NEXT maintains documented Software Development Life Cycle (SDLC) policies and procedures to guide developers in implementing and documenting application and infrastructure changes.
All code is deployed and tested in a staging (development) environment that is functionally equivalent to production environments. NEXT performs testing and quality assurance procedures in this staging environment before releasing to the production environment that is used by customers. No customer data is ever used in or accessible from staging or local development environments.
NEXT employs Git version control to maintain source code versions and manage the migration of source code from development through to release. Using a decentralized version control system allows multiple developers to work simultaneously on features, bug fixes, and new releases; it also allows each developer to work on their own local code branches in a local environment. Git maintains a history of code changes, supports rollback capabilities, and tracks changes to individually identifiable developers.
All code is written, tested, and saved in a local repository before being synced to the origin repository. Writing code locally decouples the developer from the production version of the NEXT code base and insulates NEXT from accidental code changes that could affect users. Any changes involving the persistence layer (database) are performed locally when developing new code, where errors or bugs can be spotted before the change is deployed to users.
Code changes are managed and reviewed through Git pull requests. Every pull request is manually reviewed and approved by two developers before it can be merged. Automatic and integrated testing is also performed with each pull request, and all tests must pass before a code change can be merged.
Developers are trained in evaluating code for security defects as part of code review, and automatic testing is employed to test against common security defects.
Security bugs represent key issues and should be resolved quickly to maintain the security, confidentiality, privacy, processing integrity, and availability of the NEXT service. NEXT has SLAs in place to enforce compliance with resolving security bugs within reasonable timelines.