mature and very widely used by large organisations including governments. The Django Software Foundation is a non-profit entity which sponsors the development of Django and ensures that security issues are responded to in a structured and timely manner.

Django has a wide-ranging set of security policies including:

Further details of Django’s security policies can be found at the following URLs:

https://docs.djangoproject.com/en/dev/releases/security/ https://www.djangoproject.com/foundation/teams/#security-team

Django itself has an extremely thorough approach to security in the framework, including default behaviour and built-in features designed to protect against cross site scripting (XSS), cross-site request forgery (CSRF), SQL injection, SSL/HTTPS support, host header validation, cross-origin policies, session security, strong password encryption etc.

Further details of Django’s security features can be found at the following URLs:

https://docs.djangoproject.com/en/dev/topics/security/ https://docs.djangoproject.com/en/dev/topics/auth/passwords/

DabApps uses only Long Term Support (LTS) releases of Django to ensure all customers are protected by security patches while minimising maintenance burden. When a new LTS version is released (generally every three years), we endeavour to upgrade all client projects before the previous LTS version is deprecated.

When security releases are issued for Django or any other dependency, our security team at DabApps assesses the security content of the release and makes a decision about whether the patches will have an impact on our customers based on our particular usage of that dependency. If we determine that our customers are impacted we put into place an emergency procedure to upgrade all client projects, which we aim to complete within 24 hours of the release being issued.

DabApps also hosts web application backends for our customers. We use only managed hosting platforms and so are not directly responsible for patch management and security upgrades of operating systems.

Our main hosting suppliers are Heroku for application backend hosting and Amazon Web Services (via their RDS, S3 and other products) for relational database, file storage and other ancillary services. Further details of their security policies can be found at the following

URLs:

https://www.heroku.com/policy/security https://aws.amazon.com/security/

For our internal IT systems (employee laptops etc) we are currently compliant with (and working towards certification for) the government-backed Cyber Essentials guidelines. Full details of this can be found at the following URL:

https://www.ncsc.gov.uk/cyberessentials/overview