Foxit Software is committed to building secure, reliable, and trustworthy products through a mature and continuously improving Secure Software Development Lifecycle (S-SDLC). Security and privacy are integrated into every stage of product development and operations, rather than treated as an afterthought. Foxit's development security practices are aligned with industry-recognized standards, informed by Microsoft's SDL, and adapted to Foxit's products, technologies, and agile development model.
Core Security Objectives
Reduce Security Issues: Prevent vulnerabilities at the source through secure design, secure coding practices, and proactive security testing.
Reduce Impact of Security Issues: Apply layered security controls, resilience planning, and disaster recovery capabilities to minimize impact when incidents occur.
Shorten Time to Remediation: Operate structured security response processes integrated into continuous development workflows for rapid detection and remediation.
Strategic Approach
Shift-Left Security: Security considerations are integrated from the earliest stages (requirements, architecture, design), preventing vulnerabilities, reducing risk, and streamlining remediation through early attention.
Culture and Education: Security responsibilities are clearly defined and reinforced through role-based training, with periodic refresh training covering emerging threats and secure design practices.
Full Lifecycle Security: Security activities span the entire software lifecycle from design to post-deployment monitoring, with continuous validation ensuring security controls remain effective at all times.
Secure Software Development Lifecycle
Foxit's S-SDLC defines mandatory security activities across a series of stages: Training and Awareness (security training for all roles), Requirements and Design (threat modeling and risk tracking), Quality Gates (minimum security thresholds enforced), Implementation (secure coding standards and automated checks), and Verification and Release (security testing and cross-functional reviews before release).
Security tasks are integrated into agile development processes and categorized by frequency: Initial Requirements, Per-Sprint, and Periodic Tasks. Automated tracking and dashboards maintain traceability, ensuring security activities stay synchronized with the rhythm of the business.
Tools and Automation
Foxit employs a layered tool strategy combining testing tools (static analysis, credential scanning, dynamic testing, component governance, container scanning) with management tools (defect tracking, task management, documentation systems, architecture visualization) to ensure end-to-end visibility and accountability.
Vulnerability Management
Foxit Software is an official CVE Numbering Authority (CNA), authorized to assign standardized CVE identifiers for product vulnerabilities. Vulnerabilities are classified using CVSS v3.0, assigned to responsible teams for remediation, undergo rigorous verification, and are transparently communicated to internal and external stakeholders.
Conclusion
Foxit's Development Security program integrates security as a core strategic enabler across the entire software lifecycle. Through structured processes, clearly defined responsibilities, and continuous validation, security directly supports business objectives, regulatory compliance, and customer trust.