Security processes: data and code control
Use of third-party software
The Macro application makes use of open source and proprietary software libraries. Macro's codebase integration and distribution patterns also make use of open source and proprietary software. For any third-party proprietary SDKs, Macro maintains the necessary licenses for redistribution in our product in binary form. Open source and proprietary software are audited through manual and automated testing. No third-party software uses the internet for communication (no "phone home").
Pre-release testing & quality assurance
Macro is thoroughly tested before release by internal engineers and QA professionals. All builds are code-signed on Mac and Windows, using Apple Developer and Extended Validation code signing respectively.
Encryption
For licensing purposes, Macro employs an internal authentication mechanism for the services that transmit user and organizational data relevant to licensing keys. For certain tasks this data is encrypted both at rest and in motion, using industry-standard AES-256 encryption.
Crash and user analytics, as discussed above, have logs that can be enabled to report non-sensitive information back to Macro. This information is encrypted in transit and at rest.
Security best practices
This section outlines the non-user facing elements of our security.
Code scanning
Code for the application is stored and versioned in GitHub, and releases are marked using GitHub releases. Several types of scans run on the code:
- Code scans for each PR. Each pull request is run through automated formatting and code scanning tools, requires a pull request template that reports any security changes, and is reviewed by third parties before merging into the main branch.
- Continuous dependency scanning. Pull requests are automatically opened by a code scanning bot for any dependencies that need to be updated because of security vulnerabilities. These PRs take priority in our review and merge queue. Dependency packages are pinned by a lock file and are not updated automatically, to mitigate MITM and other attacks. Dependencies are also scanned for any outbound IP requests, to eliminate phone-home vulnerabilities or attacks.
- Code scans upon release. Our app does not make use of continuous deployment; all releases are manually built, QA'd, and released for testers before our business clients. Each release distributable is scanned as a final check before release.
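The two checks in the dependency-scanning item above (lock-file pinning and a sweep for outbound network calls) can be illustrated in code. The script below is an added example, not Macro's own tooling or scanner; it assumes an npm-style package-lock.json layout and the list of network APIs it greps for is a constructed heuristic, so the lock file and dependency sources it runs on are sample data built inline.

```python
"""Illustrative dependency-audit checks (added example, not Macro's tooling).

  1. Every dependency in the lock file must be pinned to an exact version and
     carry an integrity hash, so an install cannot silently resolve to a
     different artifact than the one that was reviewed.
  2. Dependency sources are grepped for outbound-network APIs so that any
     "phone home" behaviour is surfaced for human review.
"""
import json
import re

# Constructed lock file in the style of npm's package-lock.json (sample data).
SAMPLE_LOCKFILE = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.example/left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDERHASH",
        },
        "node_modules/telemetry-helper": {
            "version": "^2.0.0",  # a range, not an exact pin
            "resolved": "https://registry.example/telemetry-helper.tgz",
            # deliberately no "integrity" field
        },
    },
})

# Constructed dependency sources (sample data), keyed by file path.
SAMPLE_SOURCES = {
    "node_modules/left-pad/index.js":
        "module.exports = function leftPad(s, n) { return s.padStart(n); };",
    "node_modules/telemetry-helper/index.js":
        "const https = require('https');\n"
        "https.request({host: 'collect.example', method: 'POST'}).end();",
}

# Exact semver pin: MAJOR.MINOR.PATCH with optional pre-release/build suffix.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.\-]+)?$")

# APIs that open an outbound connection; a hit is a review item, not a verdict.
OUTBOUND_APIS = re.compile(
    r"\b(fetch|XMLHttpRequest|https?\.request|https?\.get|net\.connect|"
    r"dgram\.createSocket|WebSocket)\b"
)


def check_lockfile(lock_text: str) -> list[str]:
    """Return findings for entries that are not exact-pinned or lack integrity."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:  # the empty key is the root project, not a dependency
            continue
        version = entry.get("version", "")
        if not EXACT_VERSION.match(version):
            findings.append(f"{path}: version '{version}' is not an exact pin")
        if not entry.get("integrity"):
            findings.append(f"{path}: missing integrity hash")
    return findings


def scan_for_outbound_calls(sources: dict[str, str]) -> dict[str, list[str]]:
    """Map each source file to the outbound-network APIs it references."""
    hits = {}
    for path, code in sources.items():
        names = sorted({m.group(1) for m in OUTBOUND_APIS.finditer(code)})
        if names:
            hits[path] = names
    return hits


def audit(lock_text: str, sources: dict[str, str]) -> dict:
    """Run both checks; 'passed' is True only when neither produces findings."""
    lock_findings = check_lockfile(lock_text)
    network_hits = scan_for_outbound_calls(sources)
    return {
        "lockfile": lock_findings,
        "network": network_hits,
        "passed": not lock_findings and not network_hits,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_LOCKFILE, SAMPLE_SOURCES), indent=2))
```

Run against the sample data, the audit fails on the telemetry-helper entry twice (range instead of a pin, no integrity hash) and flags its source for an `https.request` call, while left-pad passes both checks. In a CI gate the integrity hash is what ties the reviewed lock file to the bytes actually installed; the network sweep is only a prompt for review, since legitimate packages (HTTP clients, update checkers) will also match.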
Secure coding, IP, and other best practices
Macro follows secure coding best practices as described below.
- We mandate password managers, SSO, and 2FA across business systems for all contributors.
- Access to data and systems is provisioned by management according to the principle of least privilege.
- Branch protection protects the main git branch from un-reviewed pull requests.
- All first-party code for the application and related systems is written by full-time employees or full-time contractors of the Company, who reside or hold citizenship in the United States or Canada and have formal training in Computer Science and/or Software Engineering.
- All access permissions are removed immediately when a contributor leaves the organization.
- All contributors hold requisite IP assignment agreements with the Company.