
FAQs: Secure software delivery: repositories, SDLC, and code-level controls

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

Code and delivery

Does Secureframe provide the source code for the agent, as it relates to osquery?

  • Secureframe does not manage the source code for osquery. Customers can check the version of osquery running on a device, for example with the query SELECT version FROM osquery_info; in the osqueryi shell, and can review the public osquery source code on GitHub at https://github.com/osquery/osquery.

How can the effectiveness of code reviews be maintained?

  • To maintain the effectiveness of code reviews, it is beneficial to monitor the general workload of reviewers and to have them review applications they are familiar with.

How may code reviews be performed?

  • Code reviews may be performed using either manual or automated processes, or a combination of both.

If manual code reviews are performed for bespoke and custom software prior to release to production, what elements are required?

  • If manual code reviews are performed for bespoke and custom software prior to release to production, code changes are:
    • Reviewed by individuals other than the originating code author who are knowledgeable about code-review techniques and secure coding practices; and
    • Reviewed and approved by management prior to release.

To what software does the requirement for code reviews apply?

  • This requirement for code reviews (PCI DSS Requirement 6.2.3) applies to all bespoke and custom software (both internal and public facing), as part of the system development lifecycle.

What has been found to improve the quality of the code review process?

  • Having a formal review methodology and review checklists has been found to improve the quality of the code review process.

What should be considered for inclusion in code reviews?

  • The following items should be considered for inclusion in code reviews:
    • Searching for undocumented features (implant tools, backdoors);
    • Confirming that software securely uses external components’ functions (libraries, frameworks, APIs, etc.);
    • Checking for correct use of logging to prevent sensitive data from getting into logs;
    • Analysis of insecure code structures that may contain potential vulnerabilities related to the common software attacks identified in PCI DSS Requirement 6.2.4; and
    • Checking the application’s behavior to detect logical vulnerabilities.
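The logging and undocumented-feature items in that list are normally checked by hand, but a reviewer's checklist can be partly automated so the human review starts from a shortlist. The following is an added example, not code from this article or from any Secureframe tooling: it scans a constructed Python source file for two of the checklist items, sensitive values (a PAN or CVV, for instance) passed to a logging call, and credentials hard-coded as string literals. The sensitive-name pattern, the sample source and the treatment of a last-four slice as masked are assumptions of the example; it is a heuristic that supports, not replaces, the manual review.

```python
import ast
import re

# Identifier pattern for values that must never reach logs (PAN, CVV, generic
# secrets). An assumption of this example, not a Secureframe rule.
SENSITIVE = re.compile(
    r"(^|_)(pan|card_?num|cvv|cvc|password|passwd|secret|token|api_?key)", re.I)
LOG_METHODS = {"debug", "info", "warning", "warn", "error", "critical", "exception", "log"}

# Constructed sample under review (not real application code).
SAMPLE_SOURCE = '''
import logging
log = logging.getLogger(__name__)
SUPPORT_TOKEN = "hunter2-static-token"          # hard-coded credential

def charge(card_number, cvv, amount):
    log.info("charging %s for %s", card_number, amount)         # leaks the PAN
    log.debug(f"cvv={cvv}")                                       # leaks the CVV
    log.info("charged %s, card ending %s", amount, card_number[-4:])  # masked, ok
    return amount
'''


def _names(node):
    """Yield identifiers referenced by an expression. A slice such as
    card_number[-4:] is treated as masked output and not descended into."""
    if isinstance(node, ast.Subscript) and isinstance(node.slice, ast.Slice):
        return
    if isinstance(node, ast.Name):
        yield node.id
    elif isinstance(node, ast.Attribute):
        yield node.attr
        yield from _names(node.value)
    else:
        for child in ast.iter_child_nodes(node):
            yield from _names(child)


def review_checks(source: str) -> list[tuple[int, str]]:
    """Return (line, finding) pairs for two checklist items: sensitive values
    passed to a logging call, and credentials hard-coded as string literals."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr in LOG_METHODS):
            # every positional and keyword argument of the log call
            exprs = list(node.args) + [kw.value for kw in node.keywords]
            leaked = sorted({n for e in exprs for n in _names(e) if SENSITIVE.search(n)})
            for name in leaked:
                findings.append((node.lineno, f"sensitive field '{name}' written to log"))
        elif (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            for target in node.targets:
                if isinstance(target, ast.Name) and SENSITIVE.search(target.id):
                    findings.append((node.lineno, f"hard-coded credential in '{target.id}'"))
    return sorted(findings)


if __name__ == "__main__":
    for line, finding in review_checks(SAMPLE_SOURCE):
        print(f"line {line}: {finding}")
```

Run it against the sample and it reports the hard-coded token and the two log calls that receive a raw card number or CVV, while the call that logs only the last four digits is left alone. Tune the name pattern to your own field names before relying on it; a pattern that is too broad buries the reviewer in noise, one that is too narrow silently misses leaks.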

Where can more information about code review be found?

  • See the OWASP Code Review Guide.

Who can conduct manual code reviews?

  • Manual code reviews can be conducted by knowledgeable internal personnel or knowledgeable third-party personnel.

Why is it important to have code reviewed by someone other than the original author?

  • Having code reviewed by someone other than the original author, who is both experienced in code reviews and knowledgeable about secure coding practices, minimizes the possibility that code containing security or logic errors that could affect the security of cardholder data is released into a production environment.

SDLC and application testing

How can I obtain a Software Development Life Cycle (SDLC) document?

  • Our Secure Development Policy serves as our Software Development Life Cycle (SDLC) document. This policy is included in most frameworks we support. You can access it by navigating to your Policies section in Secureframe and searching for Secure Development Policy. From there, you can view, download, or share it as needed for your compliance requirements.

Is there a template available for a Secure Development Lifecycle (SDL)?

  • Yes, Secureframe provides a Secure Development Policy template that aligns with best practices and supports your Secure Development Lifecycle requirements.

What do you recommend for open-source DAST or SAST tools?

  • For open-source DAST, we recommend OWASP ZAP. For SAST, SonarQube (its Community Edition is open source) or the hosted SonarCloud service is a good option. Scans can be scheduled monthly, quarterly, or annually based on your organization’s needs, but more frequent scanning, ideally on every change in your CI pipeline, is recommended as a best practice so that vulnerabilities are identified early.

What is the difference between Dynamic application security testing (DAST) and Static application security testing (SAST)?

  • SAST analyzes the application’s source (or compiled) code at rest, without executing it, and can point to the file and line that contains a weakness. DAST exercises the running application from the outside, typically over HTTP and without access to the source, and finds issues that only show up at runtime, such as an injectable endpoint or a misconfiguration. Both are vulnerability scans, and they complement rather than replace each other.
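To make the distinction concrete, here is an added example (not from this article, and not how ZAP or SonarQube work internally) that applies both approaches to the same constructed snippet: a static pass walks the parsed source and flags any execute() call whose SQL is assembled from strings at runtime, and a dynamic pass runs the same functions against an in-memory SQLite table and sends a tautology payload without looking at the code at all. The sample functions, table and payload are assumptions of the example.

```python
import ast
import sqlite3
from typing import Callable

# Constructed sample application code (part of this added example, not from
# Secureframe or any product): one query built by concatenation, one parameterised.
SAMPLE_SOURCE = '''
def find_user(conn, username):
    sql = "SELECT id FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username):
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()
'''


def _builds_string(node: ast.AST) -> bool:
    """True if the expression assembles a string at runtime (concatenation,
    %-formatting or an f-string), the usual shape of injectable SQL."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        sides = (node.left, node.right)
        if any(isinstance(s, ast.Constant) and isinstance(s.value, str) for s in sides):
            return True
        return any(_builds_string(s) for s in sides)
    return False


def sast_scan(source: str) -> list[tuple[str, int]]:
    """Static check over code at rest: report execute() calls whose SQL argument
    is a dynamically built string, passed directly or through a variable that
    was assigned from one. Returns (function name, line) pairs."""
    findings = []
    for func in ast.walk(ast.parse(source)):
        if not isinstance(func, ast.FunctionDef):
            continue
        # pass 1: variables assigned from string-building expressions
        tainted = {t.id for node in ast.walk(func)
                   if isinstance(node, ast.Assign) and _builds_string(node.value)
                   for t in node.targets if isinstance(t, ast.Name)}
        # pass 2: execute() calls fed by such an expression or variable
        for node in ast.walk(func):
            if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "execute" and node.args):
                arg = node.args[0]
                if _builds_string(arg) or (isinstance(arg, ast.Name) and arg.id in tainted):
                    findings.append((func.name, node.lineno))
    return findings


def load_app() -> tuple[dict, sqlite3.Connection]:
    """Execute the sample code and stand up a small constructed users table so
    the functions can be exercised as a running application."""
    namespace: dict = {}
    exec(SAMPLE_SOURCE, namespace)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return namespace, conn


def dast_probe(lookup: Callable, conn: sqlite3.Connection) -> bool:
    """Dynamic check with no access to the source: call the running function
    with a harmless input, then with a tautology payload. More rows back than
    the baseline means the input reached the query unparameterised."""
    baseline = len(lookup(conn, "nobody"))
    probed = len(lookup(conn, "nobody' OR '1'='1"))
    return probed > baseline


def dast_results() -> dict[str, bool]:
    """Probe every lookup function in the running sample application."""
    namespace, conn = load_app()
    return {name: dast_probe(namespace[name], conn)
            for name in ("find_user", "find_user_safe")}


if __name__ == "__main__":
    print("SAST findings (function, line):", sast_scan(SAMPLE_SOURCE))
    print("DAST findings (function -> injectable):", dast_results())
```

The static pass names the exact line to fix but cannot tell whether the concatenated value is ever attacker-controlled; the dynamic pass proves exploitability against the live code but only for the inputs it tries and cannot say where in the source the flaw lives. That is why the two are run together.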

Source control and repositories

How does Secureframe act as a repository for compliance evidence?

  • Secureframe organizes all evidence by control and framework, tracks evidence health, sets timelines for updates, and allows users to assign test owners, leave comments, and upload additional proof.

If we don’t have a formal ticketing system, would a Pull Request (PR) suffice as evidence for the “Independent approval for infrastructure changes” test?

  • Yes. A Pull Request works as evidence for infrastructure changes, because it records the internal code review and the approval. For it to demonstrate independent approval, the approving reviewer should be someone other than the author, and the approval should be recorded before the change is merged.

We have already-closed pull requests that were not blocking and did not have emergency labels applied before merge. How should we handle these retrospectively?

  • If the emergency label was applied before the PR was merged, a re-sync in Secureframe may resolve the test. If the label was applied after merging, the test will not pass through re-sync alone. In that case, the recommended path is to document those PRs through Secureframe's exception or risk acceptance workflow, acknowledging that the standard approval process was not followed and capturing the business justification.
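The two answers above describe what a merged PR has to show: an approval recorded before the merge by someone other than the author, or an emergency label applied before the merge, with everything else needing an exception. The following added example (not Secureframe’s own test logic, which this article does not show) applies those rules to a constructed set of PR records so you can find the ones to document before an audit. The record fields and the label name are assumptions, a simplified stand-in for what a source-control API exports.

```python
from datetime import datetime

# Label that marks an approved emergency change. Assumed name for this example;
# use whatever label your Secureframe test is configured to accept.
EMERGENCY_LABEL = "emergency"

# Constructed PR records (not real data): author, merge time, reviews received
# and the time each label was applied.
SAMPLE_PRS = [
    # independently approved before merge
    {"number": 101, "author": "alice", "merged_at": "2024-05-01T10:30:00+00:00",
     "reviews": [{"user": "bob", "state": "APPROVED",
                  "submitted_at": "2024-05-01T10:00:00+00:00"}],
     "label_events": []},
    # self-approval only: not independent
    {"number": 102, "author": "alice", "merged_at": "2024-05-02T09:00:00+00:00",
     "reviews": [{"user": "alice", "state": "APPROVED",
                  "submitted_at": "2024-05-02T08:50:00+00:00"}],
     "label_events": []},
    # no review, but emergency label applied before merge
    {"number": 103, "author": "carol", "merged_at": "2024-05-03T09:30:00+00:00",
     "reviews": [],
     "label_events": [{"label": "emergency", "created_at": "2024-05-03T09:00:00+00:00"}]},
    # emergency label added retrospectively, after merge
    {"number": 104, "author": "carol", "merged_at": "2024-05-04T10:00:00+00:00",
     "reviews": [],
     "label_events": [{"label": "emergency", "created_at": "2024-05-04T10:15:00+00:00"}]},
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def classify_pr(pr: dict) -> str:
    """'approved' when an approving review from someone other than the author
    exists before the merge; 'emergency' when the emergency label was applied
    before the merge; otherwise 'exception-required'."""
    merged = _ts(pr["merged_at"])
    if any(r["state"] == "APPROVED" and r["user"] != pr["author"]
           and _ts(r["submitted_at"]) <= merged for r in pr.get("reviews", [])):
        return "approved"
    if any(e["label"] == EMERGENCY_LABEL and _ts(e["created_at"]) <= merged
           for e in pr.get("label_events", [])):
        return "emergency"
    return "exception-required"


def audit(prs: list[dict]) -> dict[int, str]:
    """Classify each merged PR; the 'exception-required' entries are the ones
    to document through the exception or risk acceptance workflow."""
    return {pr["number"]: classify_pr(pr) for pr in prs}


if __name__ == "__main__":
    for number, verdict in audit(SAMPLE_PRS).items():
        print(f"PR #{number}: {verdict}")
```

Note the timestamp comparisons: an approval or label that lands after the merge is treated the same as none at all, which is exactly the case a re-sync cannot fix.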

What type of evidence do we submit for a Pull Request?

  • If your developers use a checklist before submitting a PR, that checklist should be sufficient. You can also submit the checklist along with an example change request. If the auditor is unsure, they will ask for clarification.

Additional customer questions

How do I scope for compliance if we don’t do software development?

  • Even if you don’t do software development, scoping is still essential. Ask yourself: Do you host customer-facing portals or use cloud providers like AWS or Azure? Do you use low-code/no-code tools or outsource development? These may still bring security, access control, and vendor management requirements into scope.

Do I need the App Management package to connect Rippling? Can you explain more?

Yes. To integrate Rippling with Secureframe, you need to have Rippling’s App Management package enabled. This package is required because it provides the identity and application management features that allow Secureframe to pull in employee data, manage access, and support compliance workflows.

The App Management package includes:

Directory & Identity Management – syncs employee data and access across your workforce.

App Integrations – connects to 400+ third-party apps like Google Workspace, Office 365, AWS, and GitHub.

Single Sign-On (SSO) – employees can log into multiple applications with one click.

Two-Factor Authentication – additional security with YubiKey, Duo, or OTP.

Password Management – for apps that don’t support SSO, Rippling provides secure password sharing at the team/role level.

Lifecycle Automation – creates accounts for new hires and automatically disables accounts for terminated employees.

Without this package, the Secureframe integration will not be able to connect properly. You’ll be prompted to purchase/enable it if it isn’t already included in your Rippling subscription.

If I apply a change to all in-scope production repositories, is there a way to roll back or unwind those changes later?

No. Secureframe does not currently provide a rollback or history-tracking feature for repository scope changes. If you apply a change across all in-scope production repositories, the update is applied directly and cannot be automatically reversed. Record the previous scope (for example, the list of repositories that were in scope) before applying a bulk change, so that it can be restored manually if needed.
